Data Sovereignty and Privacy Compliance Post Schrems II

The past year has had an unprecedented impact on business technology strategies as organizations scrambled to adapt to operating in the COVID-19 pandemic. However, there have also been some seismic shifts in the realm of data privacy and security.

In July 2020, the Court of Justice of the European Union (CJEU) gave its judgment on Schrems II, a case with profound consequences for any organization in or dealing with EU data in the United States (US). In normal times this would have dominated the headlines, but instead it’s been overshadowed by the extraordinary disruption of COVID-19.

So, what is Schrems II, and what does it mean for businesses going forward?

The New Data Transfer Landscape for Europe and the US

Schrems II is the work of Max Schrems, an Austrian activist with a focus on data privacy. As a result of the judgment given in July 2020, the CJEU ruled that the Privacy Shield agreement between the EU and US was no longer valid due to the continued use of mass surveillance techniques in the US.

To understand the judgment’s impact, we need to look at GDPR. This regulation requires organizations processing the data of European citizens to comply with strict standards to maintain the security and privacy of confidential information. Moreover, these rules apply internationally regardless of the location of the organization involved.

The European Commission has declared certain non-EU countries, including Japan, Israel, Switzerland and New Zealand, to have equivalent data protection safeguards to the EU itself.

As a result, organizations in these nations can freely transfer the data of EU citizens without the need for additional security mechanisms. The Privacy Shield Agreement granted this same status to the US.

However, with the agreement now declared invalid by the CJEU, US-based businesses dealing with the data of EU citizens potentially face much stricter measures.

It should be noted that at the time of writing, the EU is still deciding whether the UK itself holds equivalent status, so UK-EU operations may also face new measures.

How Can Organizations Remain Compliant?

While Schrems II has sown further confusion and doubt for businesses, the good news is the European Data Protection Board (EDPB) has issued official guidance on keeping compliant with GDPR when transferring personal data to the US.

Organizations receiving the data of EU citizens must be able to prove in court that they’ve taken sufficient measures to protect it from being accessed by authorities using mass surveillance. Various measures are recommended, including data minimization procedures, transparency policies around governmental requests, and the applications of international security standards such as the ISO series.

The EDPB also recommends technical measures such as pseudonymization, where data is stored and processed in a way that cannot be used to identify an individual. Encryption is one of the most important technical solutions, although it must meet several factors to be deemed sufficient.

Data must be protected with strong encryption prior to transmission, and the encryption must be strong enough to withstand attempted cryptanalysis by public authorities.

Perhaps most importantly, the cryptographic keys used in the encryption process must be maintained in the European Economic Area (EEA). The data exporter – the one ultimately responsible for the data in the event of a privacy or security breach – must be in sole control of the keys.

The Role of the Cloud and External Key Management

If a data exporter uses a cloud provider based in a non-EU country where it may be forced to hand data over to the authorities, the organization could quickly find itself in breach of GDPR.

One solution is using a Bring Your Own Key Management System (BYOKMS), where firms can create their own keys and store them in their own data center. If data is encrypted using keys stored and managed from a location in the EEA, the organization will be free to send sensitive data to non-EU countries.

This ties into the concept of data sovereignty, where data is subject to the country’s laws where it is first collected. If data is encrypted when it leaves the country and not decrypted again until arrival, a form of virtual data sovereignty is assured.

Compliance can be further strengthened with the use of confidential computing. This new technology protects data from being compromised at runtime by using a completely isolated trusted execution environment known as a “secure enclave.” Thus, even if the infrastructure is compromised, the data will remain safe.

While uncertainty remains for organizations storing and processing EU data overseas, implementing the processes and technology in accordance with the EDBP’s guidance will give firms the best chance of operating normally.

Furthermore, applying strong encryption to all data before it leaves the EU, backed with an effective BYOKMS strategy, will ensure that enterprises meet crucial requirements to keep both data and encryption keys under their direct control.