Data Sovereignty in a Post-Privacy Shield World
A Solution to Preserve Privacy while Fostering Cross-Border Collaboration after Schrems II
Enterprises face a digital dilemma: They want to leverage the productivity and security benefits of leading global cloud platforms but are concerned that, in so doing, they will face conflicting and shifting legal obligations and perhaps put the privacy of their customers at risk. For example, European companies are concerned that they could be compelled to hand over customer data to the U.S. government, because (a) the leading cloud providers are U.S.-based and subject to various laws requiring cooperation with the U.S. national and homeland security apparatus, and (b) there is currently no multilateral privacy framework.
Fortunately, as this post highlights, there is good news: With end-to-end encryption and properly implemented key management, companies do not have to choose between privacy and the manifold benefits of the cloud. Importantly, in November 2020, the European Data Protection Board (EDPB)—the body that oversees the national privacy regulators in each of the EU member states—adopted guidance clarifying that end-to-end encryption is an effective measure that allows companies to adopt the cloud while meeting EU data sovereignty requirements, which are often viewed as the global gold standard for privacy.
With end-to-end encryption, enterprises can:
- Adopt global cloud services while meeting data sovereignty requirements.
- Protect customer privacy rights.
- Maintain full control of the data with which they have been entrusted.
- Ensure that competitors, foreign governments, and other entities who should not have access cannot gain access to their proprietary or otherwise sensitive information.
Virtru was founded to deliver on the full promise of end-to-end encryption to accelerate productivity, collaboration, and, ultimately, trust. Virtru was created to enable a future where fundamental rights are enforced at the data level, and protection travels everywhere the information goes.
Virtru has adopted an approach to data security that prioritizes privacy and controlled, granular access, as defined by the data owner (or, within an EU legal context, the “data subject”). With Virtru, encrypted data can move across domains while the keys that unlock it remain within the sole control and jurisdiction of the data owner, enabling compliant, cross-border data flows, the economic and innovation benefits of which are well documented.
Overview of the Current Policy Landscape
In the absence of a global privacy framework, governments are taking very different legal and policy approaches to data. For example, the European Union has adopted strong privacy protections for its European citizens. The U.S. has adopted far-reaching law enforcement legislation, with leadership on privacy issues residing at the State level (e.g., the California Privacy Rights Act, CPRA). In particular, the U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act (2018) has codified that when data is hosted by U.S.-based cloud providers, even if their servers are located outside the U.S., they can still be compelled to hand over all data to the U.S. government.
Privacy has become a polarizing issue for these Western allies. For example, a key judicial decision by the European Courts (“Schrems II”) has highlighted potential risks to European residents’ privacy rights when transferring personal data from the E.U. to the U.S. As a result of the decision, the EU-U.S. Privacy Shield Framework, adopted by many commercial entities seeking to compete across borders, was invalidated, leaving businesses scrambling to navigate an increasingly complicated and heterogeneous global policy ecosystem.
The bottom line is this: the system of national and regional law will continue to evolve, and companies need flexible tools for navigating this changing landscape. Technology that simply and flexibly puts enterprises at the center of control can be and must be a central part of the solution.
Current Policy Landscape: U.S. CLOUD Act
These concerns are fast-growing and many find the requirements of the U.S. CLOUD Act unacceptable. This is particularly true among companies outside the U.S. The majority of affected companies, regardless of country, rely on the ability to keep intellectual property (IP), confidential information, and other secrets completely private and secure. These organizations need to keep these secrets private and protect themselves against access requirements such as those codified in laws like the U.S. CLOUD Act.
While the U.S. is home to the vast majority of enterprise cloud providers such as Amazon, Microsoft, and Google, it is uncertain how the U.S. tech industry will balance competing geopolitical demands in the absence of a formally adopted multilateral policy agreement to replace the Privacy Shield.
Current Policy Landscape: Schrems II & GDPR
On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield agreement, previously adopted as a mechanism to lawfully transfer personal data from the EU to the U.S., due to perceptions about the powers of invasive U.S. surveillance programs. This ruling by the CJEU is more commonly known as Schrems II. As a note, “Schrems I” was ruled October 16, 2015, on a Facebook Ireland case about data transfers under the predecessor of the EU-U.S. Privacy Shield Framework, Safe Harbor, which was invalidated as a result of the Schrems I ruling. Fair or unfair, the reality is that the 2013 Edward Snowden revelations continue to cast a long shadow over U.S. surveillance practices.
The Schrems II case addressed the validity of both the Privacy Shield and standard contractual clauses (SCCs). The decision of the CJEU is complex and far-reaching; in a nutshell, the Schrems II decision places additional obligations on companies concerning making lawful transfers of personal data from the EU to the U.S.
Transfers of personal data based on Privacy Shield are now unlawful; however, on a case-by-case basis and with additional stringent controls observed, SCCs remain a valid, legal mechanism for data transfers. Data controllers or processors (for our purposes, cloud providers) that intend to transfer data based on SCCs must ensure that the data subject is granted a level of protection equivalent to that guaranteed by GDPR.
The GDPR’s primary aim is to give individuals (and companies, with respect to their employee and customer data) control over their data, affording transparency regarding how the data is being used, for how long, and for what purpose. U.S. companies must now deploy a transfer mechanism that demonstrates protection for EU residents’ personal data to a standard equivalent to the rights provided under GDPR when personal data is transferred outside of the jurisdiction of the EU.
Virtru: A Solution to Safeguard Data while Fostering Collaboration
Given the market dominance of U.S. cloud and software solution providers (i.e., organizations that fall under the scope of the U.S. CLOUD Act), most companies competing in the EU who leverage cloud technologies and collect consumer data (i.e., organizations that fall under the scope of the Schrems II decision) must face the issue of U.S. vs. EU dogma head-on as they operate. Some may avoid or slow down their adoption of cloud-based technologies, potentially losing out on access and speed to market. Others may choose to only do business with EU or non-U.S. cloud providers, in alignment with the worrisome trend of isolationism and walled gardens that have sprung up around the globe.
Fortunately, another option exists for those businesses, one that enables full participation in the global economy, maintains the benefits of the public cloud, and provides complete control over data access.
Companies competing in the EU can pair the stringent security controls offered through the Virtru technology with SCCs, ensuring compliance with European law post-Schrems II while offering a managed path to authorized access for U.S. government agencies. With Virtru data protection, the European company, not the cloud provider, sets and enforces corporate policy at the data object level, ensuring that data cannot be accessed by any government or other entity seeking access before the data subject’s authorization has been obtained.
Schrems II is a great example of how technology can be architected to deal with conflicting legal constraints and dilemmas. Importantly, as laws or company policies change, as is inevitable, Virtru is flexible and can be adapted to changes in national and international regulation of data. Virtru is cloud- and provider-agnostic, is crypto-agile (including AES-256 encryption), and mandates that keys be managed separately from data, ensuring that no entity can access the data without obtaining consent from the data subject, who retains the ability to grant access.
Specifically, the solution asserts the following:
- Data can be stored on any cloud solution, including those offered by U.S.-based providers. Data can be stored in “non-secured” storage like U.S. cloud solutions (“non-secure” meaning that access is possible due to the U.S. CLOUD Act and not yet technically restricted). This includes using commercial off-the-shelf solutions from Google, Microsoft, Amazon, or other U.S.-based providers.
- Data is wrapped in a layer of protection (encryption). Data is encrypted and wrapped in a secure layer of protection that can only be unlocked by the designated customer or recipient. The cloud provider can still store and serve the data, but because it remains encrypted, the provider is unable to “read” the header of the secure wrapper or the contents of the payload.
- The keys that unlock that protective layer are managed outside of the cloud solution. While encryption is the first step to securing data in the cloud, data sovereignty is only achieved when the keys are managed by the customer or recipient. The solution dictates that the customer or recipient owns and manages the encryption keys and encryption mechanisms outside of the cloud vendor’s control. Virtru offers the capability to store the encryption component on-premises or in a private cloud.
With such a technology solution, data sovereignty can be achieved. Companies can use their preferred cloud solution provider and ensure that the provider is not able to access their data without obtaining consent from the data subject. Data creators must be asked for access to their data and will be able to decide whether to share based on their jurisdictions. This empowers our customers to make their own judgments about how their data can be accessed and used, fostering trust and often leading to increased collaboration.
Encryption: Policymakers’ Prevailing Data Protection Safeguard of Choice
Following the Schrems II decision, in November 2020 the European Data Protection Board (EDPB), the body that oversees the national privacy regulators in each EU member country, adopted guidance that details accepted supplementary measures that provide additional safeguards to mitigate the risks that arise when transferring personal data outside the EU.
The EDPB considers encryption to be an effective supplementary measure if:
- Personal data is processed using strong encryption before transmission.
- The encryption algorithm and its parameterization (e.g., key length, operating mode) can be considered robust against cryptanalysis performed by the public authorities in the recipient country, taking into account the resources and technical capabilities (e.g., computing power for brute-force attacks) available to them.
- The strength of the encryption takes into account the specific period during which the confidentiality of the encrypted personal data must be preserved.
- The encryption algorithm is flawlessly implemented by properly maintained software such that the algorithm chosen has been verified or certified.
- The keys are reliably managed (generated, administered, stored, if relevant linked to the identity of an intended recipient, and revoked).
- The keys are retained solely under the control of the data exporter, or another entity entrusted with this task that resides in the EEA or a third country which the EU considers has adequate levels of data protection.
The rationale of the rule is: if personal data remains properly encrypted with a strong encryption algorithm, only the data exporter (the business in the EU) holds the key to decrypt the data and re-identify the individuals to whom the data belongs. In this scenario, the data exporter is the final controller of the data. Simultaneously, the data importer (the cloud provider) does not have the decryption keys to access the data. Because of this, the EDPB’s guidance is that using end-to-end encryption contributes to the security of processing operations and is a key enabler for EU companies to comply with Schrems II requirements.
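The three-part model described earlier (data stored in any cloud, wrapped in an encryption layer, with keys managed outside the provider's control) and the EDPB conditions just listed (keys linked to an intended recipient, revocable, and retained solely by the exporter) can be shown together in a small program. The following Go example is added here for illustration; it is not Virtru's code and makes no claim about Virtru's formats or protocols. The in-memory key server, the object layout, the `doc-1` identifier, the recipient identity `alice@eu-company.example` and the sample record are all constructed assumptions for the example. It uses AES-256-GCM from the Go standard library, with the access policy bound to the wrapped data key as authenticated additional data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// ProtectedObject is what lands in the untrusted cloud store: readable there as bytes, but nothing in it opens without the exporter-held KEK.
type ProtectedObject struct {
	ID         string
	Recipients map[string]bool // policy: identities allowed to request the data key
	WrappedDEK []byte          // per-object AES-256 data key, sealed under the KEK
	Payload    []byte          // data sealed under the data key
}

// KeyServer models the component the exporter runs on-premises or in a private cloud: it holds the KEK and makes every key-release decision.
type KeyServer struct {
	kek     []byte
	revoked map[string]bool
}

func NewKeyServer() *KeyServer {
	return &KeyServer{kek: randomBytes(32), revoked: map[string]bool{}}
}

// randomBytes panics if the CSPRNG fails: there is no safe fallback for keys or nonces.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds AES-256-GCM; a wrong key length is a programming error here.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal encrypts under a fresh random nonce, which it prepends to the output.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails if the key, the ciphertext or the AAD differ.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead := gcm(key)
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// policyAAD ties the wrapped key to the object ID and recipient set, so editing the policy in storage breaks the GCM tag on the wrapped key.
func policyAAD(id string, recipients map[string]bool) []byte {
	aad, _ := json.Marshal(map[string]interface{}{"id": id, "recipients": recipients})
	return aad
}

// Protect runs before upload: a fresh data key seals the payload, and the KEK seals the data key together with the access policy.
func (ks *KeyServer) Protect(id string, plaintext []byte, recipients map[string]bool) *ProtectedObject {
	dek := randomBytes(32)
	return &ProtectedObject{
		ID:         id,
		Recipients: recipients,
		WrappedDEK: seal(ks.kek, dek, policyAAD(id, recipients)),
		Payload:    seal(dek, plaintext, []byte(id)),
	}
}

// Unlock is the key-release decision: the requester must be in the policy and not revoked; only then is the data key unwrapped and the payload opened.
func (ks *KeyServer) Unlock(obj *ProtectedObject, requester string) ([]byte, error) {
	if ks.revoked[requester] || !obj.Recipients[requester] {
		return nil, fmt.Errorf("%q is not authorized for %q", requester, obj.ID)
	}
	dek, err := open(ks.kek, obj.WrappedDEK, policyAAD(obj.ID, obj.Recipients))
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	return open(dek, obj.Payload, []byte(obj.ID))
}

// Revoke withdraws a recipient's access without touching the stored object.
func (ks *KeyServer) Revoke(requester string) { ks.revoked[requester] = true }

func main() {
	ks := NewKeyServer() // constructed sample below; the recipient identity is hypothetical
	obj := ks.Protect("doc-1", []byte("customer record #42"), map[string]bool{"alice@eu-company.example": true})
	fmt.Println(ks.Unlock(obj, "cloud-provider"))
	fmt.Println(ks.Unlock(obj, "alice@eu-company.example"))
}
```

Four properties of the model are worth checking against the EDPB list. A party that holds only the stored object (the cloud provider's position) cannot open the payload, because the data key is sealed under a KEK that never left the exporter. Editing the recipient set in storage does not help, because the policy is part of the authenticated data on the wrapped key and the tag check fails. Revocation is enforced at the key server without rewriting anything in the cloud. And a different key server, even one running the same software, cannot unwrap the data key. What the example deliberately leaves out is how the requester's identity is authenticated (here it is just a string), key rotation, and an audit trail of key-release decisions; a production key server needs all three.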
In an ever-shifting policy landscape fraught with declining trust, geopolitical strife, and a worldwide pattern of isolationism worsened by the novel coronavirus pandemic, Virtru remains focused on what matters: ensuring data sovereignty, empowering end customers with unique controls over their data, and fostering trusted collaboration across borders. Virtru’s end-to-end encryption, coupled with a distinct infrastructure for key management, gives data subjects the power to control their keys and access to their information, constituting an advanced level of protection.