Technical measures for GDPR and data sovereignty
How to use encryption to create appropriate safeguards for EU personal data, meet GDPR requirements for international transfers, and work around Schrems II
The complexity of holding EU personal data
The data of EU citizens can only flow to nations that have adequate privacy protections. The U.S. does not gurantee privacy to any non-U.S. citizens, which conflicts with EU constitutional privacy guranatees and GDPR.
As a consequence, agreements between the U.S. and EU have repeatedly been struck down. Most recently, the EU-U.S. Privacy Shield Framework was struck down in a case called Schrems II.
In 2020, when the Court of Justice of the European Union ruled that the framework was invalid, they cited U.S. intelligence overreach and the lack of redress options for EU citizens. That left U.S. companies once again without a legal basis for holding EU personal data.
The rollercoaster ride of data protection agreements and policies has led to uncertainty, lost business, and numerous lawsuits seeking to halt U.S. software companies from doing business in Europe.
Avoid gray areas with technical solutions
Encryption, when used appropriately, safeguards access to EU personal data by ensuring due process that meets EU privacy standards. One way to achieve this is to make U.S. government agencies work with their counterparts in the EU to get access to EU personal data.
There are two encryption patterns that accomplish these goals.
Data sovereignty encryption patterns
End-to-end encryption
Data is encrypted and decrypted on user devices, and the software companies holding the data don’t have access to the keys needed to decrypt it. Their servers never see anything but meaningless bytes.
A government agency wanting access to the data will either need to compel it from the data owner, gain access to an authorized device that holds the key, or otherwise break or undermine the system.
Bring your own key (BYOK)
Data is encrypted before being sent to the database or disk and the software company does not hold the keys needed to decrypt sensitive customer data.
For this to be effective, BYOK must be implemented in such a way that a U.S. agency would have to compel the software company to write code that undermines their access controls and security measures to get access to the unencrypted data.