Technical measures for GDPR and data sovereignty
How to use encryption to create appropriate safeguards for EU personal data, meet GDPR requirements for international transfers, and work around Schrems II

The complexity of holding EU personal data
The data of EU citizens can only flow to nations that have adequate privacy protections. The U.S. does not guarantee privacy to non-U.S. citizens, which conflicts with EU constitutional privacy guarantees and with GDPR.
As a consequence, agreements between the U.S. and EU have repeatedly been struck down. Most recently, the EU-U.S. Privacy Shield Framework was struck down in a case called Schrems II.
In 2020, when the Court of Justice of the European Union ruled that the framework was invalid, they cited U.S. intelligence overreach and the lack of redress options for EU citizens. That left U.S. companies once again without a legal basis for holding EU personal data.
The rollercoaster ride of data protection agreements and policies has led to uncertainty, lost business, and numerous lawsuits seeking to halt U.S. software companies from doing business in Europe.
Avoid gray areas with technical solutions
Encryption, when used appropriately, safeguards access to EU personal data by ensuring that any access goes through due process that meets EU privacy standards. One way to achieve this is to arrange key custody so that U.S. government agencies have to work with their counterparts in the EU to get access to EU personal data.
There are two encryption patterns that accomplish these goals.
Data sovereignty encryption patterns
End-to-end encryption
Data is encrypted and decrypted on user devices, and the software companies holding the data don’t have access to the keys needed to decrypt it. Their servers never see anything but meaningless bytes.
A government agency wanting access to the data will either need to compel it from the data owner, gain access to an authorized device that holds the key, or otherwise break or undermine the system.
Bring your own key (BYOK)
Data is encrypted before being sent to the database or disk and the software company does not hold the keys needed to decrypt sensitive customer data.
For this to be effective, BYOK must be implemented in such a way that a U.S. agency would have to compel the software company to write code that undermines its own access controls and security measures in order to get at the unencrypted data.
Benefits of encryption solutions
Schrems II FAQ
Do you need to have a European company as a partner to protect EU personal data?
Can this be used to keep data sovereign for other countries and regions?
Can encryption be used to protect EU personal data held by U.S. companies from compelled access that bypasses EU privacy protections?
Yes. In protecting the data such that data subjects’ rights are preserved, it does. The European Data Protection Board also explicitly notes that encryption keys staying inside the EU is a way to manage access issues. Any encryption scheme attempting to solve this problem needs to meet these criteria:
- The private data is meaningfully encrypted, meaning at the application layer, so that fetching data from a database returns encrypted values, which is what would be produced in case of a warrant.
- The key(s) for decrypting the data remain within the EU or trusted third countries, meaning that to gain access to the keys, legal processes must be used that protect the privacy of EU citizens. Implied in this is that the U.S. company holding the encrypted data can’t produce the keys to decrypt the data, since those keys are held by another party such as the customer.
- Not mentioned, but of equal importance: the software vendor may be able to decrypt data on their servers for various purposes, but they should not have a way to view or export the data in an unencrypted form.
Do you need keys to be stored by an EU company in the EU?
The European Data Protection Board provided guidance suggesting as much, but they also haven’t specifically evaluated a lot of scenarios that likely provide equivalent protection:
- For example, Amazon claims they can’t produce unencrypted keys due to how their systems are designed. The master keys they hold are generated and held by hardware security modules and can’t be extracted from those. Subkeys are encrypted with those inaccessible root keys.
- Some cloud providers also support making calls out to remote KMSes. For example, Google Cloud Platform has an integration with Thales that allows a Thales appliance to be the root of trust and to hold the master key that is needed to unlock other keys in the system.
The safest thing would be to use an EU KMS provider in some form.
What if a U.S. FISA court tries to compel access?
For IronCore Labs:
- We don’t have any data of value – not that we can decrypt – so it’s unlikely they’d do this.
- If they should anyway, we’ll respond appropriately to lawful requests, but that means delivering back encrypted data.
For our customers:
- As long as the data you pull off of disk or out of a database is encrypted (because it was encrypted before being sent to the data store using application-layer encryption) and as long as you can’t produce the keys, then complying with a court order means producing data that is encrypted, which poses no harm to EU citizens.
If a company can access a KMS to decrypt the data it holds, can’t a court mandate that they use that access to produce the data?
Not if the company doesn’t have a way already built into their software to extract the decrypted data.
In a properly designed system, the only way to produce the decrypted data would be to write software that decrypts it and writes it to disk. This would go against contractual promises, which means the U.S. government would have to have the power to compel a software company to build a backdoor that undermines its own security system.
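The criteria listed under the first FAQ answer (application-layer encryption, keys held by another party such as the customer, no built-in export path for plaintext) and the wrapped-subkey design mentioned under the KMS question come together in envelope encryption. The following Go program is an added illustration, not IronCore Labs code and not any real KMS API: a hypothetical `CustomerKMS` stands in for a key service the customer runs inside the EU, and a hypothetical `VendorService` stands in for the U.S. vendor's application and database. Each record gets its own data key, which is wrapped by the customer's key-encryption key. The vendor's store holds only ciphertext and wrapped keys, so `RawRead` (a database dump, or what would be handed over in response to a court order) yields nothing readable; every `Read` has to go through the customer's KMS, where it is audited; and `Revoke` lets the customer cut off decryption entirely. AES-256-GCM from Go's standard library is used throughout, with the record ID as associated data so a ciphertext cannot be replayed under another record; the sample record in the comments is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// aeadSeal encrypts under a 32-byte AES-256-GCM key and returns nonce||ciphertext; aad binds the blob to its record.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; it fails on a wrong key, wrong aad or tampered bytes.
func aeadOpen(key, data, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(data) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// CustomerKMS is a hypothetical key service the customer runs inside the EU. It holds the key-encryption
// key (KEK), only wraps/unwraps per-record data keys, logs every unwrap, and can revoke the vendor outright.
type CustomerKMS struct {
	kek     []byte
	enabled bool
	Audit   []string
}

func NewCustomerKMS() (*CustomerKMS, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil { return nil, err }
	return &CustomerKMS{kek: kek, enabled: true}, nil
}

func (k *CustomerKMS) Wrap(dek []byte, recordID string) ([]byte, error) {
	return aeadSeal(k.kek, dek, []byte(recordID))
}

func (k *CustomerKMS) Unwrap(wrapped []byte, recordID, reason string) ([]byte, error) {
	k.Audit = append(k.Audit, fmt.Sprintf("unwrap record=%s reason=%q", recordID, reason))
	if !k.enabled { return nil, errors.New("kms: vendor access revoked by customer") }
	return aeadOpen(k.kek, wrapped, []byte(recordID))
}

func (k *CustomerKMS) Revoke() { k.enabled = false }

// Record is all the vendor's database ever holds: ciphertext plus a wrapped data key.
type Record struct{ Ciphertext, WrappedDEK []byte }

// VendorService models the U.S. software company: it owns the database but has no KEK.
type VendorService struct {
	db  map[string]Record
	kms *CustomerKMS
}

func NewVendorService(kms *CustomerKMS) *VendorService {
	return &VendorService{db: map[string]Record{}, kms: kms}
}

// Store encrypts at the application layer, before anything reaches the data store.
func (v *VendorService) Store(recordID string, plaintext []byte) error {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return err }
	ct, err := aeadSeal(dek, plaintext, []byte(recordID))
	if err != nil { return err }
	wrapped, err := v.kms.Wrap(dek, recordID)
	if err != nil { return err }
	v.db[recordID] = Record{Ciphertext: ct, WrappedDEK: wrapped}
	return nil
}

// RawRead is what a database dump, or a demand to hand over "the data", yields: no plaintext.
func (v *VendorService) RawRead(recordID string) (Record, bool) {
	rec, ok := v.db[recordID]
	return rec, ok
}

// Read decrypts one record for a stated purpose; the only path to plaintext runs through the customer's KMS.
func (v *VendorService) Read(recordID, reason string) ([]byte, error) {
	rec, ok := v.db[recordID]
	if !ok { return nil, errors.New("no such record") }
	dek, err := v.kms.Unwrap(rec.WrappedDEK, recordID, reason)
	if err != nil { return nil, err }
	return aeadOpen(dek, rec.Ciphertext, []byte(recordID))
}
```

To exercise it, create a `CustomerKMS`, wrap it in a `VendorService`, `Store` a constructed record such as `Anna Example <anna@example.eu>` under an ID, and compare what `RawRead` returns (random-looking bytes) with what `Read` returns after an audited unwrap; after `Revoke`, `Read` fails and the attempt still lands in `kms.Audit`. Two properties are worth checking in a real deployment against this model: that no code path writes the output of `Read` anywhere persistent (the export the answer above warns against), and that the KMS audit trail is retained on the customer's side, since it is the record of who decrypted what and why.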
What about the new Trans-Atlantic Data Privacy Framework (TADPF)?
A new Trans-Atlantic framework was agreed upon between the U.S. and the EU that once again allows GDPR-compliant transfers of data to happen. This makes it far easier for U.S. companies to hold the private data of EU citizens, though such transfers are still subject to the various data subject rights and to duties of care such as the requirement for data protection by design.
In the last decade, we’ve had agreements in place for a year or two put there by politicians, then no agreements for a year or two as the courts strike them down, then rinse-wash-repeat. In our view, taking technical measures to deal with privacy will mean that the ups and downs of data transfer frameworks can be ignored.
Experts are skeptical this will survive a challenge
It’s no surprise that, after all the many ups and downs over the years, the software industry and legal experts are skeptical of the Trans-Atlantic Data Privacy Framework surviving a challenge.
Max Schrems, lead litigant in the “Schrems I” and “Schrems II” cases before the CJEU, released his initial reaction to the Trans-Atlantic Data Privacy Framework announcement and had this to say:
“We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now. The deal was apparently a symbol that von der Leyen wanted, but does not have support among experts in Brussels, as the U.S. did not move. It is especially appalling that the U.S. has allegedly used the war on Ukraine to push the EU on this economic matter.”
“It is regrettable that the EU and U.S. have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.”