Question 1

Do you need to have a European company as a partner to protect EU personal data?

Accepted Answer

No. That is one way you could potentially protect EU personal data from compelled access that bypasses EU privacy protections, but it is not the only way.

Question 2

Can this be used to keep data sovereign for other countries and regions?

Accepted Answer

The answer is probably yes, but you should consult with a lawyer on any specific laws.

Question 3

Can encryption be used to protect EU personal data held by U.S. companies from compelled access that bypasses EU privacy protections?

Accepted Answer

Yes. In protecting the data such that data subjects’ rights are preserved, it does. The European Data Protection Board also explicitly notes that encryption keys staying inside the EU is a way to manage access issues. Any encryption scheme attempting to solve this problem needs to meet these criteria:

The private data is meaningfully encrypted – meaning at the application layer so that fetching data from a database returns encrypted values, which is what would be produced in case of a warrant.
The key(s) for decrypting the data remain within the EU or trusted third countries, meaning that to gain access to the keys, legal processes must be used that protect the privacy of EU citizens. Implied in this is that the U.S. company holding the encrypted data can’t produce the keys to decrypt the data since those keys are held by another party such as the customer.
Not mentioned, but of equal importance: the software vendor may be able to decrypt data on their servers for various purposes, but they should not have a way to view or export the data in an unencrypted form.

Question 4

Do you need keys to be stored by an EU company in the EU?

Accepted Answer

The European Data Protection Board provided guidance suggesting as much, but they also haven’t specifically evaluated a lot of scenarios that likely provide equivalent protection:

For example, Amazon claims they can’t produce unencrypted keys due to how their systems are designed. The master keys they hold are generated and held by hardware security modules and can’t be extracted from those. Subkeys are encrypted with those inaccessible root keys.
Some cloud providers also support making calls out to remote KMSes. For example, Google Cloud Platform has an integration with Thales that allows a Thales appliance to be the root of trust and to hold the master key that is needed to unlock other keys in the system.

The safest thing would be to use an EU KMS provider in some form.

Question 5

What if a U.S. FISA court tries to compel access?

Accepted Answer

For IronCore Labs:

We don’t have any data of value – not that we can decrypt – so it’s unlikely they’d do this.
If they should anyway, we’ll respond appropriately to lawful requests, but that means delivering back encrypted data.

For our customers:

As long as the data you pull off of disk or out of a database is encrypted (because it was encrypted before being sent to the data store using application-layer encryption) and as long as you can’t produce the keys, then complying with a court order means producing data that is encrypted, which poses no harm to EU citizens.

Question 6

If a company can access a KMS to decrypt the data it holds, can’t a court mandate that they use that access to produce the data?

Accepted Answer

Not if the company doesn’t have a way already built into their software to extract the decrypted data.

In a properly designed system, the only way to produce the decrypted data would be to write software that decrypts it and writes it to disk. This should go against contractual promises, which means the U.S . government would have to have the power to compel a software company to build a backdoor that undermines its own security system.

Question 7

What about the new Trans-Atlantic Data Privacy Framework (TADPF)?

Accepted Answer

A new trans-atlantic framework was agreed upon between the U.S. and EU that once again allows GDPR-compliant transfers of data to happen. This makes it far easier for U.S. companies to hold the private data of EU citizens, though it is still subject to the various rights and to the duties of care like the requirements for data protection by design.

In the last decade, we’ve had agreements in place for a year or two put there by politicians, then no agreements for a year or two as the courts strike them down, then rinse-wash-repeat. In our view, taking technical measures to deal with privacy will mean that the ups and downs of data transfer frameworks can be ignored.

Experts are skeptical this will survive a challenge

It’s no surprise that, after all the many ups and downs over the years, the software industry and legal experts are skeptical of the Trans-Atlantic Data Privacy Framework surviving a challenge.

Max Schrems, lead litigant in the “Schrems I” and “Schrems II” cases before the CJEU, released his initial reaction to the Trans-Atlantic Data Privacy Framework announcement and had this to say:

”We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now. The deal was apparently a symbol that von der Leyen wanted, but does not have support among experts in Brussels, as the U.S. did not move. It is especially appalling that the U.S. has allegedly used the war on Ukraine to push the EU on this economic matter.”

“It is regrettable that the EU and U.S. have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.”

Technical measures for GDPR and data sovereignty

How to use encryption to create appropriate safeguards for EU personal data, meet GDPR requirements for international transfers, and work around Schrems II

The complexity of holding EU personal data

Avoid gray areas with technical solutions

Data sovereignty encryption patterns

End-to-end encryption

Bring your own key (BYOK)

Benefits of encryption solutions

Schrems II FAQ