Technical measures for GDPR and data sovereignty

How to use encryption to create appropriate safeguards for EU personal data, meet GDPR requirements for international transfers, and address the consequences of Schrems II

The complexity of holding EU personal data

Personal data of people in the EU may only be transferred to countries that guarantee an adequate level of protection, or under appropriate safeguards. U.S. law does not extend its constitutional privacy protections to non-U.S. persons, which conflicts with the EU's fundamental-rights guarantees and with GDPR.

As a consequence, the transfer agreements struck between the U.S. and the EU have repeatedly been invalidated: first Safe Harbor (Schrems I, 2015) and most recently the EU-U.S. Privacy Shield Framework, in the case known as Schrems II.

In 2020, when the Court of Justice of the European Union ruled the framework invalid, it cited the breadth of U.S. intelligence surveillance and the lack of effective redress for EU data subjects. Standard contractual clauses survived the ruling, but only where the exporter can show that local law does not undermine them, which in practice means adding supplementary measures. That left U.S. companies once again without a framework they could simply sign up to in order to receive EU personal data.

The rollercoaster ride of data protection agreements and policies has led to uncertainty, lost business, and numerous lawsuits seeking to halt U.S. software companies from doing business in Europe.

Avoid gray areas with technical solutions

Encryption, used appropriately, is a technical safeguard: it ensures that access to EU personal data can only be obtained through a legal process that meets EU privacy standards. If the only parties able to decrypt the data are in the EU, a U.S. government agency seeking access has to work through its EU counterparts (for example via mutual legal assistance) rather than compelling the U.S. software company, which holds nothing it can decrypt.

There are two encryption patterns that accomplish these goals.

Data sovereignty encryption patterns

End-to-end encryption

Data is encrypted and decrypted on user devices, and the software company holding the data never has the keys needed to decrypt it. Its servers see only ciphertext.

A government agency wanting the data must compel it from the data owner, gain access to an authorized device that holds the key, or otherwise break or undermine the system. The remaining weak point is the client software itself: whoever ships it could be compelled to ship a version that leaks keys, so the pattern is only as strong as the integrity of the client.

Bring your own key (BYOK)

Data is encrypted at the application layer before it is written to the database or disk, and the customer supplies and controls the key material (typically in a key management service or HSM the customer operates). The software company's application can use the key only for as long as the customer permits, and the company never holds the customer's master key itself.

For this to be effective, BYOK must be implemented so that the software company cannot quietly decrypt data on request: a U.S. agency would have to compel the company to change its software to bypass its own access controls and security measures before it could get at the plaintext. The customer should also be able to see every use of its key and revoke it, at which point everything encrypted under it becomes unreadable to the software company.
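The BYOK pattern in miniature, as an added example that is not code from the original page or from any product. The customer-operated key service is simulated in-process by a KMS type that holds one AES-256 master key per tenant and exposes only wrap and unwrap; the application side generates a fresh data key per record, encrypts the record with AES-256-GCM, binds the tenant and record IDs as associated data so a ciphertext cannot be moved between rows or tenants, and stores only ciphertext plus the wrapped data key. Revoking a tenant's master key makes that tenant's data unreadable to the service. Every name (KMS, Record, Encrypt, Decrypt, Wrap, Unwrap) and the sample record are constructed for this example; in a real deployment the wrap and unwrap calls go over the network to the customer's KMS or HSM and are logged there, and the end-to-end pattern differs only in that the key never leaves the user's device.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is what the service persists: ciphertext plus the per-record data key
// wrapped under the tenant's master key. Neither part decrypts without the KMS.
type Record struct {
	TenantID, RecordID string
	Ciphertext         []byte // nonce || AES-256-GCM ciphertext of the data
	WrappedDEK         []byte // nonce || AES-256-GCM ciphertext of the data key
}

// KMS stands in for the customer-operated key service (assumption: a real
// deployment calls the customer's KMS or HSM over the network). The service only
// asks it to wrap or unwrap data keys and never receives a master key.
type KMS map[string]cipher.AEAD // tenant ID -> AES-256-GCM under the tenant's master key

// AddTenant provisions a fresh master key. Revoke deletes it, which makes every
// data key wrapped under it unrecoverable to the service: the customer's kill switch.
func (k KMS) AddTenant(tenant string) { k[tenant] = newAEAD(randBytes(32)) }
func (k KMS) Revoke(tenant string)    { delete(k, tenant) }

// Wrap encrypts a data key under the tenant's master key, binding the tenant ID
// as associated data so the blob cannot be replayed as another tenant's.
func (k KMS) Wrap(tenant string, dek []byte) ([]byte, error) {
	kek, ok := k[tenant]
	if !ok {
		return nil, fmt.Errorf("tenant %q: master key unavailable or revoked", tenant)
	}
	return seal(kek, dek, []byte(tenant)), nil
}

// Unwrap reverses Wrap; it fails once the tenant has revoked its key.
func (k KMS) Unwrap(tenant string, wrapped []byte) ([]byte, error) {
	kek, ok := k[tenant]
	if !ok {
		return nil, fmt.Errorf("tenant %q: master key unavailable or revoked", tenant)
	}
	return open(kek, wrapped, []byte(tenant))
}

// Encrypt is the application-layer side: a random per-record data key encrypts
// the plaintext (tenant and record IDs bound as associated data, so ciphertext
// cannot be moved between rows) and only the wrapped data key is stored with it.
func Encrypt(kms KMS, tenant, recordID string, plaintext []byte) (*Record, error) {
	dek := randBytes(32)
	wrapped, err := kms.Wrap(tenant, dek)
	if err != nil {
		return nil, err
	}
	ct := seal(newAEAD(dek), plaintext, []byte(tenant+"/"+recordID))
	return &Record{TenantID: tenant, RecordID: recordID, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt needs the tenant's KMS on every read; without it the service holds
// nothing but ciphertext.
func Decrypt(kms KMS, rec *Record) ([]byte, error) {
	dek, err := kms.Unwrap(rec.TenantID, rec.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(newAEAD(dek), rec.Ciphertext, []byte(rec.TenantID+"/"+rec.RecordID))
}

// seal returns nonce || ciphertext; open reverses it and fails on a wrong key,
// wrong associated data or modified ciphertext.
func seal(aead cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

func open(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a wrong key length: a bug, not a runtime condition
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for a standard 16-byte AES block
	return aead
}

// randBytes draws from crypto/rand; a failing CSPRNG is fatal for a key service.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func main() {
	kms := KMS{}
	kms.AddTenant("acme-eu")
	rec, _ := Encrypt(kms, "acme-eu", "user-42", []byte("Jane Doe <jane@example.eu>")) // constructed sample
	kms.Revoke("acme-eu")
	fmt.Println(Decrypt(kms, rec)) // fails: the tenant's master key is gone
}
```

Two details carry the security argument. The data key is wrapped with the tenant ID as associated data and the record is sealed with tenant and record IDs as associated data, so an operator with database access cannot re-home a wrapped key or a ciphertext under a different tenant or row. And the service never sees the master key: once the customer revokes it, both Decrypt and Encrypt for that tenant fail, which is exactly the position a U.S. provider wants to be in when it receives a demand for EU data.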

Benefits of encryption solutions

Safeguard sensitive data against misconfigurations, a leading root cause of data exposure
Add defense in depth with a layer that keeps sensitive data encrypted even when an attacker reaches the database, its backups, or the disk
Reduce breach-notification obligations: under GDPR Article 34(3)(a) you need not notify data subjects when the stolen data was encrypted and the key was not compromised (the supervisory authority may still need to be notified)
Help meet data privacy regulations such as CCPA and GDPR
Serve as a supplementary measure for transfers of data out of the EU following the Schrems II case
Start quickly with a single slice of data, then ramp up iteratively with low investment
Address customer security concerns by segmenting data by service or tenant and securing each segment with its own master key
Pair application-layer encryption with encrypted search to keep data both protected and usable

Schrems II FAQ