We're hiring new talents!

Contents

Data Analytics

Legal Overview: Data Ana­lyt­ics lever­ag­ing Con­fi­den­tial Computing

Intro­duc­tion

Data is the new cur­ren­cy, as count­less busi­ness exec­u­tives around the world have already agreed on [1]. Com­pa­nies share a mas­sive shift to dig­i­tal trans­for­ma­tion, which also pro­vides great oppor­tu­ni­ties in terms of the data used. Data has a mas­sive val­ue and know­ing how to attract and extract it, can deter­mine the eco­nom­ic growth of enter­pris­es. This trans­la­tion of the raw data into valu­able insights comes with great com­plex­i­ty, both tech­no­log­i­cal and reg­u­la­to­ry. We see enter­pris­es increas­ing the bud­get for new tech­nolo­gies like AI machine learn­ing to learn to extract such data val­ue. Data ana­lyt­ics has, thus, become a high­ly valu­able source for busi­ness­es worldwide.

At the same time, high legal and reg­u­la­to­ry stan­dards enhance the com­plex­i­ty fur­ther. Espe­cial­ly in today’s con­text, ensur­ing data pro­tec­tion com­pli­ance proves to be hard­er than ever. Orga­ni­za­tions are not using Excel files and the fax in the back office any­more. Nowa­days, com­pa­nies rely heav­i­ly on a shared pro­cess­ing land­scape, with exter­nal data pro­cess­ing infra­struc­ture and ser­vices, and col­lab­o­ra­tion tools across the orga­ni­za­tion as well as with the out­side world. Con­se­quent­ly, ensur­ing a com­pli­ant use of per­son­al data is not as easy as it was back in the day. Now, com­pli­ance man­agers must also ensure com­pli­ance with any exter­nal data proces­sors used and oth­er third par­ties they work with. 

Fur­ther­more, dur­ing data trans­fer to (unsafe) third coun­tries, it is cru­cial to ensure that third par­ties can­not access the data even while it is being processed in the Cloud.

Thus, more than ever, IT com­pli­ance con­cern­ing data secu­ri­ty, espe­cial­ly for data ana­lyt­ics pur­pos­es, becomes more dif­fi­cult due to IT infra­struc­ture net­work­ing and third-par­ty process­es as well as cross-bor­der transfer.

ECJ rul­ing: Schrems II

To bet­ter under­stand the impor­tance of new tech­nol­o­gy mea­sures to ensure legal and reg­u­la­to­ry com­pli­ance for data ana­lyt­ics, it is impor­tant to grasp the legal changes with­in IT compliance.

Cross-bor­der data trans­fer to the US has been a prob­lem for decades. Already under the Data Pro­tec­tion Direc­tive 95/46/EG, the EU Com­mis­sion had agreed upon the so-called Safe Har­bor Agree­ment in 2000, which offered data recip­i­ents the option of cer­ti­fi­ca­tion and sub­se­quent­ly per­mit­ted legal­ly com­pli­ant data trans­fer. This deci­sion was declared invalid by the ECJ in 2015 (the so-called Schrems I deci­sion) [2]. The EU and the US respond­ed in 2016 by agree­ing on a new agree­ment called the EU-US Pri­va­cy Shield [3]. The Euro­pean Com­mis­sion has declared cer­tain non-EU coun­tries to have equiv­a­lent data pro­tec­tion safe­guards to the EU itself. As a result, orga­ni­za­tions in these coun­tries can freely trans­fer the data of EU cit­i­zens with­out the need for addi­tion­al secu­ri­ty mech­a­nisms. But the Pri­va­cy Shield met the same fate as the Safe Har­bor Agree­ment with the Schrems II deci­sion of the ECJ on July 16, 2020 [4].

In its rul­ing, the court clar­i­fies that even with cer­ti­fi­ca­tion accord­ing to the Pri­va­cy Shield, no ade­quate lev­el of pro­tec­tion with­in the mean­ing of Art. 45 GDPR can be assumed. It jus­ti­fies its deci­sion with the con­cern that US intel­li­gence ser­vices might use data trans­fer to solic­it access to EU cit­i­zens’ per­son­al data.

This cur­rent legal sit­u­a­tion pos­es chal­lenges for com­pa­nies of all sizes, espe­cial­ly when using Cloud com­put­ing. The top­ic is par­tic­u­lar­ly impor­tant because major providers of Cloud com­put­ing ser­vices have their serv­er loca­tion or their head­quar­ters in the US. In this respect, the so-called CLOUD Act of 2018 [5] must also be con­sid­ered, which, under cer­tain con­di­tions, allows US author­i­ties to access data stored in data cen­ters out­side the USA. And in prac­tice, com­plete or par­tial reliance on ser­vice providers with­out US-based head­quar­ters or serv­er loca­tion is near­ly impos­si­ble. This makes it even more urgent to devel­op tech­ni­cal and orga­ni­za­tion­al mea­sures that make it pos­si­ble, fol­low­ing ECJ case law, to con­tin­ue to make data trans­fers legal­ly com­pli­ant with an appro­pri­ate lev­el of secu­ri­ty in the future.

Con­fi­den­tial Com­put­ing as the new key driver

Overview of the solution

We already talked about what Con­fi­den­tial Com­put­ing is and how exact­ly the tech­nol­o­gy works. For a holis­tic overview of the solu­tion, please check out our Con­fi­den­tial Com­put­ing Explained blog post.

For the pur­pose of this arti­cle, we can sum it up as follows: 

The tech­ni­cal trade­mark of Con­fi­den­tial Com­put­ing lies in the fact that it enables the com­plete pro­tec­tion of the data. Not only when stored (“data at rest”) and trans­port­ed (“data in motion”) but also dur­ing pro­cess­ing (“data in use”). In par­tic­u­lar, Con­fi­den­tial Com­put­ing allows data to be processed in an iso­lat­ed, encrypt­ed form. Only the user with the appro­pri­ate key can recon­struct the data. 

A pre­req­ui­site for con­fi­den­tial com­put­ing is the use of com­put­er proces­sors (“CPUs”) with spe­cial secu­ri­ty exten­sions (e.g., Intel SGX/TDX, AMD SME/SVE). Numer­ous providers have already launched cor­re­spond­ing tech­ni­cal solu­tions, includ­ing the hyper­scaler Microsoft, AWS, IBM, and Google. With the help of these secu­ri­ty exten­sions, a com­put­er pro­gram and its data are sub­ject to the exclu­sive con­trol of the CPU: The data is now being processed in an encrypt­ed exe­cu­tion envi­ron­ment, the so-called enclave. Only the proces­sor can decrypt the data, process it, and store it encrypt­ed again in mem­o­ry. The result of enclav­ing is that data pro­cess­ing stays in iso­la­tion from the oper­at­ing sys­tem and the appli­ca­tions run­ning on it. Dur­ing pro­cess­ing, nei­ther the (Cloud) ser­vice provider nor the admin­is­tra­tor or a (com­pro­mis­ing) third par­ty has access to the data.

Anoth­er impor­tant prop­er­ty of Con­fi­den­tial Com­put­ing is the attes­ta­tion of the enclave. This takes into account the pre­req­ui­site that the user must be able to know whether the data pro­cess­ing takes place in the enclave or a non-pro­tect­ed exe­cu­tion envi­ron­ment, espe­cial­ly if the Cloud infra­struc­ture is pro­vid­ed by a third par­ty. With the help of cryp­to­graph­ic pro­to­cols (“remote attes­ta­tion”), the CPU can audit the exe­cu­tion of the enclave and gen­er­ate proof not only that the data pro­cess­ing took place in an enclave, but also that the data pro­cess­ing is com­pli­ant with reg­u­la­tions and per­son­al data stays anonym. Data con­trollers can there­fore attest that the data pri­va­cy is pro­tect­ed in con­for­mance with the data pro­tec­tion regulations. 

Prac­ti­cal Exam­ple for Data Analytics

It’s rea­son­able to argue then, that data ana­lyt­ics solu­tions lever­ag­ing Con­fi­den­tial Com­put­ing could ful­fil these reg­u­la­to­ry hur­dles. To illus­trate how Con­fi­den­tial Com­put­ing may help improve data pro­tec­tion com­pli­ance, let’s explain it using the fol­low­ing use case [6]:

We are a glob­al phar­ma­ceu­ti­cal com­pa­ny, with a US-based head­quar­ter. We want to join forces with health­care providers and gov­ern­ment bod­ies in the EU to devel­op a drug against can­cer. For this pur­pose, we are putting togeth­er dif­fer­ent data streams for joint analy­sis: health­care providers share the high­ly sen­si­tive per­son­al health data of the users, we as a phar­ma­ceu­ti­cal com­pa­ny share the data we col­lect­ed with­in our sec­tor and togeth­er we hope to gain valu­able patient behav­iour insights to proac­tive­ly devel­op an effi­cient can­cer treat­ment. Our insights will be based on new tech­nolo­gies such as AI algorithms.

How­ev­er, before we engage in these joint data ana­lyt­ics, we dis­cuss the fol­low­ing key reg­u­la­to­ry chal­lenges we will be facing:

  • Data secu­ri­ty: what kind of secu­ri­ty mea­sures do we need to pre­vent any unau­tho­rized access to this high­ly sen­si­tive data? Data can­not be leaked to any of the insid­ers, or the out­siders involved (i.e., infra­struc­ture providers)? [7]
  • Data pri­va­cy: how do we ensure the pro­tec­tion of per­son­al data through­out the data life­cy­cle (i.e., while the data is at rest, in tran­sit, or dur­ing pro­cess­ing)? [8]
  • Cross-Bor­der Data Trans­fer: what ade­quate lev­el of data pro­tec­tion can we pro­vide for the per­son­al data while trans­fer­ring it across bor­ders to our US servers? [9]
  1. The Poten­tial of Con­fi­den­tial Com­put­ing after Schrems II

How can we ensure that this col­lab­o­ra­tion can take place while meet­ing the require­ments of GDPR and Schrems II? Let’s look at each of these chal­lenges in detail.

Data secu­ri­ty

First, we need to under­take the nec­es­sary tech­ni­cal mea­sures to ensure no acci­den­tal or unau­tho­rized access to the data shared. This refers to both the data pro­cess­ing with­in our com­pa­ny but also when rely­ing on third-par­ty pro­cess­ing. Fur­ther­more, fol­low­ing EDPB’s rec­om­men­da­tions, it is required that the sup­ple­men­tary tech­ni­cal mea­sures used alone or in com­bi­na­tion with con­trac­tu­al or orga­ni­za­tion­al mea­sures shall be “state-of-the-art” [10].

For joint ana­lyt­ics involv­ing mul­ti­ple par­ties as in our exam­ple here, we would rely on a Cloud-based ana­lyt­ics solu­tion. This also means that the par­ties with­in our exam­ple need to extend their trust to the provider of this data ana­lyt­ics solu­tion. How­ev­er, as data breach­es are fre­quent, it is under­stand­able that busi­ness­es are reluc­tant to extend their trust to Cloud-based solu­tions. Fur­ther­more, since the data used is high­ly sen­si­tive, the bench­mark of the tech­ni­cal­ly enforced pro­tec­tion must be very high. 

A data ana­lyt­ics solu­tion using Con­fi­den­tial Com­put­ing tech­nol­o­gy could be the answer to this lack of trust. The CPU stores the cryp­to­graph­ic key, ensur­ing the integri­ty of the code that is pro­cess­ing the per­son­al data. It keeps infor­ma­tion away not only from Cloud or infra­struc­ture providers but also from (com­pro­mised) exter­nal par­ties. Thus, if mal­ware or unau­tho­rized code tries to access the encryp­tion keys the CPU denies access and can­cels the com­pu­ta­tion. In this way, sen­si­tive data remain pro­tect­ed with­in these enclaves for the entire data life­cy­cle time. And con­sid­er­ing this, it is not unlike­ly that Con­fi­den­tial Com­put­ing will become a state-of-the-art of data-secu­ri­ty method in the field of data pro­cess­ing in the fore­see­able future [11].

Data Pri­va­cy

Anoth­er impor­tant aspect our actors in the prac­ti­cal exam­ple above need to con­sid­er is how to ensure data pri­va­cy. To do so, they must first assess the like­ly effect of pro­cess­ing per­son­al data on the rights and free­doms of the data sub­jects and then design the pro­cess­ing in such a way as to pre­vent or min­i­mize the risk of inter­fer­ence with those rights and free­doms from col­lec­tion to dis­pos­al of data [12].

Specif­i­cal­ly for our data ana­lyt­ics exam­ple, we need to con­sid­er the fol­low­ing key data pro­tec­tion principles:

  • Pur­pose lim­i­ta­tion: con­trollers must col­lect per­son­al data only for explic­it, spec­i­fied, and legit­i­mate pur­pos­es. Pro­cess­ing the data in a way that is incom­pat­i­ble with these pur­pos­es is not allowed [13].
  • Pro­por­tion­al­i­ty and Data Min­i­miza­tion: the pro­cess­ing of per­son­al data must be pro­por­tion­ate to the legit­i­mate pur­pose pur­sued and reflect at all stages of the pro­cess­ing a fair bal­ance between the inter­ests con­cerned [14].
  • Account­abil­i­ty: con­trollers shall be able to demon­strate com­pli­ance of their data pro­cess­ing with applic­a­ble data pro­tec­tion prin­ci­ples and require­ments at all times [15].

Look­ing at the sec­tion above where Con­fi­den­tial Com­put­ing tech­nol­o­gy was briefly explained, we can deter­mine, that a data ana­lyt­ics solu­tion that relies on such Con­fi­den­tial Con­tain­ers tech­nol­o­gy ful­fils all the key data pro­tec­tion prin­ci­ples and require­ments. It enforces the tech­ni­cal­ly required prin­ci­ples but also ensures a remote attes­ta­tion at any giv­en moment. This allows data con­trollers to demon­strate data com­pli­ance through­out the entire ana­lyt­ics cycle.

Cross-Bor­der Data Transfer

Con­sid­er­ing cross-bor­der trans­fers between the EU and US (or oth­er non-EU coun­tries), there are only the fol­low­ing options to regard:

  • Do not use the per­son­al data of EU cit­i­zens out­side of the EU
  • Encrypt all per­son­al data trans­ferred out­side the EU
  • Fall into an excep­tion to trans­fer data, stip­u­lat­ed in Arti­cle 49 of the GDPR

Arti­cle 49 of the GDPR states that data trans­fer from the EU to third coun­tries can take place even in the absence of appro­pri­ate safe­guards if there is the explic­it con­sent of the data subject:

  • Nec­es­sary for the per­for­mance of a con­tract between the data sub­ject and the controller 
  • nec­es­sary for impor­tant rea­sons of pub­lic interest
  • nec­es­sary for legal claims
  • nec­es­sary to pro­tect the vital inter­ests of the data sub­ject or oth­er persons.

But as such excep­tions are not the norm, the real option remains to encrypt per­son­al data that leaves the EU. Con­se­quent­ly, no gov­ern­ment or oth­er orga­ni­za­tions can tap into sur­veilling, demand­ing encryp­tion keys. 

Sim­i­lar to arti­cles 25 and 32 of the GDPR, EDPB requires that the sup­ple­men­tary tech­ni­cal mea­sures shall be state-of-the-art. Encrypt­ing the data before trans­fer­ring it is pre­sumed one of the most impor­tant tech­ni­cal mea­sures. Here, EDPB also states that the encryp­tion keys must stay with­in the Euro­pean Eco­nom­ic Area (EEA).

The legal uncer­tain­ty sur­round­ing the con­di­tions for cross-bor­der trans­fers of per­son­al data can often be the rea­son why data col­lab­o­ra­tions between Euro­pean and non-Euro­pean coun­tries are not tak­ing place. The health­care providers in our exam­ple might see an issue in the par­tic­i­pa­tion of a glob­al phar­ma­ceu­ti­cal com­pa­ny, based in the US.

How­ev­er, the con­cern about the legal­ly enforced pow­ers of gov­ern­ment agen­cies to access data may be addressed by a data ana­lyt­ics solu­tion using Con­fi­den­tial Com­put­ing tech­nol­o­gy. As described above, no one has access to the source data inside the secure enclave. Health­care providers or glob­al phar­ma­ceu­ti­cal com­pa­nies can’t see the sen­si­tive data shared. Nei­ther can any oth­er par­ties pas­sive­ly involved such as the solu­tion- or infra­struc­ture providers. If any gov­ern­ment agency demands access to the health­care providers’ data, none of the par­ties would be able to com­ply. They do not have access to the data in the first place. The same goes for the decryp­tion keys since the CPU is hold­ing these, with­out any out­side par­ty being able to dis­close them. 

Con­se­quent­ly, it is safe to say that Con­fi­den­tial Com­put­ing ful­fils the data pro­tec­tion require­ments out­lined in the Schrems II rul­ing. It paves the way for new joint data pro­cess­ing across the globe, now also with actors based in coun­tries that do not pro­vide ade­quate data pro­tec­tion in the eyes of the ECJ.

Con­clu­sion

With the tech­no­log­i­cal jump made in recent years, Cloud-based solu­tions can become more appeal­ing, as the lack of trust in infra­struc­ture providers dimin­ish­es sig­nif­i­cant­ly. Data ana­lyt­ics solu­tions pow­ered by a Cloud land­scape are tak­ing on more and more promi­nence. How­ev­er, the risk of exter­nal­iz­ing the pro­cess­ing of high­ly sen­si­tive data cor­re­lates with the increased num­ber of cyber­at­tacks. More­over, leg­is­la­tors across the globe impose impor­tant com­pli­ance and reg­u­la­to­ry frame­works for data controllers. 

In this respect, Con­fi­den­tial Com­put­ing offers new pos­si­bil­i­ties, espe­cial­ly with­in the area of ​​Cloud com­put­ing. Specif­i­cal­ly, dur­ing data trans­fer to third coun­tries, this tech­nol­o­gy can ensure that out­side par­ties can’t access the data, even in a Cloud envi­ron­ment. This con­sid­ers the fun­da­men­tal require­ment of the ECJ in the Schrems II deci­sion. Fur­ther­more, based on the remote attes­ta­tion fea­ture, data con­trollers can demon­strate the com­pli­ance of per­son­al data processing. 

Fol­low­ing the hard­ware-based encryp­tion approach of this tech­nol­o­gy, it can be argued that Con­fi­den­tial Com­put­ing incor­po­rates cur­rent state-of-the-art mea­sures to ensure data secu­ri­ty and privacy. 

Thus, tak­ing Con­fi­den­tial Com­put­ing into account for future data pro­tec­tion pur­pos­es with­in any orga­ni­za­tion is worthwhile. 

[1]Michael Palmer, Data is the New Oil, Novem­ber 3, 2006 (blog-post at https://ana.blogs.com/maestros/2006/11/data_is_the_new.html, Jan­u­ary 31, 2022); 

Julia Limi­tone, Data is the new cur­ren­cy, (blog-post at https://www.foxbusiness.com/business-leaders/data-is-the-new-currency-hewlett-packard-enterprise-president-says, Jan­u­ary 24, 2019).

[2]Judgment of the Court of 6 Octo­ber 2015, C‑362/14.

[3]Commission Imple­ment­ing Deci­sion (EU) 2016/1250 of 12 July 2016 pur­suant to Direc­tive 95/46/EC of the Euro­pean Par­lia­ment and of the Coun­cil on the ade­qua­cy of the pro­tec­tion pro­vid­ed by the EU‑U.S. Pri­va­cy Shield, C/2016/4176.

[4]Judgment of the Court of 16. July 2020, C‑311/18.

[5]Clarifying Law­ful Over­seas Use of Data Act. 

[6]Use Case is relied upon the arti­cle from Matthias Eigen­mann, Enhanced Pri­va­cy for Data Ana­lyt­ics, LSR 1/2022 (blog-post at https://lsr.recht.ch/de/artikel/02lsr0122auf/enhanced-privacy-data-analytics). 

[7]Art. 32 GDPR.

[8]Art. 25 GDPR.

[9]Art. 44 GDPR.

[10]Recommendations 01/2020 on mea­sures that sup­ple­ment trans­fer tools to ensure com­pli­ance with the EU lev­el of pro­tec­tion of per­son­al data, 18 June 2021. 

[11]Matthias Eigen­mann, Enhanced Pri­va­cy for Data Ana­lyt­ics, P. 32

[12]Art. 25 GDPR.

[13]Art. 5 para. I, b GDPR.

[14]Art. 5 para. I, a GDPR.

[15]For a deep dive into these key data pro­tec­tion prin­ci­ples, see the legal overview pro­vid­ed by Matthias Eigen­mann in the arti­cle Enhanced Pri­va­cy for Data Analytics.

Facebook
Twitter
LinkedIn
WhatsApp
XING

Leave a Reply

Your email address will not be published.

Contact sales

Cookie Consent with Real Cookie Banner