2020 was not only the year of the COVID-19 pandemic. It also brought significant changes in the area of data privacy and data sovereignty. On 16 July 2020, the Court of Justice of the European Union (CJEU) delivered its judgment in the Schrems II case (C-311/18). The judgment has profound consequences for any organization within the EU, and for any organization outside the EU that handles the personal data of people in the EU.
Schrems II goes back to a complaint by Max Schrems, an Austrian privacy activist, against Facebook Ireland. Schrems argued that Facebook Ireland could not ensure an adequate level of protection for European users' personal data once that data was sent to Facebook in the US, because US law on national security and surveillance does not offer the privacy and data protection guarantees, nor the judicial redress, that EU law requires. The CJEU agreed: it invalidated the EU-US Privacy Shield agreement on the grounds that US mass surveillance programmes are not limited to what is strictly necessary and that EU data subjects have no effective remedy before US courts. The ruling underlines how important data sovereignty is and how essential it is to protect it.
What is the ruling about?
To understand the judgment's far-reaching implications, we first need to look at the GDPR. The EU General Data Protection Regulation (GDPR) allows the transfer of personal data to third countries only if an adequate level of data protection is ensured at the destination. Organizations processing the personal data of people in the EU must meet strict standards for the security and confidentiality of that data, and appropriate safeguards must be in place regardless of where the processing organization is located. Where no adequacy finding exists, organizations need additional safeguards before they may transfer such data.
The European Commission has declared certain non-EU countries to offer data protection safeguards equivalent to those of the EU (so-called adequacy decisions). Organizations may transfer personal data to these countries without additional safeguards. For the US, this adequacy decision took the form of the EU-US Privacy Shield framework, which covered US companies that had self-certified under it.
With the CJEU's ruling, the adequacy of the protection provided by the EU-US Privacy Shield was invalidated. The Court left the Standard Contractual Clauses (SCCs) in place as a transfer tool, but only on the condition that the exporter verifies, case by case, that the law of the destination country does not undermine the protection the clauses promise. US-based companies handling the personal data of people in the EU must therefore ensure that adequate mechanisms are in place for any processing of that data.
EDPB’s recommendations for data sovereignty
On this basis, the European Data Protection Board (EDPB) adopted the final version of its Recommendations 01/2020 on supplementary measures on 18 June 2021. They outline a 6-step roadmap to help organizations ensure compliance, and data sovereignty, at the EU level of protection of personal data:
- Know your transfers
- Identify the transfer tools you are relying on
- Assess the effectiveness of your transfer tool
- Adopt supplementary measures
- Take procedural steps if you have identified effective supplementary measures
- Evaluate at appropriate intervals
These recommendations are meant to help controllers and processors that handle personal data under the GDPR to assess third countries and to identify appropriate supplementary measures where they are needed. The EDPB provides the steps to follow and a set of use cases with examples of the supplementary measures public and private institutions can adopt. Having such measures in place should ensure that EU data protection law is applied consistently across industries.
So how can organizations stay compliant?
There are a few options to transfer personal data now from the EU to the US (or to another non-EU country):
- Do not use personal data of EU citizens outside of the EU
- Encrypt all personal data transferred outside the EU
- Fall into an exception to transfer data, stipulated in Article 49 of the GDPR
Article 49 of the GDPR allows a transfer from the EU to a third country even in the absence of appropriate safeguards in a limited set of situations: the data subject has given explicit consent to the transfer after being informed of the risks; the transfer is necessary for the performance of a contract between the data subject and the controller; it is necessary for important reasons of public interest; it is necessary for the establishment, exercise or defence of legal claims; or it is necessary to protect the vital interests of the data subject or of other persons.
Such exceptions are not meant for routine transfers, so in practice the realistic option is to encrypt all personal data that leaves the EU. If the encryption keys stay in the EU, a foreign authority cannot obtain the plaintext by compelling the data importer to hand over the keys, because the importer never has them. The obvious caveat is that this only holds as long as the data is never decrypted outside the EU; if the importer needs the plaintext in order to process it, encryption of the data in transit and at rest is not enough.
In line with the requirements of Articles 25 and 32 of the GDPR, the EDPB requires that supplementary technical measures, used alone or in combination with contractual or organizational measures, be "state of the art". Encrypting the data before transfer is one of the most important technical measures the EDPB lists. For this measure to be effective, the recommendations require that the keys are retained solely under the control of the data exporter, or of another entity entrusted with them that resides in the European Economic Area (EEA) or in a country with an adequacy decision. For the case where the importer must process the data in the clear, the EDPB was unable to identify an effective technical measure at all; this is exactly the gap that confidential computing addresses.
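The following is an added example, not code from the original post or from any product it describes, showing the key-custody arrangement the EDPB asks for: a key-encryption key (KEK) that never leaves an EEA-side custodian, a fresh data-encryption key (DEK) per record, and an export package that carries only the ciphertext and the KEK-wrapped DEK. Go is used because AES-256-GCM is in its standard library. The type and function names, the record identifier and the sample record are all constructed for this illustration.

```go
// Added illustration of envelope encryption for an EU-to-third-country transfer.
// The KEK stays with the EEA-side custodian; only ciphertext and a wrapped DEK
// cross the border. All names and sample data below are made up for this example.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EEAKeyHolder models the exporter-side key custodian. Only it ever sees the KEK.
type EEAKeyHolder struct {
	kek []byte // 32 bytes: AES-256
}

// NewEEAKeyHolder generates a random 256-bit KEK inside the EEA.
func NewEEAKeyHolder() (*EEAKeyHolder, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &EEAKeyHolder{kek: kek}, nil
}

// Package is what crosses the border. Nothing in it is usable without the KEK.
type Package struct {
	RecordID   string
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK), RecordID bound as AAD
	Ciphertext []byte // nonce || AES-GCM(DEK, record), RecordID bound as AAD
}

// sealGCM encrypts plaintext under key with AES-GCM and a fresh random nonce;
// the nonce is prepended so the receiver can recover it.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM and fails on any tampering with nonce, data or AAD.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Export runs in the EEA: a fresh DEK per record, the DEK wrapped with the KEK.
func (h *EEAKeyHolder) Export(recordID string, record []byte) (*Package, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, record, []byte(recordID))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(h.kek, dek, []byte(recordID))
	if err != nil {
		return nil, err
	}
	return &Package{RecordID: recordID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// UnwrapDEK is the only operation the importer may request from the EEA side.
// It releases one DEK for one record and never the KEK itself.
func (h *EEAKeyHolder) UnwrapDEK(p *Package) ([]byte, error) {
	return openGCM(h.kek, p.WrappedDEK, []byte(p.RecordID))
}

// DecryptWithDEK runs on the importer side once a DEK has been released to it.
func DecryptWithDEK(p *Package, dek []byte) ([]byte, error) {
	return openGCM(dek, p.Ciphertext, []byte(p.RecordID))
}

func main() {
	holder, err := NewEEAKeyHolder()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; no real personal data.
	pkg, err := holder.Export("subject-42", []byte("name=Alice;dob=1990-01-01"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("exported %d bytes of ciphertext, KEK never left the EEA\n", len(pkg.Ciphertext))
}
```

Note what this does and does not achieve: the importer cannot read the record, and tampering with the ciphertext or re-labelling it with another record ID is detected by GCM's tag. But the moment the EEA side releases a DEK so the importer can process the record, that plaintext is exposed on the importer's infrastructure, which is the situation the EDPB found no effective measure for and which the next section addresses.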
Protecting the data sovereignty with Confidential Computing
Confidential Computing protects data in use by processing it inside a hardware-isolated, memory-encrypted area of the CPU, a secure enclave (or trusted execution environment). The memory encryption keys are generated by and held inside the processor; no software outside the enclave, including the operating system and the hypervisor, can read them. When the enclave is loaded, the CPU measures its code, and remote attestation lets the data owner verify that measurement before handing over any decryption keys, which ties the keys to specific, known code. Attempts by other software to read enclave memory, whether by malware or by a privileged administrator, are blocked by the CPU: the enclave's memory is only ever available in the clear inside the processor while the enclave's own code is running. Keys and personal data therefore stay protected while they are being processed, not just while stored or in transit.
With confidential computing, organizations gain strong security and privacy assurances in the cloud. The technology removes the infrastructure from the trust boundary: the cloud provider's administrators, the host operating system and hypervisor, other tenants on the same hardware, and third-party IT providers cannot read the data or the keys. The hardware vendor and the enclave code itself remain trusted, and side-channel attacks against enclaves are an active research area, so a realistic deployment still relies on attestation of the enclave, up-to-date platform firmware and careful enclave code.
Using such technical measures, private and public institutions can address the technical side of the supplementary measures the EDPB asks for after Schrems II, including the case where data must be processed in the clear outside the EU. They can process sensitive data while keeping direct control over both the data and the encryption keys, which are released only to attested enclaves; the contractual and organizational measures, and the transfer impact assessment, still have to be done alongside.