Looking for enclaive's confidential multi-cloud solution. Click here.


Pro­tect­ing data sov­er­eign­ty post-Schrems II

2020 was not just a year shaped by the COVID-19 pan­dem­ic. There have been some incred­i­ble changes in the area of data pri­va­cy and data sov­er­eign­ty. In July 2020, the Court of Jus­tice of the Euro­pean Union (CJEU) ruled on the case of Schrems II. The judge­ment has pro­found con­se­quences for any orga­ni­za­tion with­in the EU or one deal­ing with EU data in non-EU countries. 

Schrems II is the work of Max Schrems, an Aus­tri­an activist with a focus on data pri­va­cy. He went against Face­book Ire­land. The com­pa­ny said it could not ensure data pri­va­cy for Euro­pean users with respect to their per­son­al data sent to Face­book in the US. This was due to the dif­fer­ent nature of the US legal sys­tem’s rules on nation­al secu­ri­ty, pri­va­cy and data pro­tec­tion. As a result, the CJEU ruled that the Pri­va­cy Shield agree­ment between the EU and US was no longer valid due to the con­tin­ued use of mass sur­veil­lance tech­niques in the US. The rul­ing empha­sizes how impor­tant data sov­er­eign­ty is and how essen­tial its pro­tec­tion is.

What is the rul­ing about?

To bet­ter under­stand the judgment’s far-reach­ing impli­ca­tions, we need to first look at GDPR. The EU Gen­er­al Data Pro­tec­tion Reg­u­la­tion (GDPR) states that the trans­fer of per­son­al data to third coun­tries is only allowed if an ade­quate lev­el of data pro­tec­tion is ensured. This reg­u­la­tion requires orga­ni­za­tions pro­cess­ing the data of Euro­pean cit­i­zens to com­ply with strict stan­dards to main­tain the secu­ri­ty and pri­va­cy of con­fi­den­tial infor­ma­tion. Appro­pri­ate safe­guards need to be pro­vid­ed, regard­less of the loca­tion of the orga­ni­za­tion involved. If this does not apply, orga­ni­za­tions need to have addi­tion­al secu­ri­ty mech­a­nisms in place, in order to freely trans­fer data of EU citizens. 

The Euro­pean Com­mis­sion has declared cer­tain non-EU coun­tries to have equiv­a­lent data pro­tec­tion safe­guards to the EU itself. As a result, orga­ni­za­tions in these nations can freely trans­fer the data of EU cit­i­zens with­out the need for addi­tion­al secu­ri­ty mech­a­nisms. This so-called Pri­va­cy Shield Agree­ment includ­ed also the US.

How­ev­er, as a result of the rul­ing by the CJEU, inval­i­dat­ing the ade­qua­cy of the pro­tec­tion pro­vid­ed by the EU-US Data Pro­tec­tion Shield, US-based com­pa­nies deal­ing with the per­son­al data of EU cit­i­zens have to ensure in future, that ade­quate mech­a­nisms are in place when pro­cess­ing data.

EDPB’s rec­om­men­da­tions for data sovereignty

On this basis, the Euro­pean Data Pro­tec­tion Board (EDPB) adopt­ed its final ver­sion of its rec­om­men­da­tions on sup­ple­men­tary mea­sures on June 18th, 2021. They out­line a 6‑step roadmap to assist com­pa­nies to ensure com­pli­ance and data sov­er­eign­ty with the EU lev­el of pro­tec­tion of per­son­al data: 

  • Know your transfers 
  • Iden­ti­fy the trans­fer tools you are rely­ing on 
  • Assess the effec­tive­ness of your trans­fer tool 
  • Adopt sup­ple­men­tary measures 
  • Take pro­ce­dur­al steps if you have iden­ti­fied effec­tive sup­ple­men­tary measures 
  • Eval­u­ate at appro­pri­ate intervals 

These rec­om­men­da­tions should help con­trollers or proces­sors, process per­son­al data as stip­u­lat­ed under the GDPR, assess third coun­tries and iden­ti­fy appro­pri­ate sup­ple­men­tary mea­sures where need­ed. The EDPB pro­vides a series of steps to fol­low and exam­ples of the sup­ple­men­tary mea­sures pub­lic and pri­vate insti­tu­tions could enhance. Hav­ing such mea­sures in place would ensure con­sis­ten­cy in the appli­ca­tion of EU data pro­tec­tion law across industries.

So how can orga­ni­za­tions stay compliant?

There are a few options to trans­fer per­son­al data now from the EU to the US (or to anoth­er non-EU country):

  • Do not use per­son­al data of EU cit­i­zens out­side of the EU
  • Encrypt all per­son­al data trans­ferred out­side the EU
  • Fall into an excep­tion to trans­fer data, stip­u­lat­ed in Arti­cle 49 of the GDPR

Arti­cle 49 of the GDPR states that data trans­fer from the EU to third coun­tries can take place even in the absence of appro­pri­ate safe­guards if there is the explic­it con­sent of the data sub­ject, nec­es­sary for the per­for­mance of a con­tract between the data sub­ject and the con­troller, nec­es­sary for impor­tant rea­sons of pub­lic inter­est, nec­es­sary for legal claims, nec­es­sary to pro­tect vital inter­ests of the data sub­ject or of oth­er persons.

As such excep­tions are not the norm, the real option remains to encrypt all per­son­al data that leaves the EU. Con­se­quent­ly, no gov­ern­ment or oth­er orga­ni­za­tions can tap into sur­veilling, demand­ing encryp­tion keys. 

Sim­i­lar to the require­ments in arti­cle 25 and arti­cle 32 of the GDPR, EDPB requires that the sup­ple­men­tary tech­ni­cal mea­sures used alone or in com­bi­na­tion with con­trac­tu­al or orga­ni­za­tion­al mea­sures shall be “state of the art”. Encrypt­ing the data before trans­fer­ring it is con­sid­ered one of the most impor­tant tech­ni­cal mea­sures. Here, EDPB also states that the encryp­tion keys must be main­tained with­in the Euro­pean Eco­nom­ic Area (EEA).

Pro­tect­ing the data sov­er­eign­ty with Con­fi­den­tial Computing 

Con­fi­den­tial Com­put­ing pro­tects data in use by encrypt­ing the infor­ma­tion in a secure enclave. Embed­ded encryp­tion keys with­in the CPU secure the enclave, that are only acces­si­ble to the CPU. The cryp­to­graph­ic key is stored in the CPU, ensur­ing the integri­ty of the code that is pro­cess­ing the per­son­al data. It keeps infor­ma­tion away not only from cloud or infra­struc­ture providers but also from exter­nal threat par­ties. Thus, if mal­ware or unau­tho­rized code tries to access the encryp­tion keys the CPU denies access and can­cels the com­pu­ta­tion. In this way, sen­si­tive data remain pro­tect­ed with­in these enclaves. 


With con­fi­den­tial com­put­ing, orga­ni­za­tions have now strong secu­ri­ty and pri­va­cy assur­ances in the cloud. The tech­nol­o­gy pro­vides strong tech­ni­cal pro­tec­tion against any attacks from the out­side. It also pre­vents poten­tial insid­er attacks from oth­er ten­ants such as the cloud provider or 3rd par­ty IT soft­ware providers. 

Using such tech­ni­cal mea­sures, pri­vate and pub­lic insti­tu­tions will be able to meet all require­ments of GDPR and Schrems II. They can stay com­pli­ant while pro­cess­ing sen­si­tive data and also keep direct con­trol over both data and encryp­tion keys. 

Contact us

Cookie Consent with Real Cookie Banner