Enterprises face a digital dilemma: They want to leverage the productivity and security benefits of leading global cloud platforms but are concerned that, in so doing, they will face conflicting and shifting legal obligations and perhaps put the privacy of their customers at risk. For example, European companies are concerned that they could be compelled to hand over customer data to the U.S. government—because (a) the leading cloud providers are U.S.-based and subject to various laws requiring cooperation with the U.S. national and homeland security apparatus, and (b) there is currently no multilateral privacy framework.
Fortunately, as this post highlights, there is good news: With end-to-end encryption and properly implemented key management, companies do not have to trade privacy and the manifold benefits of the cloud. Importantly, in November 2020, the European Data Protection Board (EDPB)—the body that oversees the national privacy regulators in each of the EU member states—adopted guidance that clarifies that end-to-end encryption is an effective measure to enable both cloud adoption and compliance with EU data sovereignty requirements, which are often viewed as the global privacy gold standard.
With end-to-end encryption, enterprises can:
Virtru was founded to deliver on the full promise of end-to-end encryption to accelerate productivity, collaboration, and, ultimately, trust. Virtru was created to enable a future where fundamental rights are enforced at the data level, and protection travels everywhere the information goes.
Virtru has adopted an approach to data security that prioritizes privacy and controlled, granular access, as defined by the data owner (or, within an EU legal context, the “data subject”). With Virtru, encrypted data can be mobile across domains while the key that unlocks them remains within the sole control and jurisdiction of the data owner, enabling compliant, cross-border data flows, the economic and innovation benefits of which are well documented.
In the absence of a global privacy framework, governments are taking very different legal and policy approaches to data. For example, the European Union has adopted strong privacy protections for its European citizens. The U.S. has adopted far-reaching law enforcement legislation, with leadership on privacy issues residing at the state level (e.g., the California Privacy Rights Act, CPRA). In particular, the U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act (2018) has codified that when data is hosted by U.S.-based cloud providers, even if their servers are located outside the U.S., they can still be compelled to hand over all data to the U.S. government.
Privacy has become a polarizing issue for these Western allies. For example, a key judicial decision by the European Courts (“Schrems II”) has highlighted potential risks to European residents’ privacy rights when transferring personal data from the EU to the U.S. As a result of the decision, the EU-U.S. Privacy Shield Framework, adopted by many commercial entities seeking to compete across borders, was invalidated, leaving businesses scrambling to navigate an increasingly complicated and heterogeneous global policy ecosystem.
The bottom line is this: the system of national and regional law will continue to evolve, and companies need flexible tools for navigating this changing landscape. Technology that simply and flexibly puts enterprises at the center of control can be and must be a central part of the solution.
To understand the escalating tensions between the U.S. and EU on privacy policy, it’s important to understand the U.S. CLOUD Act and the concerns it raises. Signed into law in March 2018, the U.S. CLOUD Act requires cloud providers to comply with search warrant requirements under U.S. rules and jurisdiction, regardless of whether a communication record or other information is physically located within or outside of the U.S. For example, data stored on a Google server in Belgium would still be subject to this law. A warrant or subpoena request under the U.S. CLOUD Act gives the U.S. government the ability to compel a recipient to hand over data regardless of where such data is stored, whether in the U.S. or anywhere else in the world.
These concerns are fast-growing and many find the requirements of the U.S. CLOUD Act unacceptable. This is particularly true among companies outside the U.S. The majority of affected companies, regardless of country, rely on the ability to keep intellectual property (IP), confidential information, and other secrets completely private and secure. These organizations need to keep these secrets private and protect themselves against access requirements such as those codified in laws like the U.S. CLOUD Act.
While the U.S. is home to the vast majority of enterprise cloud providers such as Amazon, Microsoft, and Google, it is uncertain how the U.S. tech industry will balance competing geopolitical demands in the absence of a formally adopted multilateral policy agreement to replace the Privacy Shield.
On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield agreement, previously adopted as a mechanism to lawfully transfer personal data from the EU to the U.S., due to perceptions about the powers of invasive U.S. surveillance programs. This ruling by the CJEU is more commonly known as Schrems II. As a note, “Schrems I” was decided on October 16, 2015, in a Facebook Ireland case about data transfers under Safe Harbor, the predecessor of the EU-U.S. Privacy Shield Framework, which was invalidated as a result of the Schrems I ruling. Fair or unfair, the reality is that the 2013 Edward Snowden revelations continue to cast a long shadow over U.S. surveillance practices.
The Schrems II case addressed the validity of both the Privacy Shield and standard contractual clauses (SCCs). The decision of the CJEU is complex and far-reaching; in a nutshell, the Schrems II decision places additional obligations on companies concerning making lawful transfers of personal data from the EU to the U.S.
Transfers of personal data based on Privacy Shield are now unlawful; however, on a case-by-case basis and with additional stringent controls observed, SCCs remain a valid, legal mechanism for data transfers. Data controllers or processors (for our purposes, cloud providers) that intend to transfer data based on SCCs must ensure that the data subject is granted a level of protection equivalent to that guaranteed by GDPR.
The GDPR’s primary aim is to give individuals, and companies with respect to their employee and customer data, control over their data, affording transparency regarding how data is being used, over what timeframe, and for what purpose. U.S. companies must now deploy a transfer mechanism that demonstrates protection for EU residents’ personal data to a standard equivalent to the rights provided under GDPR when personal data is transferred outside of the jurisdiction of the EU.
Given the market dominance of U.S. cloud and software solution providers (i.e., organizations that fall under the scope of the U.S. CLOUD Act), most companies competing in the EU who leverage cloud technologies and collect consumer data (i.e., organizations that fall under the scope of the Schrems II decision) must face the issue of U.S. vs. EU dogma head-on as they operate. Some may avoid or slow down their adoption of cloud-based technologies, potentially losing out on access and speed to market. Others may choose to only do business with EU or non-U.S. cloud providers, in alignment with the worrisome trend of isolationism and walled gardens that have sprung up around the globe.
Fortunately, another option exists for those businesses, one that enables full participation in the global economy, maintains the benefits of the public cloud, and provides complete control over data access.
Companies competing in the EU can pair these stringent security controls offered through the Virtru technology with SCCs, ensuring compliance with European law post-Schrems II while offering a managed path to authorized access for U.S. government agencies. With Virtru data protection, the European company, not the cloud provider, sets and enforces corporate policy at the data object level, ensuring that data cannot be accessed by any government or other entity seeking access before receiving the data subject’s authorization.
Schrems II is a great example of how technology can be architected to deal with conflicting legal constraints and dilemmas. Importantly, as law changes or company policy changes, as is inevitable, Virtru is flexible and can be adapted to changes in national and international regulation of data. Virtru is cloud and provider agnostic; is crypto agile, including AES-256 encryption; and mandates that keys be managed separately from data, ensuring that no entity can access the data without obtaining consent from the data subject, who retains the ability to grant access.
Specifically, the solution asserts the following:
With such a technology solution, data sovereignty can be achieved. Companies can use their preferred cloud solution provider and ensure that the provider is not able to access their data without obtaining consent from the data subject. Data creators must be asked for access to their data and will be able to decide whether to share based on their jurisdictions. This empowers our customers to make their own judgments about how their data can be accessed and used, fostering trust and often leading to increased collaboration.
Following the Schrems II decision, in November 2020 the European Data Protection Board (EDPB), the body that oversees the national privacy regulators in each EU member country, adopted guidance that details accepted supplementary measures that provide additional safeguards to mitigate the risks that arise when transferring personal data outside the EU.
The EDPB considers encryption to be an effective supplementary measure if:
The rationale of the rule is that if personal data remains properly encrypted with a strong encryption algorithm, only the data exporter (the business in the EU) has the encryption key to decrypt the data and re-identify the individuals to whom the data belongs. In this scenario, the data exporter is the final controller of the data, while the data importer (the cloud provider) does not have the decryption keys to access the data. Because of this, the EDPB’s guidance is that using end-to-end encryption contributes to the security of processing operations and is a key enabler for EU companies to comply with Schrems II requirements.
In an ever-shifting policy landscape fraught with declining trust, geopolitical strife, and a worldwide pattern of isolationism worsened by the novel coronavirus pandemic, Virtru remains focused on what matters: ensuring data sovereignty, empowering end customers with unique controls of their data, and fostering trusted collaboration across borders. Virtru’s end-to-end encryption, coupled with a distinct infrastructure for key management, offers data subjects the power to control their keys and access their information, constituting a level of advanced protection.