On July 16, 2020, Europe’s top court, the European Court of Justice (ECJ), struck down the “Privacy Shield”, the “trans-Atlantic agreement that allows scores of companies to move data between the European Union and the United States”*. This means that companies are now obliged to make their data processing and data flows to Non-EU countries, such as the USA, legally compliant virtually overnight, or risk violation of the EU’s General Data Protection Regulation (GDPR).
This “Schrems II” decision injects new ambiguities and risks for legal processing of personal data in most countries outside the EU. Every company must now ensure for itself that an appropriate level of data protection – according to the ECJ ruling – is maintained wherever the data is processed. The ruling causes uncertainty for businesses that rely on moving digital information seamlessly around the world, and affects big tech companies like Facebook and Google, as well as thousands of other multinational businesses. (*E.U. Court Strikes Down Trans-Atlantic Data Transfer Pact, by Adam Satariano, The New York Times, July 16, 2020)
The transatlantic Privacy Shield Agreement between the European Union and the USA no longer provides adequate protection for the processing of personal data, the ECJ judges ruled (ECJ, Schrems II - C-311/18). According to the judges, this is because the U.S. government can access personal data under U.S. law without the EU citizens concerned having sufficient legal protection under the standard of the EU Charter of Fundamental Rights.
Many companies suddenly find themselves confronted with the problem that some of their data processing operations are now no longer legally permissible if they were previously based on the Privacy Shield. Unfortunately, the decision brings further uncertainties and risks for future legal data processing in most non-EU countries.
Regulatory authorities have already spoken out and made it clear that there is no transition period for the Privacy Shield. Severe fines are looming. In the event of violations of the GDPR principles, the European companies will probably be held primarily liable – while non-EU service providers may be forced into either losing business or setting up more expensive business operations within the EU.
Many companies are not prepared
At the moment it is unclear what legally compliant data traffic could look like in the future. Some companies have taken precautions and have already dealt with the implications, while others are now just beginning to address how to make their data flows legally compliant. But there are also some companies that have not made any provision for the case that has now occurred. State data protection authorities, such as the Bavarian DPA, have announced they will soon audit international data processing and sub-processing.
Every company must assess for itself whether the required level of data protection is observed in the country where the data are processed. An important element for the companies concerned is the review of their records of data processing and their technical and organizational measures (“TOMs”). However, this is only the start to identify risks under the latest ECJ jurisdiction, and does not solve the dual challenges of maintaining compliance and business processes at the same time.
Amended Standard Contractual Clauses or “SCC Plus” as a lifeline?
The supposed glimmer of hope presented by individual amendments to the EU Standard Contract Clauses (“SCC”) is under discussion and legal examination. According to the ECJ, these Amendments would have to meet the EU data protection standard. At the same time, the court also made clear that such amendments would be useless when there are no legal means against intelligence agencies that Non-EU data processors could invoke for the EU clients. The non-EU data processor is left between a legal “rock and a hard place” – contractually trying to meet the EU standard (which also allows certain surveillance activities) with their EU clients, while knowing that even the best contract would be useless if it cannot be enforced locally.
More and more sensitive data
To make matters worse, the volume of sensitive information is constantly growing: it is expected that by 2025 sensitive data will account for up to 80 percent of global data volumes. To gain insight from the use of data in this growing flood of information without exposing the company to unnecessary legal risks, it is necessary to identify sensitive data and map data flows as sensitive regulated data must be discovered, classified, and then secured accordingly. Only by proactively identifying and protecting this information will both internal and external users be able to effectively share and use information across multiple platforms, as well as geographic and organizational boundaries, while meeting security and privacy requirements.
What other means are available to reduce the business risks presented by the Schrems II decision?
Companies must protect their personal data as well as other high value data (e.g. trade secrets, intellectual property, etc.) regardless of the location of the data processor. The key word is encryption. In Schrems II, the ECJ addressed “other means” than legal contracts to provide for the security of data in non-EU countries. The German Data Protection Authority of Baden Württemberg recently clarified that they regard hard encryption as such permissible means in light of the Schrems II verdict.
So what would encryption look like in order to address the new challenges that have arisen? How is it possible to maintain one’s data business and operations while encrypting this data?
To enable privacy compliance and operational success, what’s required is a way to protect data selectively at the data field level, with flexibility to deliver either pseudonymization or anonymization, while preserving characteristics that enable the utility and usability of the data in its protected form. A pre-requisite is to identify the data that is sensitive, high value, and subject to regulation, map the flows, apply policy, and protect sensitive data as close as possible to the source. It is also important that only the data controller has the keys to decrypt and encrypt all data.
The Micro Focus Voltage portfolio offers proven solutions with innovative tools such as Voltage Format-Preserving Encryption (FPE). With over 80 patents and many years of experience, Voltage is a leader in data security solutions. With advanced format-preserving data encryption, hashing, tokenization, and stateless key management, Voltage enables persistent protection of data at rest, in motion, and in use in applications, analytics, data processing, and data sharing across hybrid IT. Voltage simplifies the protection of data in even the most complex use cases.
Protect sensitive structured data
The protection technologies in Voltage SecureData provide flexible implementation and encryption for a virtually unlimited number of structured data types in any language, and any region, with proven performance and scalability. Voltage FPE is a cryptographic standard that provides the pseudonymization necessary to enable compliance with data privacy regulations at data field and sub-field levels, while simultaneously enabling organizations to run business processes and analytics on protected data sets.
In specific use cases, such as an enforcement of the GDPR’s right to be forgotten, or in the creation of test data, the ability to recover data may present an unnecessary risk or be explicitly undesired. Voltage Format-Preserving Hash (FPH) offers full data anonymization but with the same benefits as FPE regarding structure, logic, partial field application, and usability for some analytics use cases, such as population or click-stream analytics. FPH employs a non-disruptive and more flexible one-way transformation that enables high-performance data usability, unlike traditional one-way transformation techniques such as SHA-256.
Protecting data in the cloud
In a public or hybrid cloud, the data is outside the classic sphere of influence by the data owner – data protection therefore plays a decisive role in the cloud. To what extent is it still possible to use cloud platforms of non-EU companies without legal and strategic disadvantages? To what extent can I trust my cloud provider? And how well is my data actually protected in the cloud?
Under the shared responsibility model, cloud providers will ensure that the hardware and software services they offer are secure, but the customer is responsible for the security of its own data assets. Through ensuring that data is simultaneously protected and useable by cloud applications and services in its protected form, Voltage SecureData for Cloud not only eliminates the risk of data breaches introduced through missing or misconfigured security controls but also enables the adoption of a continuous data protection model in multi-cloud environments through removing the need for in-cloud decryption.
By applying data-centric security, Voltage SecureData Cloud and SecureData Sentry protect the data itself and address the main security challenges in the cloud. They mitigate the risk of cloud adoption across the spectrum of cloud services that enterprises operate, providing consistent data security for hybrid IT, and enabling data privacy compliance in cloud-based analytics, applications, and business processes.
You don't know which data you should protect and how to protect it now that the Privacy Shield has been struck down? Want to learn more about what encryption looks like that can support your business needs?
Then contact our experts at Micro Focus. We will be happy to help you.
Free webinar on September 3
What are the immediate and long-term consequences of the ECJ ruling? What do the data protection authorities demand and what data should you protect and how? How can encryption help to meet the legal requirements? What must encryption look like to meet your business requirements? (Note: this webcast will be delivered in German. Please watch for announcement of our upcoming webcast in English.)
Andreas Bahr, Presales Manager Security, Risk & Governance at Micro Focus, Bernd Suchomski, Attorney-at-Law (Germany) and Certified Data Protection officer; Senior Legal Counsel at Micro Focus and Tobias Fuertjes, Presales Consultant Data Privacy at Micro Focus, will answer these and many more questions in the free webinar "After the Privacy Shield: The Art of Data Protection” on September 3, 2020 at 10 a.m. CET. Take advantage of this opportunity and get valuable information from our experts.
According to the Privacy Shield: The Art of Privacy
September 3, 2020, 10 am CET
Register now for the live webinar, or to get the on-demand link after September 1
About the Authors:
Carole Murphy, Senior Product Marketing Manager for Voltage Data Security, Micro Focus
Bernd Suchomski, Attorney-at-Law (Germany) and Certified Data Protection officer; Senior Legal Counsel at Micro Focus
Disclaimer: This article does not constitute legal advice or should be the sole basis for a purchase decision. The article has been carefully researched, but does not replace legal advice or an individual analysis of customer-specific circumstances.