Nearly two years on, the fallout from the Schrems II decision continues to cause organizations difficulties with international data transfers, especially when transferring data to the US. This is partly because the US legal framework allows government surveillance agencies to access personal information upon request, and as a result there has been widespread debate about the effectiveness of additional measures for protecting personal data.
This issue was recently put under the spotlight again when the Austrian Data Protection Authority (DSB) issued a decision in a case brought against an analytics service provider. The DSB found the operator of an EU website to have violated Article 44 of the General Data Protection Regulation (GDPR) by transferring personal data through the analytics service provider to the US without providing a level of protection that is essentially equivalent to that guaranteed in the EEA. In the case, it was noted that the analytics service provider had relied on Article 46 standard contractual clauses (SCCs) and technical measures that included encryption at rest to protect the personal data. The DSB found that the latter cannot be effective because the US-based analytics provider has the ability to revert encrypted data to plain text and is obliged to provide access to US surveillance agencies on request, thus nullifying any legal protection that encryption provides.
While discussions are ongoing regarding a new transfer agreement between the EU and the US, organizations need to ensure that the protections they are currently applying to personal data are adequate. This is where Bring Your Own Key (BYOK) could be the solution for many EU organizations transferring personal data to the US. But what is BYOK? And how can it help businesses transfer personal data from the EU to the US given the complexity of the post-Schrems data transfer landscape?
BYOK is a method that organizations can employ to manage their encryption keys when hosting data with cloud service providers. BYOK gives organizations greater control over access to encrypted data by making the creation and storage of encryption keys separate from the cloud host. As a result, the organization has its own key to ‘unlock’ the encrypted data stored in the cloud.
Keeping access to encryption keys separate from encrypted data can be beneficial in several circumstances, for example in the event of a security incident. BYOK quashes scenarios where personal data falls into the wrong hands and is subsequently decrypted to reveal personally identifiable information, by removing the possibility of the hackers having the means to revert the data to plain text.
The benefits of BYOK protocols can also be seen when protecting personal data during international data transfers. The recent analytics service provider case highlighted the importance of ensuring that encrypted personal data cannot be reverted to plain text by third parties, thereby protecting it from government access in third countries.
It is worth noting that the security of the encryption keys is of paramount importance when utilizing BYOK. Not securing the encryption key appropriately would be like keeping your PIN and credit card in the same place.
BYOK could be used as a solution for many businesses transferring data internationally if control over access to the encryption key remains with the data exporter, who would not be subject to government surveillance requests from the third country. In the case that was recently ruled upon by the DSB, if the EU website operator had implemented a BYOK protocol and retained sole control of the encryption key, the US surveillance agencies would have had to meet a significantly high legal threshold to successfully request the data from the EU exporter.
The idea of keeping control over encryption keys in the jurisdiction where the data exporter is based extends beyond the recent case brought before the DSB and can be applied to several scenarios where personal information is transferred from the EU to a third country.
For example, a vendor based in a third country may be obligated to hand over access to the encrypted personal data in the event of a government agency request. However, in this example, an EU-based data exporter has no obligation to hand over the encryption key to a third-country government agency without a lawful warrant that would be subject to the review and lawfulness test under the applicable EU laws, including the GDPR. Therefore, the vendor in such a scenario has no means to decrypt the personal data. The personal data remains safely encrypted, and there is no legal way for the government agency to access personally identifiable information without also submitting a request to the EU exporter and passing the threshold for a lawful request under EU law.
As a cloud service provider, OneTrust enables its customers to bring their own keys to encrypted data stored with us. When hosting data in our cloud environments, OneTrust customers can manage their encryption keys via a secure OneTrust vault, helping to maintain control of creating, disabling, and revoking access. This can also prevent unauthorized third parties from having the ability to decrypt customer data, including the potential to limit OneTrust’s access to the data.