Five months ago the European Court of Justice ruled that Privacy Shield did not comply with its citizens’ privacy rights. Known as the Schrems II decision, it created serious problems for organizations that transfer data from the European Union into the United States. With the nullification of Privacy Shield, and before that, Safe Harbor, companies were no longer protected from liability over those data transfers without putting in place a complicated series of Standard Contractual Clauses (SCCs).
Finally, in November the European Data Protection Board (EDPB) adopted recommendations on the supplementary measures following the Schrems II ruling. They give organizations guidance on specific security measures they can use to ensure that personal data transferred abroad receives the EU level of data protection. Two important points stand out in the recommendations:
- Technical measures, specifically encryption or pseudonymization, are necessary to prevent access to personal data by public authorities. The EDPB also says that other supplementary measures (contractual and organizational) can be useful complementary measures, but on their own they cannot achieve GDPR compliance.
- Encryption is an effective measure for certain data transfer scenarios, where data is encrypted prior to being transferred to the data importer and the data importer does not require access to the data in the clear. Special emphasis is given to the way encryption keys are managed: they need to be in the sole control of the data exporter within the European Economic Area.
Lack of Transatlantic Trust on Data Privacy
Ultimately, the security of data flows between the U.S. and EU comes down to a lack of trust due to different data privacy regimes on both sides of the pond. Since the laying of the first transatlantic submarine cables, the free flow of data between the U.S. and Europe has been a cornerstone of transatlantic commerce. Today, transatlantic data flows account for more than half of Europe’s data flows and about half of U.S. data flows globally.
A Trusted Security Framework for Moving Forward
The new recommendations from the EDPB allow organizations to build a trusted privacy framework for transatlantic data flows which should follow these overarching principles:
- Discover your data wherever it is and classify it. That way you know what data you have so you can apply the appropriate security measures as outlined by GDPR.
- Protect sensitive data in motion and wherever it is stored using robust encryption. Encrypting network traffic and data stored in the cloud and in data centers ensures that no one without the keys can read the data.
- Control access to the data by creating, storing and managing the encryption keys in the country of origin of the data. That way you, not the cloud provider, own the keys, and no government can access the data without them.
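The pattern behind the second EDPB point and the principles above, as an added Go example that is not Thales product code or EDPB text: the data exporter encrypts each record under a fresh data-encryption key (DEK) and wraps that DEK under a key-encryption key (KEK) that never leaves the exporter. The importer receives only ciphertext and the wrapped DEK, so it can store and return the data but cannot read it. The in-memory KEK and the AES-GCM envelope construction are this example's assumptions, standing in for an EEA-resident HSM or KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Exporter holds the key-encryption key (KEK) on the EEA side (an HSM/KMS in production);
// Package is all that crosses the border: ciphertext plus the wrapped data-encryption key.
type Exporter struct{ kek []byte }
type Package struct{ WrappedDEK, Ciphertext []byte }
func must[T any](v T, err error) T { // fixed key sizes and an OS CSPRNG: an error here is a bug
	if err != nil {
		panic(err)
	}
	return v
}
func randomBytes(n int) []byte { // keys and nonces come from crypto/rand
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
// seal is AES-256-GCM with a fresh nonce prepended; open reverses it, failing on any mismatch.
func seal(key, pt []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, pt, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("truncated ciphertext")
}

// Export encrypts one record under a fresh DEK and wraps that DEK under the KEK; Recover
// reverses it, so a party holding the Package but not the KEK fails at the first step.
func (e *Exporter) Export(record []byte) Package {
	dek := randomBytes(32)
	return Package{WrappedDEK: seal(e.kek, dek), Ciphertext: seal(dek, record)}
}
func (e *Exporter) Recover(p Package) ([]byte, error) {
	dek, err := open(e.kek, p.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, p.Ciphertext)
}
```

Construct the exporter with `&Exporter{kek: randomBytes(32)}`; in a real deployment the KEK would be generated and held inside the EEA key manager, with only wrap and unwrap operations exposed to the application.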
Trust in the security of the digital services that consumers use every day is the cornerstone of our digital economy. From online shopping and payments to mobile banking and social media, without the privacy of personal data, trust in the digital economy breaks down. This recent news from the EDPB demonstrates how the use of encryption and strong key management can help build a future we can all trust.
Taking a unified approach to data protection like that provided by Thales can help organizations ensure compliance with the EU level of data protection of personal data. Thales provides unified data discovery, data classification, data protection, and user and application access controls. Thales can help organizations deploy BYOE and tokenization policies to protect sensitive data at rest in both EU (data exporter) and non-EU countries (data processors). This results in fewer resources dedicated to data security operations, ubiquitous compliance controls, and significantly reduced risk across your business.
If you would like to discuss how Thales can help your organization implement the EDPB’s recommendations, please contact us.