Thales Blog

Why agnostic access security is critical for compliance in the post Schrems II landscape

July 28, 2021

Asaf Lerner Asaf Lerner | Director of Product Management More About This Author >

The Schrems II ruling has changed the data protection landscape and introduced new security requirements for the companies wishing to do business with the European Union (EU). In this regard, a cloud agnostic, flexible, and controlled access security solution may come in very handy for organizations.

What is the Schrems II ruling and what are its implications?

The Schrems II ruling was issued by the Court of Justice of the European Union (CJEU) in July 2020. The rule invalidated the EU-US Privacy Shield Framework, which permitted companies to freely transfer users’ personal data. The reasoning behind this decision is that the US surveillance law (FISA) does not provide adequate protections or remedies for non-US persons in the EU.

In essence, the Schrems II ruling identified gaps in GDPR related with securing personal data of EU citizens when it is processed outside the EU by other countries. With the invalidation of Privacy Shield, companies are no longer protected from liability over those data transfers and the conditions for the lawful transfer of this data have been removed.

Instead, businesses should implement data protection solutions that can adequately protect global commerce. This decision directly impacts transatlantic digital commerce that accounts for more than half of Europe’s data flows. However, the level of the impact depends on the location of the company, the industry vertical it is part of, and the strategic privacy planning that company has done for sustaining compliance with GDPR.

The fact that the major cloud service providers are not based in the European Economic Area (EEA) region, raises certain concerns regarding the access of EU personal data. The European Data Protection Board (EDPB) has identified two Unlawful Use Cases:

  • Unlawful Use Case 6: Transfer to cloud services providers or other processors which require access to data in the clear.
  • Unlawful Use Case 7: Remote access to data for business purposes.

The existence of Unlawful Use Cases 6 and 7 mean that common cloud vendor practices leave corporate officers and boards of directors open to liability risks from the potential for unlawful data access.

What are the EDPB recommendations for closing the gaps in data protection?

To address these gaps in data processing and protection, the European Data Protection Board (EDPB) has adopted recommendations on supplementary measures along with essential guarantees. These recommendations give organizations guidance on specific security measures they can use to ensure compliance with the EU level of data protection of personal data.

The EDPB recommendations allow organizations to build a trusted privacy framework for transatlantic data flows which should follow these overarching principles:

  • Discover your data wherever it is and classify it. That way you know what data you have so you can apply the appropriate security measures as outlined by GDPR.
  • Protect sensitive data in motion and wherever it is stored using robust encryption. Encrypting network traffic and data stored in the cloud and data centers ensures that no one can read the data.
  • Control access to the data by managing access credentials in the country of the origin of the data. That way, you own the keys, not the cloud provider and no government can access the data.

Why is agnostic access security the right strategy to address Schrems II?

Organizations can mitigate the risks for unlawful data access by deploying their own vendor-neutral access security solution to satisfy the EDPB requirements for lawful transfer of EU pseudonymized data.

Trust in the security of the digital services that consumers use every day is the cornerstone of our digital economy. From online shopping and payments to mobile banking and social media, without the privacy of personal data, trust in the digital economy breaks down. The EDPB recommendations demonstrate how the use of a cloud agnostic access security solution can help build a future we can all trust.

Opting for a cloud agnostic access security solution benefits organizations in many ways, including:

  • Be independent for the cloud service provider and avoid inheriting threats and vulnerabilities.
  • Control your own regulatory compliance regime.
  • Control your own cloud security posture.
  • Eliminate the dangers of vendor lock-in.

A cloud neutral access security solution empowers businesses to adopt solutions that provide the required flexibility to operate under various jurisdictions. Segregating duties from the cloud service provider and opting for access security solutions that meet specific business use cases and compliance requirements is the best practice for mitigating unlawful process of personal data.

With data sovereignty being an important factor to data privacy, being in control of your data protection and managing centrally and effectively your access security policies enables you to maintain compliance with GDPR and adhere to the EDPB recommendations for adopting Schrems II ruling.

If you want to learn more about how a cloud neutral access security solution, like Thales SafeNet Trusted Access, can help you navigate safely through the data security and privacy regulatory framework, I recommend you read the white paper 'Securing Access to Data in a Post Schrems II Era'.

For further reading about Shared Responsibility, please see my other articles, ‘Cloud Providers Native Access Security - What You Should Know Before You Trust It’ and ‘The 4 tangible benefits of deploying a Cloud Neutral Access Security Solution’

For further reading on Schrems II and for compliance tips, I recommend ‘Forrester and Accenture on Schrems II and the Security of International Data Flows’.