Schrems II Renders Hold Your Own Key (HYOK) More Imperative for GDPR Compliance

Schrems II & GDPR – Leverage encryption to enforce Geo-Fencing and Data Sovereignty

Companies hosting PII On EU citizens on servers physically located in the US or accessible from the US or any other geographic location outside of the EU need to take note.

Originally there was the Safe Harbor program that provided air cover for companies transferring PII of EU citizens (to the US at least).  However, the EU High Court invalidated it in Oct 2013 (Schrems I).

This was replaced with Privacy Shield which the same EU court on 16 July 2020 ruled also does not adequately protect EU citizen PII (Schrems II).  Named after Max Schrems, an Austrian lawyer that filed both cases with the Irish Data Protection Commission and eventually the EU High Court.

The decision left intact the Standard Contractual Clauses (SCCs) that many companies rely on as the legal basis for transferring personal data from the EU to the U.S.  These typically outline roles and responsibilities and a commitment from the service provider to comply with all GDPR Articles.  However, the court also stated SCC’s are no longer a guarantee of compliance with GDPR.

Companies that collect, store and process EU Citizen (Data Subject) PII remain responsible for ensuring EU Citizens maintain the same data protections under GDPR regardless of where their data is stored or processed, regardless of any SCC or other contractual agreements on GDPR compliance.

This now exposes many companies to non-compliance risk and financial penalties under GDPR that they had previously worked hard to avoid and assumed were adequately mitigated until now.  Refer to SecuPi’s Data Sheet on Privacy Violation Impact on Risk Management (2020-10-01) for details on the frequency and financial impact of data breaches involving PII, not to mention loss of other valuable Intellectual Property (IP).

These Data Subject rights include Restriction of Processing, Right to be Forgotten (RTBF), Conditions of Consent, Lawfulness of Processing, Right to Data Portability, Notification and Communication of a Data Breach and many others.  Any company or organization that shares or transfers PII they collect, store and process must remain in full compliance with GDPR regardless of hosting location.

            Data location is everything

Schrems II again raises an issue with the definition of location when referring to PII stored in digital form.  Privacy regulations including GDPR generally assume or imply the physical location of data when referring to geographic location.  Paper documents containing PII on EU Citizens must be kept in a location within the EU where GDPR regulations can be enforced.  They naturally imply that same intent to data in electronic form.  Unfortunately, the regulations are simply not keeping up with technology and this disparity is where companies can be in violation with GDPR while assuming they were fully compliant.

The physical location of data or quantum magnetic fields representing binary zeros or ones on the surface coating of a spinning aluminum disk, or the polarity of transistor outputs in a solid-state memory chip that represent each character of PII – become increasingly less important.

The Logical location of data is what actually matters.  Where the data “appears” to be logically, where it can be accessed from, where it is protected and unprotected (including encrypted, tokenized, obfuscated, anonymized, static and dynamically masked) all become much more important than the physical location of the binary zeros and ones of computers, network packets and storage media when it comes to complying with the actual intent and purpose of most data privacy regulations like GDPR.

Logical location is ultimately the only one that really matters

Physical location is only valid when where the data is stored, and where it is viewed, accessed or processed are the same.  This is the case with printed paper or hard copies of regulated data.

Under GDPR, a paper document containing PII or EU citizens locked in a filing cabinet in a building in Germany that can only be accessed by someone also physically in the EU, at that location, authorized to enter that building, enter that room, with the key to open that locked file cabinet, remove, read or copy the printed document is exclusively about the physical location and in full compliance with GDPR.

On the other hand, the exact same data stored in the exact same location but in electronic form on a computer server connected to a local network that is connected to the Internet and also only accessed by the same person within the EU is a completely different matter.  The logical location is all that ultimately matters in this scenario.  Consider each of the following factors:

• Physical location of the server and electronic media storing the PII.
• Government regulatory jurisdiction and authority for the location storing the data.
• Geo-location of the System Admins with privileged access to the computer system.
• Nationality of the System Admins with privileged access to the computer system.
• Geo-location of End-Users and Applications authorized to access, view or process the PII.
• Network connectivity between where the data is stored and where it is consumed.
• Is the data encrypted at rest?
• Is the data encrypted in transit?
• Is the data anonymized at rest or in use?
• Who manages the keys used to protect the data?
• Where are the keys used to decrypt the data stored?
• Who has access to the keys used to unprotect the data?
• Who approves or authorizes access to the data and/or the keys?

Almost any single factor, or combination of the above, can result in the logical location meaning everything and the physical location meaning nothing.  A simple example – most Internet traffic between eastern Europe EU countries and Germany or France for example will pass through a NOC in the Eastern US because this will provide the most bandwidth and fewest network hops between a German data center and an office building in Poland of Hungary.  Data can literally pass through a half dozen countries just traveling from client to server only kilometers apart in a 2-tiered architecture.

What is required for compliance with data privacy regulations like GDPR is fine-grained Purpose of Attribute Based Access Control (PBAC/ABAC) to ALL PII with full Accountability and Audit Trail regardless of where the data is physically stored or consumed.  Physical location of the PII and the data consumer are just one Data attribute and one User attribute respectively that must be considered in controlling access to any regulated data.

Other data protection methods must also be leveraged to reinforce this access control and accountability.  These include anonymization, obfuscation, encryption, tokenization, static and dynamic masking which when used appropriately enhance control and privacy compliance.

Any comprehensive solution needs to be centrally managed and incorporate a wide range of access control and data protection methods to independently, transparently, consistently and uniformly apply and enforce data privacy rules.  These include but are not limited to Restriction of Use, Least-Privilege, RTBF, Geo-Fencing, Consent & Preference Management and more.  The solution must be data layer and application platform agnostic and cannot require massive development efforts, code changes or modifications to core platforms without the risk of never being fully implemented or compliant.

The solution must support complex over-lapping hierarchies & matrixed access control requirements while being flexible and nimble enough to keep pace with constantly growing and changing data privacy compliance requirements.

Another critical component whenever data is hosted remotely or by a Cloud Service provider is support for Hold Your Own Key (HYOK).  When encryption or tokenization are used to provide customer or patient record anonymization, or an added layer of data protection for the most sensitive or identifiable PII fields, HYOK ensures that the keys remain On-Prem and only encrypted/anonymized records are hosted in the Cloud.  Records can only be re-identified back On-Prem by authorized Users.

SecuPi is exactly this type of solution – fully configurable for satisfying multiple different interpretations of each applicable data privacy regulation, corporate risk tolerance, level of sensitivity of the regulated data and the geographic distribution of the data, users and business processes.  SecuPi was the original inventor of Dynamic Data Masking over 10 years ago and has full support for HYOK encryption or tokenization along with advanced User Behavior Analytics, Anomaly Detection, Alerting and Blocking.

All this combines to deliver an easy to implement enterprise wide solution providing a single pane of glass control and compliance platform.  Implementations that are measured in weeks, not months or years because no changes are required to existing data repositories or applications.

Your business may be global but regulations are local

The Jury is still out on the final legal interpretation of physical versus logical data location.  This will likely be decided in the court room through case precedent and ultimately end up in a future modification or clarification of various data privacy regulations as privacy laws struggle to keep pace with technology.  Companies cannot currently rely on SCC’s to protect them by transferring responsibility for privacy compliance to a business partner or Cloud Hosting provider.  Cloud Hosting providers are also quick to point this out and abdicate responsibility for data privacy compliance.

SecuPi enables full compliance with current data privacy regulations (GDPR, CCPA, HIPAA, PCI-DSS, SOX, POPI, PDPB, etc.) and their intent ensuring that a solution implemented today will remain valid and in compliance in the future with minimal maintenance.