Data Sovereignty and Privacy Compliance Post Schrems II

The past year has had an unprecedented impact on business technology strategies as organizations scrambled to adapt to operating in the COVID-19 pandemic. However, there have also been some seismic shifts in the realm of data privacy and security. In July 2020, the Court of Justice of the European Union (CJEU) gave its judgment on Schrems II, a case with profound consequences for any organization in or dealing with EU data in the United States (US). In normal times this would have dominated the headlines, but instead it’s been overshadowed by the extraordinary disruption of COVID-19.

So, what is Schrems II, and what does it mean for businesses going forward?

The New Data Transfer Landscape for Europe and the US

To understand the judgment’s impact, we need to look at GDPR. This regulation requires organizations processing the data of European citizens to comply with strict standards to maintain the security and privacy of confidential information. Moreover, these rules apply internationally regardless of the location of the organization involved.

The European Commission has declared certain non-EU countries, including Japan, Israel, Switzerland and New Zealand, to have equivalent data protection safeguards to the EU itself. As a result, organizations in these nations can freely transfer the data of EU citizens without the need for additional security mechanisms. The Privacy Shield Agreement granted this same status to the US.

However, with the agreement now declared invalid by the CJEU, US-based businesses dealing with the data of EU citizens potentially face much stricter measures.

It should be noted that at the time of writing, the EU is still deciding whether the UK itself holds equivalent status, so UK-EU operations may also face new measures.

How Can Organizations Remain Compliant?

Organizations receiving the data of EU citizens must be able to prove in court that they’ve taken sufficient measures to protect it from being accessed by authorities using mass surveillance. Various measures are recommended, including data minimization procedures, transparency policies around governmental requests, and the applications of international security standards such as the ISO series.

The EDPB also recommends technical measures such as pseudonymization, where data is stored and processed in a way that cannot be used to identify an individual. Encryption is one of the most important technical solutions, although it must meet several factors to be deemed sufficient. Data must be protected with strong encryption prior to transmission, and the encryption must be strong enough to withstand attempted cryptanalysis by public authorities.

Perhaps most importantly, the cryptographic keys used in the encryption process must be maintained in the European Economic Area (EEA). The data exporter — the one ultimately responsible for the data in the event of a privacy or security breach — must be in sole control of the keys.

The Role of the Cloud and External Key Management

This ties into the concept of data sovereignty, where data is subject to the country’s laws where it is first collected. If data is encrypted when it leaves the country and not decrypted again until arrival, a form of virtual data sovereignty is assured.

Compliance can be further strengthened with the use of confidential computing. This new technology protects data from being compromised at runtime by using a completely isolated trusted execution environment known as a “secure enclave.” Thus, even if the infrastructure is compromised, the data will remain safe.

While uncertainty remains for organizations storing and processing EU data overseas, implementing the processes and technology in accordance with the EDBP’s guidance will give firms the best chance of operating normally. Furthermore, applying strong encryption to all data before it leaves the EU, backed with an effective BYOKMS strategy, will ensure that enterprises meet crucial requirements to keep both data and encryption keys under their direct control.

Originally published at

Fortanix™ has created the world’s first runtime encryption solution. Enterprises get provable, portable, and preventive security for their applications!