Privacy laws and access by US authorities
As a Swiss company, what do I have to consider regarding personal data protection if I rely on cloud applications from US companies? Which solution protects me?
Cloud computing and personal data protection - how do they fit together?
More and more companies embrace a cloud strategy and software-as-a-service offerings from established U.S. providers. This is convenient because it allows a wider range of software to be used with little technical expertise. Widely used services such as Microsoft's Office 365, Salesforce's CRM, or surveys with SurveyMonkey are applications run by U.S. companies. Software is increasingly purchased as a service, but infrastructure and platform services from Amazon AWS, Microsoft Azure, or Google are also experiencing high growth rates. The advantage is obvious: predictable costs, guaranteed maintenance, and easy access.
The disadvantage: when (sensitive) personal data is processed and stored with US companies, it is subject to US law and thus also to the CLOUD Act (Clarifying Lawful Overseas Use of Data Act). This law, in force since 2018, regulates access by US authorities to stored data, even when the data is not stored in the USA.
Is the legal coverage of existing privacy shields insufficient?
The informal agreement of 2016 between the EU and the US, known as the EU-US Privacy Shield, consists of a series of assurances by the US government to adhere to data protection as it is understood in Europe and Switzerland.
However, on July 16, 2020, the European Court of Justice (ECJ) invalidated the Privacy Shield in its «Schrems II» decision. As a result, the US-EU Privacy Shield is not a sufficient legal basis for a data transfer to the USA.
The Federal Data Protection and Information Commissioner (FDPIC) came to the same conclusion regarding the US-Swiss Privacy Shield in its opinion of September 8, 2020. It deleted the reference to «adequate protection under certain conditions» for the US from its list of states. Swiss companies can therefore no longer base their data transfers to the US on the US-Swiss Privacy Shield.
Alternatively, the European Standard Contractual Clauses (SCC) or binding corporate data protection rules (so-called Binding Corporate Rules, BCR) are options. However, the ECJ also has doubts that the standard contractual clauses (SCC) can justify the transfer of personal data to the USA.
Neither the Privacy Shields nor the SCCs are mechanisms that can prevent access by the US authorities.
How can data be protected in the cloud to comply with local legal requirements?
By encrypting the data and keeping the keys safe, a legally compliant and secure technical solution can protect all data in the cloud from access, including access by the US authorities. So-called data-centric security is the generic term for various methods that protect the data itself instead of protecting it through the surrounding infrastructure.
Depending on the form and use of the data, different encryption methods are used:
Encrypt, anonymize, pseudonymize, or tokenize attributes in applications and databases
Transparent end-to-end encryption of documents, emails, and attachments
The central element in data-centric security is the protection of the encryption key. The key is generated automatically during encryption and is what guarantees secure access to the encrypted data. It is recommended to store the key in a hardware security module (HSM). HSMs are purpose-built to execute cryptographic operations and applications efficiently and offer the highest possible protection for the keys they hold.
The in-house encryption solution offers the best protection.
There are three ways to generate a key and store it securely; the third, the «hold your own key» solution, is the most secure. It follows the principle of separation of powers: encryption and key are never in the hands of the same provider.
Use the provider's key: The key is created at the cloud service provider (e.g., Microsoft Azure) and managed by the provider. Assessment: somewhat insecure.
Bring your own key (BYOK): Keys are created in the customer's own environment and uploaded to the cloud service provider's environment. Conditions: a) the keys can only be used by the customer's own tenant ID; b) exporting the key from the cloud service provider's HSM is not possible. Assessment: secure.
Hold your own key (HYOK): The customer's own HSM creates and manages the keys. Assessment: the most secure of all variants.
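The separation-of-powers principle behind HYOK, shown as an added example rather than Prewen's own code: a customer-side key custodian standing in for the HSM holds the key-encryption key and only wraps and unwraps per-record data keys, while the cloud side stores ciphertext and wrapped keys only. The names Custodian, CloudRecord, Protect and Reveal are assumptions made for this illustration; a real HSM would perform the wrap and unwrap inside its own boundary.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// rnd draws n bytes from crypto/rand; mustGCM builds AES-256-GCM for a 32-byte key.
func rnd(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a malformed key length
	}
	a, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return a
}
// seal prepends a fresh random nonce; open splits it off and verifies the GCM tag.
func seal(key, pt []byte) []byte {
	a := mustGCM(key)
	nonce := rnd(a.NonceSize())
	return a.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	a := mustGCM(key)
	if len(ct) < a.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return a.Open(nil, ct[:a.NonceSize()], ct[a.NonceSize():], nil)
}
// Custodian stands in for the customer's own HSM (HYOK, assumed name): the KEK is generated inside and never exported; callers only get Wrap/Unwrap of per-record data keys (DEKs).
type Custodian struct{ kek []byte }
func NewCustodian() *Custodian                       { return &Custodian{kek: rnd(32)} }
func (c *Custodian) Wrap(dek []byte) []byte          { return seal(c.kek, dek) }
func (c *Custodian) Unwrap(w []byte) ([]byte, error) { return open(c.kek, w) }
// CloudRecord is all the provider stores: ciphertext plus the wrapped DEK. Neither part yields plaintext without the custodian's KEK, which never left the customer's premises.
type CloudRecord struct{ WrappedDEK, Ciphertext []byte }
// Protect encrypts one attribute under a fresh DEK; Reveal is the only way back to plaintext and fails for any party, the provider included, that lacks the custodian's KEK.
func Protect(c *Custodian, attr []byte) CloudRecord {
	dek := rnd(32)
	return CloudRecord{WrappedDEK: c.Wrap(dek), Ciphertext: seal(dek, attr)}
}
func Reveal(c *Custodian, r CloudRecord) ([]byte, error) {
	dek, err := c.Unwrap(r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext)
}
```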
Encryption-as-a-Service: for SMBs that do not have their own IT security department.
More and more companies are focusing on their core competencies. Operating the IT infrastructure and being responsible for data security is rarely one of them. Managed HSM providers like Prewen offer alternatives for companies that want to know their security requirements are in good hands.
The encryption-as-a-service solution spectrum includes:
Solutions to protect data in cloud applications.
Transparent document encryption for any type of file.
End-to-end encryption of emails and attachments of any size.
Learn more about data-centric security or Prewen's data security offer.