Schrems 2, Brexit and the US Cloud Act: their impact on data transfers and the solution to maintain data liquidity
In the “Schrems II” ruling passed in July 2020, the EU Court of Justice invalidated the “Privacy Shield” self-certification mechanism that allowed the transfer of data from the European Union to the United States.
The cancellation of the privacy shield will, therefore, impact all companies that transfer personal data from EU countries to the US. That includes thousands of companies that have their headquarters or subsidiaries in the US, as well as the GAFAM and all major US cloud providers.
However, the transfer may still take place if the personal data exporter can prove that the company has the appropriate safeguards in place. These protections are usually documented using Standard Contractual Data Protection clauses and other organizational measures. Nevertheless, if the law of the third country allows the local government access to the data that they deem disproportionate, EU regulatory authorities can still suspend or forbid the data transfer.
Regarding Brexit, the Commission launched the process towards the adoption of adequacy decisions for transfers of EU personal data to the United Kingdom, meaning that the UK will not be obliged to take specific measures to allow the transfer.
The US Cloud Act of 2018 grants US courts the right to issue a warrant demanding that companies subject to US law hand over data they store for customers, even when that data is stored in the EU. It is therefore increasingly difficult, and increasingly expensive, for companies to operate and comply with US data regulations while keeping a high level of data liquidity (data usability combined with data protection).
Furthermore, any data transfer outside the EU can be prohibited unless the destination country is considered to have an adequate level of data protection. Keeping in mind that simple access to a database is considered a data transfer, it is complex to cope with third-party application developers located in countries like India, China, etc.
A solution to the above-mentioned problems is for companies to protect the data before ever transferring it to the US or any non-compliant country.
With RegData Protection Suite (RPS) software, companies can apply over 100 REGDATA (Swiss-European) proprietary protection techniques of Anonymization, Tokenization, Encryption or Pseudonymization. The appropriate protection techniques can be chosen according to the business context to maintain performance and data usability in line with the data controller’s role matrix while safely and lawfully transferring data.
RPS is a highly configurable tool that allows companies to:
As remote working continues and the adoption of cloud apps and services increases, cloud-based attacks rose by 630% between January and April 2020. The recent data breach that originated from a misconfigured Amazon Web Services (AWS) S3 bucket used for storing the data of hotel booking companies like Expedia and Booking.com is a blatant example of a high-impact attack, exposing 10 million individuals to risks including identity theft, scams, credit card fraud, blackmail, and more.
Considering the above, and that the average cost of a data breach as of 2019 is $3.92M, cloud threat protection is becoming strategic for companies’ digital transformation. Many are choosing to adopt a security strategy in which they decide not to trust their cloud providers or SaaS editors with their confidential data (Zero Trust Strategy). Zero trust focuses on protecting cloud services such as packaged SaaS applications and/or internal applications developed and tested in the cloud.
To help companies apply a Zero Trust Strategy while consuming cloud services in complete confidence, REGDATA proposes Regdata Protection Suite (RPS), a software that allows them to protect their confidential data before it enters the cloud and to obtain auditable, automatic, and real-time evidence that all confidential data is continuously being protected. These security and compliance data regulatory reports are aimed at internal/external auditors and regulators.
With RPS, they keep control of their confidential data while consuming cloud functionalities. By owning and controlling their RPS instance, they possess and operate their Swiss-European protection solution rather than trusting the public cloud to be secure or relying on a data protection solution managed by the cloud provider. This makes it impossible for the cloud service provider or any attacker to ever access confidential data in clear, hence minimizing business, legal and reputational risks in the event of a third-party data breach within the public cloud that stores their data.
A New Opportunity for the REGDATA solution
REGDATA is proud to announce its nomination for a C4DT sponsorship program. This is a great opportunity and is greatly rewarding for our partners, board and teams as this nomination provides an academic validation for our proposition. We wish to thank the Advisory committee for confirming our candidature as one of the start-ups selected.
The Center for Digital Trust (C4DT) is housed at the EPFL. They want to build a strong technical, legal and ethical framework that delivers strong guarantees, is universal, and reduces the cost of achieving trust in the digital world. They bring together partners, laboratories, civil society, and policy actors to collaborate, share insight, and to gain early access to trust-building technologies, building on state-of-the-art research at EPFL and beyond.
This partnership has been greatly anticipated and we are eager to continue this journey with such a committed partner. This collaboration will enable us to have constructive, innovative, and academic exchanges with like-minded individuals. The exchange of theoretical techniques and concepts can lead to fantastic cross-industry applications which can themselves be the catalyst for change, adaptation, and innovation. We hope to be able to provide as much inspiration as we are sure to receive from this dynamic method of integrating digitalization into our society. REGDATA will be able to provide a real-world application view to academic discussions held during workshops or sessions held with other nominees, students, and corporate sponsors.
Our goal, through this commitment, is to provide a vetted Swiss/European solution to corporations that are eager to apply a Zero Trust Paradigm strategy for their cloud security journey. We are certain that this partnership will be positive, and we look forward to meeting the other stakeholders to continue building trust in the Swiss/European digital world together.