European recommendations following Schrems II Privacy Shield ruling cast doubt on cloud encryption practices
Bring-your-own-key may no longer be enough for EU data protection body
The European Data Protection Board (EDPB) has issued guidance that calls into question recommendations to cloud services providers in responding to the Schrems II ruling, which struck down the Privacy Shield arrangement for moving data from the EU to the US.
The EDPB, which is responsible for European data protection law, said [PDF] encryption could safeguard against contravening the ruling, but only when keys remain within the EU or trusted third countries.
In July, the EU Court of Justice ruled that the now-dead Privacy Shield arrangement – itself a replacement of Safe Harbor – does not allow EU citizens to challenge a breach of the arrangement by a company in the US handling EU personal data.
The Schrems II ruling resulted from a case brought by privacy activist Max Schrems, complaining that Ireland's data protection agency did not prevent Facebook Ireland Ltd (as EU representative of the Zuckerberg empire) from sending his data to the US.
The ruling triggered a fresh wave of legal confusion over the transfer of EU subjects' data to countries outside its jurisdiction – particularly the US. Trusted third countries with "adequate" data protection rules allowing the transfer of data include Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay. Whether the UK will be on the list will be determined by ongoing Brexit negotiations.
Following the Schrems II ruling, AWS issued guidance saying its "customers and partners can continue to use AWS to transfer their content from Europe to the US and other countries, in compliance with EU data protection laws" as it was covered by standard contractual clauses (SCCs).
The SCCs might need to include "supplementary measures" where laws in a third country create risks to data protection. These supplementary measures can be contractual, technical or organisational, or a combination of the three.
Among measures to mitigate risk, AWS pointed to "a number of advanced encryption and key management services that customers and partners can use to protect their content".
Key management services include "bring-your-own-key" encryption, which allows organisations to manage their own encryption key services for data in the AWS cloud.
However, in its recommendations the EDPB said that encryption would only be an adequate measure if "the keys are retained solely under the control of the data exporter, or other entities entrusted with this task which reside in the European Economic Area" or a third country with an adequate level of protection.
Speaking on a UKCloud webinar this week, Owen Sayers, enterprise architect and data protection, privacy and security specialist, said encrypting the data and storing it as a blob in a country outside the EU and trusted jurisdictions, retaining the keys, then bringing the data back down and decrypting was "perfectly OK" so long as there was sufficient encryption.
The problem with BYOK encryption arises if the data exporter uses a cloud provider in a third country where it can be obliged by the authorities to hand over data. If the exporter uses that cloud service and puts the encryption keys into the cloud, or makes them available to the cloud provider to decrypt data and process data inside the cloud then that data could be intercepted, copied, or manipulated. That’s insufficient to meet the needs of the EDPB recommendations.
"When it comes to accessing data from a third country or doing anything with the live data in a clear text format, they're very clear that encryption has very little benefit. An awful lot of solutions that the industry has put forwards [involving] bring-your-own-key encryption... the reality is that has never really been a good thing to do, and the EDPB are now saying that they don't believe that that would be adequate," said Sayers.
As such, BYOK encryption on its own would not satisfy the requirement for a supplementary measure in SCCs to help comply with the Schrems II ruling.
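As an added illustration (not code from the article, AWS or the EDPB), the toy Python model below contrasts the two arrangements Sayers describes: the exporter keeps the key in the EEA and the third-country provider holds only a ciphertext blob, versus BYOK where the key is also imported into the provider's KMS so the data can be processed in clear and therefore handed over in clear. The HMAC-based cipher is a stdlib-only stand-in for AES-GCM, and the provider class and its compelled-disclosure method are constructed assumptions.

```python
import hashlib, hmac, secrets

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a keystream: a stdlib stand-in for AES-CTR."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _tag(key, nonce, ct):
    return hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def encrypt(key, plaintext):
    """Encrypt-then-MAC; output is nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _tag(key, nonce, ct)

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        raise ValueError("authentication failed: blob altered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class ThirdCountryCloud:
    """Toy provider outside the EEA (assumed): whatever it holds can be compelled by local law."""
    def __init__(self):
        self.blobs, self.imported_keys = {}, {}
    def store(self, name, blob):
        self.blobs[name] = blob
    def import_key(self, name, key):  # BYOK: key handed to the provider's KMS
        self.imported_keys[name] = key
    def compelled_disclosure(self, name):
        key = self.imported_keys.get(name)
        return decrypt(key, self.blobs[name]) if key else self.blobs[name]

def retained_key_flow(cloud, record):
    """Key generated and held by the exporter in the EEA; only ciphertext leaves."""
    key = secrets.token_bytes(32)
    cloud.store("rec", encrypt(key, record))
    return decrypt(key, cloud.blobs["rec"]), cloud.compelled_disclosure("rec")

def byok_flow(cloud, record):
    """Same encryption, but the key is imported so the provider can process in clear."""
    key = secrets.token_bytes(32)
    cloud.store("rec", encrypt(key, record))
    cloud.import_key("rec", key)
    return cloud.compelled_disclosure("rec")
```

In the retained-key flow a compelled disclosure yields only the opaque blob, while in the BYOK flow the same disclosure yields the record in clear, which is the distinction the EDPB guidance turns on.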
The issue may not be unique to AWS. GCP and Microsoft Azure have both issued guidance saying their services are safe to use in accordance with the ruling due to overlapping SCCs, although neither mentioned encryption as a supplementary measure. Both do offer forms of BYOK encryption.
An AWS spokesperson told The Reg: "Because the Court of Justice of the European Union (CJEU) has validated the use of Standard Contractual Clauses (SCCs) as a mechanism for transferring data outside the European Union, our customers can continue to rely on the SCCs included in the AWS Data Processing Addendum for any data transfer outside of the European Union.
"To address the European Data Protection Board's recent recommendation regarding the CJEU ruling, in addition to the supplemental measures we implement, customers can choose to encrypt their data, at rest or in motion, using AWS tools or a number of supported 3rd party security solutions, while maintaining full control of the encryption keys." ®