How encryption can make companies compliant with the upcoming EU Data Protection Directive
In January 2012, the European Commission proposed a comprehensive reform of data protection rules in the EU.
The recent invalidation of the Safe Harbor agreement — which allowed U.S. companies to “transport” personal data of European Union citizens — created uncertainty for companies relying on those rules. Although negotiations over a new agreement are still ongoing, it’s clear that the European Union will continue to seek protection for the citizens of its member countries from undue surveillance by the U.S. government.
Any company that does business in the cloud can be potentially affected. Cloud service providers are especially concerned, as they store huge amounts of data in the United States on behalf of their EU clients. One step companies can take now is to encrypt their data before sending it across the Atlantic. Proper encryption is the single best way of securing data and ensuring that even if it falls into the wrong hands, the data is secure.
Safe Harbor and Why It Failed
The Safe Harbor law, which had been in place since 2000, allowed more than 4,000 U.S. companies to operate in the European Union. Unlike the United States, the European Union has had a comprehensive privacy directive since 1995 that restricts how private information can be used and shared. The Safe Harbor agreement, between the United States and the European Union, was a way for licensed U.S. companies to transfer digital data of EU nationals across the Atlantic as well as store it at U.S. datacenters — as long as they self-certified that they upheld the safety and privacy of that data to the stringent EU requirements.
Leaked National Security Agency documents by former contractor Edward Snowden led to revelations that the U.S. government conducted mass surveillance through a program called PRISM that affected not just U.S. citizens but also foreign nationals. Through PRISM, the NSA gained access to private communications directly from several major online providers.
A complaint against Facebook by Austrian law student Max Schrems eventually made its way to the European Court of Justice. Schrems contended that the social network — one of the nine companies that were said to be part of PRISM — didn’t do enough to protect its user data. The ECJ said that “a significant number of certified companies” didn’t comply with Safe Harbor either fully or partially — and rendered the agreement invalid.
Protection Provided by Encryption
Encryption dates back to the ancient Greeks, who used ciphers to encode their messages. In modern practice, it is used for safeguarding data from unauthorized access.
At the basic level, encryption modifies the data into a secret code. The encrypted file cannot be read unless you have the key — so even if data falls into the hands of hackers, for example, it’s useless to them because they can’t access the content.
It’s not enough to encrypt data only in transit, either, as many cloud providers already do. For the data to be fully protected, it must be encrypted while it’s at rest — being stored away in the datacenter. Encrypting data at rest is a best practice that also helps companies in certain industries, like healthcare, comply with regulations. For example, in the event of a breach, often times companies that use encrypted data don’t have to send out a mandatory breach notice to its users, because the data itself was not actually compromised.
There’s a wrong and a right way to use encryption. When the cloud-service provider rather than the company encrypts the data, the provider’s administrator has access to the key. That means the provider can view the data as well as turn it over to authorities — without notifying the company — when compelled by law. On the other hand, using your own encryption keys ensures no one else can use them without your permission. Unfortunately, only a sliver of cloud providers — around 1 percent — currently allow for tenant-managed keys.
Safe Harbor, which affected as much as half of the digital data globally, impacted not just tech giants like Google and Facebook, but also businesses from all sorts of verticals, from financial institutions and retailers to healthcare providers. A new version of the agreement has been in negotiations for quite some time, but the ECJ ruling has put pressure to have Safe Harbor 2.0 in place as early as this coming January.
Although the new framework has already drawn criticism, there’s little doubt that Safe Harbor 2.0 will attempt to achieve what its predecessor has been trying to accomplish for 15 years — and the European Union will likely seek to tighten its requirements even more. But regardless of how the chips fall, the bottom line for companies is that they need to protect their customers’ data from falling in the wrong hands — whether that’s the government or cybercriminals.
The number of cybersecurity breaches has been steadily on the rise, and Ponemon/IBM research study estimates that nearly half of all data-breach incidents globally are the result of malicious actors. The constant cat-and-mouse game against hackers has led many security experts to adopt a mindset of assuming a breach is likely to happen — which means the focus needs to be on what happens in the event of that breach. Theoretically, encryption, when done correctly, is the best defense in the event of an attack — effectively accomplishing the same purpose as Safe Harbor.