A Strategy for Data Privacy Compliance With Cloud Identities
Just when you thought it was safe to go back into the water, along comes Schrems II. Data privacy is a tough gig. Of course, it’s undeniable that each of us has a fundamental right to the adequate protection of our personal data to prevent it from misuse or from falling into the wrong hands. And we want to know that the same level of protection is afforded when our personal data is transferred internationally.
Meanwhile, the health of nearly all businesses – and the delivery of cloud-based services – rely upon constant information exchange. In this boundaryless world that we live in, that’s a significant challenge – especially while delivering enterprise-grade security. The general public is quickly catching up with the way tech giants handle our personal data, and it’s activists like Max Schrems who have taken this battle to the courts.
The recent Schrems court decision invalidates the EU-US Privacy Shield. But what does this mean for your organization? And even more importantly, how do you stay compliant with this complex EU regulation?
Setting the Stage
It’s probably worth a quick recap on how we got here. In 2000 came the Safe Harbor Agreement, a set of principles governing the exchange of data between the United States of America, the European Union (EU), and Switzerland. It was ruled invalid by the Court of Justice of the European Union (CJEU) on 6 October 2015 (in what we call Schrems I), and that ruling led to the creation of the EU-US Privacy Shield.
The General Data Protection Regulation (GDPR) followed on 25 May 2018, offering the toughest privacy and security law in the world for any organisation targeting or collecting data from people residing in the EU.
What is the Schrems II Decision?
Shortly after GDPR came into effect, an Austrian activist, Max Schrems, filed suit in Ireland under GDPR against Google and Facebook for coercing users into accepting their data protection policies. Complaints against Amazon, Apple, Spotify, Netflix, and YouTube followed in January 2019. The Irish High Court referred the case, informally known as Schrems II, to the CJEU with questions about the validity of the standard contractual clauses (SCCs) employed by Google and Facebook.
In July 2019, the court ruled that the EU-US Privacy Shield did not provide adequate protection and invalidated that agreement. This was largely due to the National Security Agency’s (NSA) surveillance of personal data, which was brought to the world’s attention by Edward Snowden. While working for the NSA he leaked a mass of information, including details of a top-secret program named PRISM under which communication data was collected from various US Internet companies’ servers.
That’s the history. So, where do we go from here?
Working Across Borders
Of course, GDPR persists, and with it the requirement to ensure that personal data transferred outside of the EU is afforded a level of protection “essentially equivalent” to that within it. This particularly concerns laws on national security and on public authorities’ access to personal data.
SCCs for data controllers and processors remain valid but do not, in themselves, guarantee adequate protection. A data importer must inform the data exporter of any inability to comply with its obligations under the SCCs. If compliance isn’t possible, then data can’t be transferred.
A further consideration is that of actionable rights and judicial redress for data subjects. Do they have the same rights in the country to which their personal data has been exported?
If your organisation uses the public cloud services of SaaS vendors, you need to know where any personal data you share with them is stored. If those vendors include an identity and access management (IAM) or identity governance and administration (IGA) provider, then employee, customer, and/or third-party data is likely to be involved.
Managing Your Options
So, what are your options? Embark on a journey of due diligence and assessment for all data processors and sub-processors, following the European Data Protection Board’s (EDPB) six-step process and guidance? If you do, be aware that the process is likely to prove extremely burdensome and does not allow for any risk-based judgement, meaning that all data is treated equally.
Don’t transfer the data? This option is likely to be infeasible if you want to continue using the services of your US-headquartered IAM/IGA vendor.
Don’t transfer your data outside of the EU? At first glance, this option seems the most attractive, but finding a cloud-based IAM/IGA vendor with servers located entirely within the EU was, until recently, very challenging. If you then extend the infosec requirements to cover local-only (EU) data visibility and platform support, the search becomes even more difficult. And if you really want to apply the Schrems II guidance to your organisation, you may also want to demand BYOK (Bring Your Own Key) management, so that nobody outside your organisation can decrypt any data held within the service.
How Are Vendors Responding?
Saviynt recognised early on the challenges Schrems II poses to organisations. With a strong desire to provide customers with responsive, local service, Saviynt is setting up a cloud-based environment located entirely within the EU from which to deliver its Enterprise Identity Cloud service to customers.
So, what does the future hold? It’s a pretty safe bet that tech companies will continue to come under increasing pressure to enforce measures that assure even greater levels of protection and due diligence when handling personal data. So now is the time to weigh up your options and determine your path to Schrems II compliance – just remember that doing nothing is not one of them.