A recent study by Thomson Reuters highlighted that 69 percent of firms (70 percent in 2015) expected regulators to publish even more information in the coming year, with 26 percent expecting significantly more.[1]
One thing is certain about the impending avalanche of data privacy regulation – it will not make compliance any less expensive.
Take the European GDPR (General Data Protection Regulation), which spells out increased compliance demands for data security and privacy on Personally Identifiable Information (PII) that cover every European state.
The financial exposure, in case of non-compliance, is substantial as spelled out in article 83: “… subject to administrative fines up to 20 000 EUR, or […] up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.”
The other hidden cost is the requirement to hire 28,000 data protection officers, per the International Association of Privacy Professionals estimations.
A second certainty is that US-based cloud services providers will be most affected given the explicit requirements in regulations such as the GDPR on the sovereignty of PII, i.e., where information may be physically stored.
Our interest here is to explore technical solutions that will help streamline compliance requirements for European companies as data controllers and make it economically feasible for cloud services providers as data processors.
One piece of good news is that some data protection authorities (DPAs), like the Belgian Privacy Commission (BPC), have stated that “A notification to the data subjects is not required if the data have been sufficiently encrypted.”[2]
The term “sufficiently encrypted” also appears in GDPR writings about breach notification: providers holding sufficiently encrypted data are exempt from notification requirements in case of a breach. Encryption therefore appears to be one avenue for assuring compliance with the sovereignty and privacy requirements of regulations such as the GDPR.
So, let’s go into what “sufficiently encrypted” may mean. One obvious pre-condition is that files that can potentially contain in-scope data are encrypted in transit and at rest when stored by the processors. We will assume that strong algorithms and key sizes are employed.
The next question to ask is: “Who controls the encryption keys?” This is no trivial question to answer. In most systems control over keys is enforced by controlling the identity of the user. In this case, to be a crypto-purist, the system must provide assurance and audit trails that no entity other than the data controller may exert control over the keys. Data controllers, who are the cloud services providers’ customers, must have the mechanism to authorize each use of a key and be able to digitally “pull the plug” at any time and for any reason, without depending on the provider to perform those tasks for them. Processors can help controllers meet that requirement through technologies such as Information Rights Management (IRM) or the provision of Customer Managed Keys (CMK).
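The key-control requirement above (encryption at rest, controller-authorized key use, an audit trail, and the ability to “pull the plug”) is easiest to see in code. The following is an added example, not code from the original post or from any named provider: it models envelope encryption in which the data controller holds the key-encryption keys (KEKs) and the cloud processor holds only ciphertext and wrapped data-encryption keys (DEKs). The cipher is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, chosen only so the example runs on the Python standard library; the class names, key identifiers and the sample record are constructed for the illustration, and a production system would use a vetted AEAD such as AES-GCM and a hardware-backed key store in place of `seal`/`unseal` and the in-memory key dictionary.

```python
import hashlib
import hmac
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific subkey (encryption vs. authentication) from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for a vetted AEAD such as AES-GCM)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; wrong key or tampering raises ValueError."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class DataController:
    """The customer. KEKs live here, inside the controller's jurisdiction, and are never released."""

    def __init__(self) -> None:
        self._keks: dict[str, bytes] = {}
        self._revoked: set[str] = set()
        self.audit_log: list[tuple] = []   # every key operation, granted or denied, is recorded

    def create_kek(self, key_id: str) -> None:
        self._keks[key_id] = os.urandom(32)
        self.audit_log.append(("create", key_id))

    def wrap_dek(self, key_id: str, dek: bytes) -> bytes:
        self._authorize(key_id, "wrap")
        return seal(self._keks[key_id], dek)

    def unwrap_dek(self, key_id: str, wrapped: bytes) -> bytes:
        self._authorize(key_id, "unwrap")
        return unseal(self._keks[key_id], wrapped)

    def revoke(self, key_id: str) -> None:
        """'Pull the plug': from now on no DEK under this KEK can be unwrapped by anyone."""
        self._revoked.add(key_id)
        self.audit_log.append(("revoke", key_id))

    def _authorize(self, key_id: str, op: str) -> None:
        if key_id not in self._keks or key_id in self._revoked:
            self.audit_log.append(("denied", op, key_id))
            raise PermissionError(f"key {key_id!r} unavailable for {op}")
        self.audit_log.append((op, key_id))


class CloudProcessor:
    """The provider. Stores only ciphertext plus wrapped DEKs; every decrypt needs the controller."""

    def __init__(self) -> None:
        self.store: dict[str, tuple[str, bytes, bytes]] = {}

    def put(self, name: str, plaintext: bytes, controller: DataController, key_id: str) -> None:
        dek = os.urandom(32)                       # fresh per-object data key
        wrapped = controller.wrap_dek(key_id, dek)  # only the controller can later unwrap it
        self.store[name] = (key_id, wrapped, seal(dek, plaintext))
        # dek is dropped on return; the processor keeps no plaintext key material

    def get(self, name: str, controller: DataController) -> bytes:
        key_id, wrapped, blob = self.store[name]
        dek = controller.unwrap_dek(key_id, wrapped)  # raises PermissionError once revoked
        return unseal(dek, blob)


if __name__ == "__main__":
    ctrl, proc = DataController(), CloudProcessor()
    ctrl.create_kek("eu-kek-1")                       # constructed key id
    proc.put("record", b"PII: constructed sample", ctrl, "eu-kek-1")
    print(proc.get("record", ctrl))
    ctrl.revoke("eu-kek-1")
    try:
        proc.get("record", ctrl)
    except PermissionError as exc:
        print("after revoke:", exc)
    print(ctrl.audit_log)
```

What the model shows is the separation the post asks for: the processor can serve and replicate the ciphertext wherever it likes, but neither it nor an attacker who copies its storage can read a record without a round trip to the controller, and that round trip is both logged and revocable. The same pattern is what commercial CMK offerings expose, with the controller's key held in a KMS or HSM rather than a Python dictionary.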
The above path is optimistic, since it assumes that regulators will agree that sovereignty of encrypted data lies within the sovereignty of the encryption key, sometimes known as “logical control” of location. In other words, as long as control of the key stays within the appropriate jurisdiction, it does not matter where the encrypted content is physically stored. But what if even encrypted content is deemed to be in scope?
This, clearly, will force providers to establish a presence in specific geographical locations, or “physical control” of the location. Simple replication of the full stack of services may prove prohibitively costly, so, as a customer, I would look for providers that are able to separate storage and processing from metadata. If the European “piece” of the system acts like a mount point for the main services and only the components that participate in data processing are ported over, the cost of maintaining such a system is substantially lower, which makes compliance affordable and competitive.
Any new privacy regulation, while it may achieve the goal of securing data, certainly comes with a cost. Cryptography as a technical control to achieve compliance is very appealing. Hopefully, regulators will reach consensus on this subject. Until then, for data controllers, choosing trusted providers with a long and proven track record of securing sensitive content, and who can offer options for supporting these regulatory requirements, is clearly going to be the safer and more cost-effective choice.
- [1] “Fintech, Regtech, and the role of compliance: A regulatory opportunity or challenge?” Thomson Reuters. N.p., n.d. Web. 14 Feb. 2017.
- [2] “Belgian Privacy Commission clarifies data breach notification requirement.” Stibbe. N.p., n.d. Web. 15 Feb. 2017.