Lawful Cloud: How Tech Controls Help
The recent EDPB Coordinated Enforcement Action[1] (“EDPB Enforcement Action”) highlights common mistakes and misconceptions that make international cloud processing
The EDPB Enforcement Action, which provides guidance on the requirements for the lawful international use of cloud-based services,[3] highlights the following common mistakes and misconceptions:
- Stakeholders often mistakenly rely entirely on the security measures provided by the Cloud Service Provider (“CSP”), resulting in violation of their obligations under GDPR Articles 28, 35, and otherwise.[4]
- The location of servers in the EEA does not resolve the issue of unlawful international data transfer nor prevent unauthorized government access to personal data stored in the EEA.[5]
- Promises by global CSPs to notify regarding, and to resist, foreign government requests for disclosure of personal data subject to compliance with third-country laws do not resolve the issue of unlawful international data transfer nor prevent unauthorized government access to personal data stored in the EEA.[6]
- The EDPB Enforcement Action repeatedly cites the obligation to implement supplementary measures, including technical controls, to ensure the lawful use of CSP services[7] and highlights EDPB Recommendations 1/2020 for measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.[8]
This peer-reviewed law journal article describes the requirements and benefits of “Statutory Pseudonymization” as initially defined under the GDPR and subsequently adopted by other countries' privacy statutes[9] and five (5) U.S. state privacy laws.[10] The article explains that Statutory Pseudonymization is distinguished from older, less demanding concepts of pseudonymization, which only require the simple removal of direct identifiers, as would satisfy non-statutory definitions of the term.[11] As explained in the article, Statutory Pseudonymization allows lawful data use by public and commercial entities to help accomplish two primary goals:
- Economies of scale: Being able to make use of economies of scale provided by cloud-based infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) offerings; and
- Data sharing and secondary processing: Artificial intelligence (AI), machine learning (ML), advanced analytics, and other capabilities by leveraging services offered by third parties as cloud-based software-as-a-service (SaaS) offerings.
The article highlights the following four elements of high-quality/high-defensible data processing that Statutory Pseudonymization helps to enable:
- Surveillance-proof processing: complying with Schrems II and U.S. CLOUD Act requirements.
- Lawful processing: overcoming the limitations of consent and contract to enable lawful advanced analytics, AI, and ML processing by helping to support GDPR-compliant legitimate interest processing as a legal basis for processing.
- Breach-resistant processing: embedding controls to protect and de-risk data at rest and when in use, with controls that are only accessible to the data controller or its designee.
- Data supply chain defensibility: enabling lawful and ethical data sharing, combining, and processing.
The benefits of technical controls that protect data when in use and prevent misuse are critical to ensure sustainable global cloud processing. The availability of these controls is even more significant since the EU justice commissioner, Didier Reynders, is quoted as only giving the recently proposed EU-U.S. Data Privacy Framework a '7 or 8 out of 10' chance of withstanding legal challenge.[12]
[1] See European Data Protection Board (EDPB) 2022 Coordinated Enforcement Action – Use of Cloud-based services by the public sector adopted on 17 January 2023, available at https://edpb.europa.eu/system/files/2023-01/edpb_20230118_cef_cloud-basedservices_publicsector_en.pdf (“EDPB Enforcement Action”).
[2] See Technical Controls That Protect Data When in Use and Prevent Misuse by Magali Feys, Joseph W. Swanson, Patricia M. Carreiro and Gary LaFever, published in Journal of Data Protection & Privacy, Vol 5 No. 3 (2022) ISSN (print) 2398-1679; ISSN (web) 2398-1687, available at https://Pseudonymization.com/TechnicalControls.
[3] The scope of the EDPB Enforcement Action applies to EEA public bodies, including EU institutions, covering a wide range of sectors (e.g., health, finance, tax, education, central buyers or providers of IT services) under the GDPR, or the EUDPR concerning EU institutions, bodies, offices, and agencies. However, the principles and obligations identified in the EDPB Enforcement Action apply equally to all organizations established in the EU, as well as to organizations based outside the EU that intentionally offer goods or services to the EU or that monitor the behavior of individuals within the EU.
[4] See EDPB Enforcement Action at pages 10-16.
[5] See EDPB Enforcement Action at pages 17-19.
[6] Id.
[7] See EDPB Enforcement Action at pages 3, 17, 26, 27, 31, and 32.
[8] See EDPB Enforcement Action footnote 33 at page 17 referencing EDPB Recommendations 1/2020, which recognizes Use Case 2: Transfer of Pseudonymized Data as a lawful technical supplementary measure on pages 31-32.
[9] See § 2(i-2) of South Korea (the Republic of Korea) Personal Information Protection Act.
[10] See Cal. Civ. Code § 1798.140(aa); VA Code Ann. § 59.1-571; Colo. Rev. Stat. § 6-1-1303; Utah Code Ann. § 13-61-101(28); Conn. Pub. Acts No. 22-15 5 of 27.
[11] See https://dictionary.cambridge.org/us/dictionary/english/pseudonymization
[12] See https://techcrunch.com/2022/12/13/eu-us-data-privacy-framework-draft-decision/