back to article European recommendations following Schrems II Privacy Shield ruling cast doubt on cloud encryption practices

The European Data Protection Board (EDPB) has issued guidance that calls into question recommendations to cloud services providers in responding to the Schrems II ruling, which struck down the Privacy Shield arrangement for moving data from the EU to the US. The EDPB, which is responsible for European data protection law, said …

  1. PVecchi

    What about Office Suites?

    I guess most still wonder if they can/should use Office365, G Suite and similar to process EU citizens personal data.

    The short answer is: No, you are violating data subjects fundamental right to Privacy (art. 7 and 8) as stated by the EUCJ.

    You could do it if you obtain informed consent from the users, as their personal data will be often shared in Azure AD, and the people you are writing about/contacting by email/adding to your CRM/etc...(data subjects) stating clearly that their personal data will be transferred to a data importer (Microsoft/Google/etc) which, regardless if the contract is signed with a EU subsidiary and stored in EU, cannot ensure an adequate and equivalent level of protection and by doing so it will violate their right to privacy (and contribute to support the expansion of surveillance capitalism business models but that's another issue).

    Some more info: https://joinup.ec.europa.eu/collection/joinup/news/privacy-shield-invalidation

    These transfers fall under the Use Case 6 of the EDPB recommendations as the text you are writing in Word or the emails you are sending out are all processed in clear so at present you are not able to use those tools without violating people's privacy and naturally that will make your organisation also non GDPR/DPA compliant.

    EDPB's recommendations can be found here: https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf

    1. Zippy´s Sausage Factory

      Re: What about Office Suites?

      I can see a lot of consultants are going to be getting very rich selling a lot of snake oil solutions to this problem n the very near future...

      1. big_D Silver badge

        Re: What about Office Suites?

        I've used Office 365 Home for several years, but I'm in the middle of migrating all my data to an EU-only cloud storage solution at the moment.

        I really like O365/M365 as a service, but the current situation makes it unusable for anything other than the Office licenses themselves.

    2. thondwe

      Re: What about Office Suites?

      Check with your cloud provider - our O365 data is "mostly" hosted in the UK data cent res now - I say mostly, but e.g. Azure AD which is "Global" (and will have some personal info in it - telephone, personal e-mail etc + MFA info). MS have done the work on Model Clauses to cover all this which looks to a non-lawyer OK...

      https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-eu-model-clauses?view=o365-worldwide

      So all OK until the end of Dec, when I presume Microsoft et al will have to do some more leg work to cover data outside the UK and specifically in the EU?

      1. Strahd Ivarius Silver badge

        Re: What about Office Suites?

        Just wondering how the "Cortana Daily Briefing" will be taken into account, since it implies that MS is ready all your mails to provide you that digest...

        And as usual it is an opt-out feature.

        MS will have a difficult time (again) to prove they are not the data controller since you didn't agree to this.

        1. Nick Ryan Silver badge

          Re: What about Office Suites?

          Microsoft are the Data Controller because they are deciding what to do with the data, and dictating the data stored.

          It's a standard Data Controller vs Data Processor type issue where many people think that the Data Controller must be the originating entity, they don't have to be.

          The data controller determines the purposes for which and the means by which personal data is processed.

          For example, if your organisation uses an external accounting organisation for payroll then the external accounting organisation is the Data Controller. While this may seem contrary to how many people read the act (although in troth most people plainly haven't read it), this external accounting organisation is dictating the information that is required and how it will be processed. Your organisation cannot pick and choose the information provided. Ownership of the data and responsibility for the accuracy is usually contractually deferred to your organisation and while this is fair enough, it does not change the fact that both parties are legally resposnible for the data. While many try to take the simplistic route that every client of such an accounting organisation is in fact the Data Controller and the accounting organisation is the Data Processor, this would require that every such relationship would require that every client draws up their own Data Controller agreement that their accountants check through in detail and agree to this. Such a relationship where a service provider is the Data Controller and the client is the Data Processor is quite common and while people are hung up on choice, as the client chooses to use a particular accountancy firm, this does not make the client the Data Controller.

          In many ways the hard distinction between Data Controller and Data Processor is quite unhelpful as real interactions do not work that way. It would have been preferable to consider the origin of the data more strongly and the passing on of this data rather than going through the semantics wrangling of Data Controller vs Data Processor where if one is not careful almost everyone is a Data Controller. It's also important that for any given dataset, a single organisation may be both the Data Controller and the Data Processor, often multiple times over.

          1. Mike 137 Silver badge

            Re: What about Office Suites?

            "the external accounting organisation is the Data Controller"

            Where the GDPR is somewhat problematic is its lack of definitions of the terms "means" and "purposes", however, with apologies, as a long standing data protection professional I don't think this is quite correct.

            The decision as to purposes is vested in the business using the payroll service - they decide to employ staff and thus to perform payroll operations. The means is decided by the business using the payroll service - they decide to outsource the function rather than perform it in house.

            Particularly in this case, as payroll is for statutory reasons conducted using standard processes on standard data, it can not legitimately be asserted that the outsource either dictates the information that is required or how it will be processed - that's defined by a combination of law and common practice. In any case "means of processing" does not necessarily refer to the low level technical specifics of procedures, but may refer to the generality: automated versus manual, internal versus outsourced process and so on. The essence of the distinction between data controller and data processor is at whose behest the processing is performed, rather than who decides on the fine detail.

            A client of mine acted as a subcontractor for a large corporation that contractually left some day to day data processing decisions to the subcontractor (e.g. when specifically to delete redundant records) and thus defined the subcontractor as a data controller. However, as the overarching criteria were dictated by the corporation (whether they still required access to the records), they were wrong, and I successfully had the subcontractor redefined as a data processor.

            Where a "third party service" does become a data controller is, for example, if they decide to pre-purpose data received as a data processor in order to use it for their own purposes.

      2. Secon

        Re: What about Office Suites?

        It is often assumed that because you seect a UK/EEA region in a cloud provider that your data stays there.

        Sadly this is not the case, and even if it were the physical location of data is less important than you may assume.

        The Microsoft Terms if Service very clearly state that they can move your data internationally including to countries that do not meet EU requirements for data protection; the systems are in part administrated from outside of EEA and some if the core services within the M365 stack are only available outside of EEA (and your data moves there for processing).

        Finally the extra-territoriality of some US legislation means that even if none of the above were true your data is still exposed to disclosure to US authorities.

        I’m sorry to say therefore that your assumptions around residency and data protection are quite wrong - though you are correct that for some sectors at least the rules of Data Protection shall change again in January, but sadly these shall become MORE complex, not less.

      3. big_D Silver badge

        Re: What about Office Suites?

        German Data Protection Zars have declared Microsoft 365 to be illegal under GDPR.

        The problem is the CLOUD Act, which says, even if the data is held in Europe, by a European subsidiary, it is still American data under American law and they have to hand it over if required. The only way would be to have a wholly independent company running those cloud services in Europe, with absolutely no ties to the USA.

        1. Doctor Syntax Silver badge

          Re: What about Office Suites?

          What happened to that agreement to have a German company act as a custodian with MS not allowed to touch the data? Did that fall by the wayside? I haven't heard anything about it for a good while.

          1. Claptrap314 Silver badge
            Angel

            Re: What about Office Suites?

            Reading between the lines, the CLOUD act is stating that a US company cannot just create a shell to dodge their responsibilities. US incorporated company ==> US jurisdiction. Of course, do business in EU ==> EU jurisdiction. Have a data center in India ==> India jurisdiction. Employ Chinese nationals ==> Chinese jurisdiction.

            If all of these sovereign nations would just shut up & let businesses do what they want! We could have all of our bread and circuses, then!

          2. Anonymous Coward
            Anonymous Coward

            Re: What about Office Suites?

            Microsoft still mention it in their documentation if you read it all, but it has been closed for new admissions for a couple of years now and is essentially being withdrawn as folks move out of it.

            I'm not 100% sure why this is the case, and whilst I have heard from federal sources that it was a German state decision to shut it down, Microsoft are being both more coy and upbeat about it, suggesting its really because German customers want MORE not less Microsoft Global Cloud:

            "In 2015, we first introduced a new type of cloud region in Germany designed to offer an additional layer of privacy controls for German customers in highly regulated industries. These regions, referred to as the Microsoft Cloud Germany, are isolated from Microsoft’s global cloud network and access to customer data is managed by a German data trustee. Over the past three years, customers’ needs have shifted, and the isolation of Microsoft Cloud Germany imposes limits on its ability to address the flexibility and consistency customers desire today."

            Given that German federal authorities have banned use of M365 in schools and some states have effectively banned use of 365 for official business I suspect its NOT the case that they decided they didn't;t need a Germany specific cloud (which they have invested in heavily in parallel), or an EU led cloud - like Gaia-x; but that they felt the Microsoft offering was still too Us based for comfort.

          3. big_D Silver badge

            Re: What about Office Suites?

            T-Systems, the IT branch of Deutsche Telekom, was running it.

            But Microsoft cancelled it last year and opened their own data centers in Germany, instead.

          4. Doctor Syntax Silver badge

            Re: What about Office Suites?

            So more or less as expected. Thanks.

      4. Doctor Syntax Silver badge

        Re: What about Office Suites?

        "MS have done the work on Model Clauses to cover all this which looks to a non-lawyer"

        And those clauses are not worth the paper they're not written on. Because MS is subject to the US government they cannot abide by them if the US govt. says otherwise. That's the Schrems II ruling that is the whole point of the article.

      5. Missing Semicolon Silver badge
        Unhappy

        Re: What about Office Suites?

        Hosting in the UK is no good. The US CLOUD act has seen to that. If it's a Microsoft server, then Microsoft US must access it.

    3. big_D Silver badge

      Re: What about Office Suites?

      I had this discussion with my boss today.

      We have been using Microsoft 365 for about 2 years. But all accounts were anonymised and no data could be stored in Exchange Online, SharePoint, OneDrive etc. (We were just using for the licenses, which still worked out economical, even if we didn't use any of the "cloud" services that M365 brings with it).

      With the advent of Corona, we started rolling out Teams, but only to users who have signed a waiver that their name can be stored in the Microsoft 365 tenant. No other information, other than the conversations, can be stored in the M365 tenant, no recordings of meetings etc. Our DPO had a look at it and signed off on us using it in that way.

      1. PVecchi

        Re: What about Office Suites?

        If it's used only by your organisation to process non personal data then it's OK.

        If you use it to process and transfer personal data of clients or third parties that have not signed an informed consent then your DPO is doing it wrong.

        Please note that the "informed" part of the informed consent is also important. Your DPO cannot assume that the user and the data subjects may be fully aware of the implications of what they are signing.

        If you ask "Is it OK for you to use Microsoft Teams?", that's not informed consent.

        The data subjects, that includes also any other identifiable person you may mention in your conversations even if they are not employees, haven't been informed that by allowing their data to be processed in clear by Microsoft their are OK to waive their fundamental right to privacy. Today they may say OK for a badly performing chat platform, tomorrow they may be asked to do the same for other platforms.

        While each one of us could make an informed decision in regards to the information we want to share on LinkedIn, Facebook, Twitter, The Register, etc. and evaluate carefully what we want to say, we may not realise how much more we give away during an informal chat on Teams while we are using it and when we think we are not.

        1. big_D Silver badge

          Re: What about Office Suites?

          Which is why there is informed consent on the part of the users, they are explicitly told that their name will be stored in the Microsoft cloud (but no other information) and that they cannot upload any information into the MS cloud.

          The wording is something along the lines of, "if you want to use Microsoft Teams, you have to consent to your forename and surname being stored in our Microsoft 365 tenant, so that you are searchable by other Teams users." They then have to sign a waiver to say that they agree with this and that no PII or company confidential information can be sent via Teams.

          They also have no access to OneDrive, SharePoint, Exchange Online etc.

          1. Mike 137 Silver badge

            Re: What about Office Suites?

            "if you want to use Microsoft Teams, you have to consent to your forename and surname being stored in our Microsoft 365 tenant, so that you are searchable by other Teams users."

            Unfortunately that's flawed on two counts: [a] it's not sufficiently informed - the real issue is who other than "other teams users" might have access to it outside the EEA (e.g. in the good old USA where these services are based and where privacy Shield is no longer valid) so you'd have to spell this out in detail with clear description of its implications, and [b] "you have to consent" suggests constraint, which is unlawful (bad choice of words). Equally, for the same reason you couldn't make use of Teams mandatory if you were relying on consent.

            Consequently, consent (yet again) might not be the best choice of lawful basis. The final paragraph of Article 49(1) is worth considering. Although the relevant term ("repetitive") is not formally defined, it potentially allows for an occasional derogation under controlled circumstances on the basis of "compelling legitimate interests pursued by the controller". The legitimate interest would have to be justified formally as compelling using a properly conducted and documented assessment (Recital 47, Article 35) and the data subjects would have to be informed of both the determination of the assessment and the implications of the data transfer.

          2. Doctor Syntax Silver badge

            Re: What about Office Suites?

            It would also have to be the case that there continued job doesn't depend on it, nor anything such as appraisals. Add management are going to have to be completely onside with ensuring that that's the case. Good lock with that.

  2. Doctor Syntax Silver badge

    It looks like a case of stating the bleedin' obvious. Necessary, I suppose, if manglements have been ignoring the bleedin' obvious.

    1. Doctor Syntax Silver badge

      Considering the previous thread it can't be as obvious as I thought.

      “It is difficult to get a man to understand something, when his salary depends on his not understanding it.” Sinclair Upton.

  3. Anonymous Coward
    Anonymous Coward

    Naughty step here we come

    Whether the UK will be on the list will be determined by ongoing Brexit negotiations.

    If we pass 1st Jan 2021 with no deal as the only option we will be on the naughty step and Barnier and chums will make sure that we stay there for the next decade or more.

    BREXIT... the gift that keeps on giving (Sic)

    1. big_D Silver badge

      Re: Naughty step here we come

      And the ECHJ has already thrown back the UK's efforts at GDPR (Data Protection Act and, more importantly RIPA) as non-compliant anyway.

      1. Anonymous Coward
        Anonymous Coward

        Re: Naughty step here we come

        What is this ECHJ to which you refer? Did you mean the ECJ or the ECHR?

        1. big_D Silver badge

          Re: Naughty step here we come

          Sorry, ECHR.

          1. Doctor Syntax Silver badge

            Re: Naughty step here we come

            RIPA I knew about (HMG will tweak the wording for a new Act with a new name, SOP) but GDPR?

    2. Claverhouse Silver badge

      Re: Naughty step here we come

      Don't worry: no matter what happens, we can be reassured British authorities will continue to sedulously hand over any information the Cousins demand.

      Even if Boris has to break the law and ignore treaties.

  4. Rich 2 Silver badge

    How does this work?

    "...customers can choose to encrypt their data, at rest or in motion, using AWS tools or a number of supported 3rd party security solutions, while maintaining full control of the encryption keys."

    I know very little about AWS but how can you use a remote system like AWS to encrypt/decrypt your data WITHOUT also giving it the keys to do so (and thus immediately invalidating the method)?

    As suggested by the new EU memo, it seems the ONLY way you can be secure and compliant is to use local (or "trusted" external) encryption so that no keys are transferred anywhere. Any other "solution" is a kludge and cannot possibly be compliant.

    1. ThatOne Silver badge
      Devil

      Re: How does this work?

      > how can you use a remote system like AWS to encrypt/decrypt your data WITHOUT also giving it the keys

      Symbolic actions, akin to knocking on wood or throwing salt over your shoulder. Of course the fact you can choose the key yourself doesn't change anything, but boy it does make you feel good!...

    2. Brewster's Angle Grinder Silver badge

      Homomorphic

      If you're clever, it's possible.

      I suspect most people aren't doing that, though.

      1. ThatOne Silver badge

        Re: Homomorphic

        > If you're clever, it's possible.

        What you're saying is that you should encrypt your data, before you let AWS (or similar) re-encrypt it with the key you provided.

        Well, obviously in that case the data would be secure(ish), but it's very complicated, and no company will go through that kind of hassle, especially since they lack the know-how and (AFAIK) there is no off-the-shelf implementation of homomorphic encryption tools to be found yet. No serious company will risk rebuilding from scratch all the software they're using! They might only consider it if/when their current software providers offer FHE as an option.

        1. Anonymous Coward
          Anonymous Coward

          Re: Homomorphic

          @ThatOne

          Quote: "...you should encrypt your data, before you let AWS...."

          *

          Surely this is sensible advice for the transmission of ANY DATA OR MESSAGE BEFORE THAT DATA OR MESSAGE ENTERS A PUBLIC CHANNEL!

          *

          There are alleged backdoors in Cisco and Jupiter kit. There are calls by politicians in all the so called Five Eyes countries for backdoors to be implemented in ALL PUBLIC INTERNET SERVICES. Do we actually know what is going on.....or what has already been implemented?

          *

          So......even if it might be hard to do, why is this advice regularly criticised? Encrypt data or messaging in an off-line (air gapped) cipher machine. Transfer the encrypted data to a public service.....and take serious precautions to ensure that the original data (wherever it is hosted) is VERY difficult to hack.

          *

          Relying on a public service to secure private data seems like contradiction in terms!!!!

          1. ThatOne Silver badge

            Re: Homomorphic

            > Relying on a public service to secure private data seems like contradiction in terms!!!!

            True, but you forgot Reality: The board/shareholders don't worry about mathematical or philosophical issues, they only have two questions: Will it save us money? Are we at risk of having to pay (fines/reparations/whatever)? If the answer to those two questions is right, everything else is irrelevant and will be actively ignored.

            An overwhelming majority of people will happily relinquish control, security and sovereignty in exchange for economies and ease of use, both in their professional and their private lives. Take "Streaming vs. buying CD/DVDs" as the most general example.

      2. Anonymous Coward
        Anonymous Coward

        Re: Homomorphic

        For sure homomorphic encryption will be great - when it actually arrives.

        But its going to work must more readily on mathematical data than it can on text and (although findamentally of course all text is a number in computer terms) creating systems that can do such manipulations AND remain secure and not leak data about what changes you are making to the underlying clear text with high levels of confidence may be many many years away.

        Cribs and pattern analysis broke enigma, ensuring the same does not happen with homomorphic encrpytion will be an equal challenge.

      3. Rich 2 Silver badge

        Re: Homomorphic

        Possible, yes. Realistic? The last time I read anything about this, I found that it requires several orders of magnitude more computation than doing things the standard way, and (at least for now) probably unrealistic for the quantities of data the likes of faecesbook or googlies steal from their users, or for most (normal) commercial applications. Granted, the techniques will have improved over the years, but even so

        And it still fundamentally uses local encryption. So it doesn't really change anything

      4. Anonymous Coward
        Anonymous Coward

        Re: Homomorphic

        If the encryption is valid, the resultant data appears random.

        If anything can process that encrytped information, then the information isn't properly encrypted in the first place.

        What am I missing here?

        1. Brewster's Angle Grinder Silver badge

          Re: Homomorphic

          "If anything can process that encrytped information, then the information isn't properly encrypted in the first place."

          Imagine a string of bytes encrypted by adding them (mod 256) with a random sequence of bytes. That's properly encrypted - it's just a classic one time pad.

          But we could then add n (mod 256) to the cipher text and when we decrypted it, the plaintext would also have had n (mod 256) added to it. Or we could sum two encrypted strings of bytes and the decryption key would be the sum of the keys used to encrypt each.

          There are trite examples. But various encryption schemes support various mathematical operations. Whether it would be truly practical is another matter.

          1. This post has been deleted by its author

          2. Anonymous Coward
            Anonymous Coward

            Re: Homomorphic

            Thanks for the reply.

            OK, your explanation makes sense. However, I can't see what that would achieve that couldn't be achieved by the processing server simply sending the altering data, "n", and therefore, not needing, or groking, the original data at all.

            Still, you've provided a mechanism to alter the data which I hadn't thought about, and I guess the rest would be over my head anyway!

            Cheers!

      5. NetBlackOps

        Re: Homomorphic

        I keep an eye on it and there are severe limitations on its utility. Orders of magnitude greater compute required and limited, still, in the operations that can be performed. It will likely require custom chip architectures to handle in a decent manner and still operations allowed will be restricted. No magic bullet here. Unless there is an advance in pure mathematics, of course.

    3. DrewWyatt

      Re: How does this work?

      We store backups in AWS. The way we do it is backup -> gzip -> encrypt -> upload. The keys stay on the server that does the encryption, which is not the server that does the upload. Oh, yes, and the keys also sit in our password management solution.

      1. sgp

        Re: How does this work?

        There's more to AWS than storage..

  5. Anonymous Coward
    Anonymous Coward

    Cloud != Privacy

    What am I missing?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022