With the Schrems II judgement, the legality of EU-US data transfers has been heavily debated. Learn how AudienceProject complies with GDPR standards while relying on US cloud vendors.
On 16 July 2020, the Court of Justice of the European Union (CJEU) issued the Schrems II judgement with significant implications for the future use of cloud hosting services.
Companies (like AudienceProject) servicing clients globally through international cloud services had to reassess their entire privacy setup with the Privacy Shield framework invalidated.
It is vital to point out that delivering highly scalable digital products internationally at a competitive price is almost impossible unless you embrace modern cloud services, which inevitably means ending up with Amazon, Microsoft or Google as your vendor, all of them US-based companies.
In this article, we will share our experience in making a US-based cloud vendor – in this case, Amazon Web Services (AWS) – work for our clients and us in a GDPR compliant manner.
The end of the Privacy Shield and the establishment of Standard Contractual Clauses
Like many others, AudienceProject’s US infrastructure became subject to the Schrems II judgement. The CJEU’s well-known ruling from July 2020 struck down the Privacy Shield agreement and established that the transfer of personal data to the US was illegal unless a valid Standard Contractual Clause (SCC) was in place.
So what are SCCs? SCCs are a set of standard provisions defined and approved by the European Commission that can be used to enable personal data to be transferred in a compliant way by a data exporter to a data importer when transferring personal data outside the European Economic Area.
From that moment onwards, transferring data to third countries such as the US was forbidden unless a valid SCC was in place. When these SCCs came into effect, the European Data Protection Board (EDPB) recommended introducing supplementary security measures. The essential security measure in our scenario is encrypting all personally identifiable information (PII).
Though you can’t build borders across the internet when you offer your services internationally, AudienceProject tackled this issue and came up with measures to ensure the security of data transfers.
Allow us to explain how AudienceProject manages to rely on US cloud vendors while ensuring compliance with GDPR.
Measures undertaken by AudienceProject to ensure compliance
Following the CJEU ruling C-311/18 “Schrems II” and, as recommended by the EDPB, AudienceProject carried out a full internal risk assessment of our data flows and decided to implement additional protective measures. The objective was to reduce the risk of third-party access to the data collected and stored by AudienceProject services.
Use cases 1, 2 and 3 (scenarios for which effective measures could be found) in “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”, adopted on 10 November 2020, page 21 onwards, were all applicable to AudienceProject’s protective measures:
- Encryption at rest and in transit via private key
- Extensive use of pseudonymised data
- Encryption of data merely in transit
- Backup encryption via Private Key (Keys exclusively accessible by AudienceProject)
- Measures to limit the access of the security authorities
Additionally, we carried out a full-scope audit of our current encryption at rest and in transit configuration. We performed audits at service level and at storage (Amazon S3) level. Legacy S3 buckets were migrated to private encryption keys instead of relying on default encryption keys.
With the data secured with state-of-the-art encryption, we also needed to ensure that the keys capable of decrypting it were equally secure.
AudienceProject stores the private encryption keys in our key management service (KMS) under complete AudienceProject control. We also sent a formal request to our cloud provider about potential third-party access to our KMS, to ensure compliance with EU recommendations. Our cloud provider confirmed that keys stored in our KMS are safe from outside access and under complete AudienceProject control.
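As an added example (not AudienceProject's code), the audit of S3 default-encryption settings described above can be automated by classifying each bucket's configuration by who controls the key and listing the buckets that still need migrating to a customer-managed key. The input shape is that of boto3's get_bucket_encryption response; the account id, bucket names and key ARNs are constructed placeholders.

```python
import re
# Placeholder account that must own every customer-managed key (CMK); the regex
# captures the owning account id from a KMS key or alias ARN.
OWN_ACCOUNT = "111111111111"
_KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:(\d{12}):(?:key|alias)/")


def classify_bucket_encryption(config, own_account=OWN_ACCOUNT):
    """Classify a bucket's default-encryption rule by who controls the key.
    `config` has the shape boto3's get_bucket_encryption returns (a bucket with
    no rule, where that call raises, is passed as {}). Only 'kms-customer-managed'
    meets the "keys exclusively under our control" bar.
    """
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return "none"  # relies on whatever the provider applies by default
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algo = default.get("SSEAlgorithm")
    if algo == "AES256":
        return "sse-s3"  # key owned and operated by AWS
    if algo != "aws:kms":
        return "none"
    key_id = default.get("KMSMasterKeyID", "")
    if not key_id or "alias/aws/" in key_id:
        return "kms-aws-managed"  # the AWS-managed aws/s3 key, not a CMK
    match = _KEY_ARN.match(key_id)
    if match and match.group(1) != own_account:
        return "kms-foreign-account"  # a CMK, but controlled by another account
    return "kms-customer-managed"


def buckets_needing_migration(buckets, own_account=OWN_ACCOUNT):
    """Names of buckets whose default encryption is not a CMK in our own account."""
    return sorted(name for name, cfg in buckets.items()
                  if classify_bucket_encryption(cfg, own_account) != "kms-customer-managed")


def _kms_config(key_id=None):
    """Build a constructed SSE-KMS configuration for the sample inventory below."""
    default = {"SSEAlgorithm": "aws:kms", **({"KMSMasterKeyID": key_id} if key_id else {})}
    return {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": default, "BucketKeyEnabled": True}]}}


# Constructed sample inventory; bucket names, account ids and key ARNs are placeholders.
SAMPLE_BUCKETS = {
    "legacy-raw-logs": {},
    "legacy-exports": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "legacy-kms-default": _kms_config(),
    "shared-from-partner": _kms_config("arn:aws:kms:eu-west-1:222222222222:key/2222aaaa-0000-4000-8000-000000000002"),
    "migrated-pii": _kms_config("arn:aws:kms:eu-west-1:111111111111:key/1111aaaa-0000-4000-8000-000000000001"),
}
```

Running `buckets_needing_migration(SAMPLE_BUCKETS)` on the constructed inventory returns every bucket except `migrated-pii`, including the one encrypted with another account's CMK.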
Q: What safeguard do we offer when it comes to AudienceProject’s subcontractor AWS? Is it possible to rely on US cloud vendors and still ensure full compliance with GDPR?
AudienceProject’s subcontractor AWS offers a GDPR compliant Data Processing Addendum (GDPR DPA), which includes the Standard Contractual Clauses required to enable the transfer of data outside of Europe. The AWS GDPR DPA is incorporated into the AWS Service Terms. The document outlines the scope and format of the standard contractual clauses between AudienceProject and Amazon Web Services. Accordingly, we can provide our customers with documents that prove that a GDPR compliant data transfer to the US takes place.
Moreover, even though AWS is subject to US law, AudienceProject stores only encrypted data on AWS, and the custom encryption keys are controlled exclusively by AudienceProject’s Danish entity, so AWS has no access to that data in clear text.
This means that US authorities would not be able to access such keys given that we are a European company following European data protection regulations. Thus we are exempt from complying with any US request. In other words, AWS will not have control over customer-managed keys (CMKs) and will not be able to make these CMKs available to any third party. AudienceProject will not make our CMKs available to any third party.
Furthermore, we have received written confirmation that Amazon cannot access our data given the current encryption scheme, as well as assurances that Amazon will not comply with requests requiring them to hand over clients’ data.
Additionally, AWS takes the following supplemental organisational measures to prevent customer content from being accessed by authorities:
- AWS challenges law enforcement requests for customer content from governmental bodies, whether inside or outside the EEA, where the request conflicts with EU law, is overbroad, or where AWS otherwise has any appropriate grounds to do so.
- AWS also commits that if, despite its challenges, AWS is ever compelled by a valid and binding legal request to disclose customer content, AWS will disclose only the minimum amount of customer content necessary to satisfy the request.
- AWS will not disclose customer content unless required to do so to comply with the law or a binding order of a government body.
- If a governmental body sends AWS a demand for customer content, AWS will attempt to redirect the governmental body to request that customer content directly from the customer.
- Lastly, if compelled to disclose customer content to a government body, AWS will give customers reasonable notice of the demand to allow the customer to seek a protective order or other appropriate remedies unless AWS is legally prohibited from doing so.
AudienceProject uses encryption in transit and encryption at rest for all relevant AWS services as well as various pseudonymisation techniques.
Furthermore, SCCs are utilised to transfer data between AudienceProject and AWS, and AWS uses SCCs for its onward transfers of personal data to its sub-processors located in countries outside the EEA without an adequacy decision.
Hence, our commercial relationship with AWS is subject to the strictest regulations regarding security and data protection, ensuring the sufficient safeguards required by law.
Q: How can you ensure that the supplementary measures are sufficient to ensure compliance and protection according to GDPR standards?
We actually got a ruling!
There is a 2021 ruling from France’s highest administrative court, where a similar case of storing personal data through AWS was found to be sufficiently protective according to EU General Data Protection Regulation standards.
The ruling supports our assessment that the measures implemented by AudienceProject do indeed satisfy the security threshold imposed at European level.
Breaking down the French court ruling
The French court decision addresses legal and technical safeguards similar to those implemented by AudienceProject.
The key points were that:
- AWS offered a written guarantee that it would challenge any general access request from a public authority – the same guarantee AudienceProject has with AWS.
- Data hosted by AWS was encrypted, and the encryption key is under the control of the data owner in France, not AWS in the US. The data hosted on AWS on behalf of AudienceProject is encrypted with custom encryption keys, held and managed by AudienceProject in Denmark, EU.
- No special category data (in this case: health data) was being processed. AudienceProject does not allow the collection or processing of any special category data.
- Data was deleted after a certain period of time. AudienceProject adheres to our clients’ storage instructions on client data and operates with internal storage terms on AudienceProject data.
The Danish Data Protection Agency guidelines also confirm that our supplementary measures are enough to ensure GDPR compliance
On 9 March 2022, the Danish Data Protection Agency (Datatilsynet) issued a new set of guidelines on using cloud services.
These guidelines cover in depth the topic of relying on third-party cloud vendors, particularly US cloud vendors. They once again confirm that an effective supplementary technical measure requires that the personal data is encrypted, that the keys are under EU control, that only encrypted data is sent to and from the cloud service provider in the US, and that the provider does not have access to the personal data in clear text at any time, not even when the user is actively using the application. This confirms once again that AudienceProject’s supplementary measures are indeed adequate to ensure compliance with GDPR requirements.
So, what are the implications of this ruling and guidelines? Operating with US cloud vendors is still an option with the right SCCs and the right supplementary measures in place.
Recent case law rulings from European courts, as well as guidelines from EU institutions, confirm that AudienceProject’s supplementary measures do satisfy the security threshold imposed by the EU General Data Protection Regulation.
AudienceProject is constantly seeking to implement industry-leading security measures to remain a pioneer in data protection and compliance. We are firmly committed to delivering best-in-class data protection and high-security standards.
For years, we have been working on building a ‘privacy-first’ culture in our business. In 2022, we will take it to the next level and reveal a whole new suite of additional privacy controls that we have been working on for our clients. We want to remain a pioneer in granting our customers maximum privacy and security guarantees when storing and processing customer data.
Consequently, if you have been unsure about how to fully comply with GDPR standards while relying on US cloud vendors, and maybe also in a position where you had to allow the movement of data to third countries, you can rely on AudienceProject’s protective measures and be on the safe side. Follow our privacy-first strategy.
New Framework for EU-US transatlantic data flows: Privacy Shield 2.0?
On 25 March 2022, a long-awaited agreement on data transfers between the European Union and the United States was announced. Although no details have been released in terms of the content or implications of such an EU-US data transfer agreement, it is expected to translate into fewer barriers to transatlantic data flows and thus facilitate the data traffic that is so fundamental today.
As soon as any detail or first draft is published on the matter, we will inform you in a new article!