How BYOK Provides Schrems II Compliance for AWS-hosted Data

Companies who use Amazon Web Services (AWS) often choose to do so because of its scalability, ease of use and lower costs than other services or hosting their own data centers. However, it could bring a challenge for those in the EU who need to remain compliant with Schrems II to protect their data. Here we discuss the compliance challenges facing EU companies using AWS to host data and how Cryptomathic’s Bring Your Own Key (BYOK) Service can provide Schrems II compliance for AWS-hosted data.

Why is Schrems II compliance needed?

Let us take a moment to understand why Schrems II became necessary. In 2018, the General Data Protection Regulation (GDPR), officially known as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC came into effect. This regulation required all EU Member States to follow the rules for how personal data can be processed by physical or legal persons. It was created to provide a level of protection for personal data that is both uniform and harmonized that would not limit the free movement of personal data within the EU.

Schrems II came about when Austrian activist Maximillian Schrems requested that the Irish Data Protection Commissioner invalidate the European Commission’s Standard Contractual Clauses (SCC) for personal data transfers to the United States and throughout the world. Schrems argued that EU personal data transferred by Facebook to its U.S. headquarters could be accessed by the National Security Agency (NSA) under the U.S. Foreign Intelligence Surveillance Act (FISA) Section 702, Executive Order 12333 and Presidential Policy Directive 28. According to Schrems, this violated GDPR and EU law by violating the Privacy Shield, the EU Standard Contractual Clauses and Binding Corporate Rules. This would compromise the controls used in the EU to properly protect data subjects who could become targets of U.S. national security investigations.

What are the legal ramifications?

The European Union Court of Justice (ECJ) issued its judgment on Schrems II (Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems) on 16 July 2020, with significant implications for EU companies that use cloud services in the United States. The EU-US Privacy Shield. However, the Court cast doubt over how data transfers could be legitimized under SCCs. While SCCs can be used as a valid transfer mechanism, they now require some additional work.

It now falls upon companies to ensure that the recipient country has the equivalent data protection as that of the EU to be in compliance with GDPR. Companies can no longer rely on just SCCs.

The Court’s decision emphasizes that the data exporter must ensure adequate protection of the data before exporting it. The data recipient, in this instance AWS, must inform the exporter of any issues with SCC compliance. If local surveillance laws interfere with the GDPR, the exporter is required to stop the transfer and end the contract. If the data exporter fails to comply with their SCC obligations, the lead supervisory authority must intervene. This may cause the transfer to be prohibited.

BYOK-based solution could be the answer to Schrems II compliance challenges

The Court’s ruling on Schrems II raises the responsibility of EU companies that conduct data transfers to the United States or other countries outside of the EU to protect data. AWS does offer its KMS clients the option of bringing their own key. However, the user must choose their region wisely because AWS does not offer the ability to replicate encryption keys to use BYOK across regions. Its very design prevents the decryption of encrypted data outside the region in question (e.g., Frankfurt, Germany).

An interesting decision came from the Regional Court of Karlsruhe (Oberlandesgericht), which ruled on the case of a European subsidiary of a US company, where data is hosted in Europe. The court ruled that customers do not need to assume that the subsidiary would receive and follow illegal instructions from the US parent, as doubts about trustworthiness cannot be justified solely by group affiliation. Applying the principle of “in-dubio-pro-reo” (in cases of doubt, favor the accused), customers are provided with legal assurance regarding GDPR compliance. This decision marks an important precedent for EU companies, enabling them to host data on the European AWS cloud with confidence.

Digital sovereignty with BYOK

Digital sovereignty refers to the degree of control an individual or organization has over their data. To ensure a high level of control, users may utilize Bring Your Own Key (BYOK), which prevents third parties from accessing unencrypted data. If BYOK is set up correctly, Amazon or other third parties are unable to access the unencrypted data outside Europe, as the customer owns and controls their own keys - even with a subpoena from a US government body. This means that BYOK addresses Schrems II when deployed in an AWS datacenter located in the EU.

How to Bring Your Own Key for GDPR and Schrems II compliance

BYOK gives organizations the flexibility to manage and control their encryption keys while still taking advantage of the benefits provided by cloud computing platforms such as Amazon Web Services (AWS). 

The first step in deploying BYOK on AWS is to create an encryption key that meets AWS’s standards. After creating your key, you will need to securely transfer the key to AWS KMS.

Once your key is in place, you can enable encryption for your applications or services that are running on AWS. This process will vary depending on what type of application or service you are running, but generally, it involves enabling the feature in the relevant AWS console and then providing your encryption key.

All of this might sound simple, but it is not necessarily easy to do. It requires having a hardware security module (HSM) at your disposal and trusting the organization with the logical control of said HSM. The key material must be generated and uploaded to the AWS KMS. However, this process can be made easier by using Cryptomathic’s AWS BYOK Service.
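
The wrapping step behind "securely transfer the key to AWS KMS", as an added example that is not code from the original page, from Cryptomathic or from AWS: key material is encrypted under a wrapping public key with RSAES-OAEP and SHA-256 before upload, and a wrap made with a different OAEP hash fails to unwrap. The locally generated RSA key pair (standing in for the wrapping key that KMS issues through GetParametersForImport), the file names and the `wrap_roundtrip` function are assumptions for illustration.

```shell
#!/bin/sh
# Added example: the key-wrapping step of an AWS KMS key-material import,
# reproduced offline. Assumptions: a local RSA-2048 pair stands in for the
# wrapping public key returned by KMS GetParametersForImport, and
# `openssl rand` stands in for key generation inside an HSM.

# wrap_roundtrip DIGEST: wrap 32 bytes of key material with RSAES-OAEP using
# DIGEST, then unwrap the way a receiver expecting RSAES_OAEP_SHA_256 would.
# Returns 0 only if the unwrapped bytes equal the original key material.
wrap_roundtrip() {
    md=$1
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # Stand-in wrapping key pair; with KMS the private half never leaves AWS.
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out wrap_priv.pem 2>/dev/null || exit 1
        openssl pkey -in wrap_priv.pem -pubout -outform DER \
            -out WrappingPublicKey.bin || exit 1
        # Constructed sample: 256-bit symmetric key material.
        openssl rand -out PlaintextKeyMaterial.bin 32 || exit 1
        # Wrap under the public key; OAEP hash and MGF1 hash are set explicitly.
        openssl pkeyutl -encrypt -pubin -keyform DER \
            -inkey WrappingPublicKey.bin -in PlaintextKeyMaterial.bin \
            -out EncryptedKeyMaterial.bin -pkeyopt rsa_padding_mode:oaep \
            -pkeyopt "rsa_oaep_md:$md" -pkeyopt "rsa_mgf1_md:$md" || exit 1
        # The wrapped blob is exactly one RSA-2048 block (256 bytes).
        [ "$(wc -c < EncryptedKeyMaterial.bin)" -eq 256 ] || exit 1
        # Receiver side: unwrap with SHA-256 OAEP and compare.
        openssl pkeyutl -decrypt -inkey wrap_priv.pem \
            -in EncryptedKeyMaterial.bin -out Unwrapped.bin \
            -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
            -pkeyopt rsa_mgf1_md:sha256 2>/dev/null || exit 1
        cmp -s PlaintextKeyMaterial.bin Unwrapped.bin
    )
    rc=$?
    rm -rf "$dir"   # remove plaintext key material and the stand-in private key
    return $rc
}

if wrap_roundtrip sha256; then echo "sha256 wrap: unwrap OK"; fi
if ! wrap_roundtrip sha1; then echo "sha1 wrap: rejected by SHA-256 unwrap"; fi
```

In a real import only the wrapped blob and the import token are sent to KMS ImportKeyMaterial; the plaintext key material stays with the key owner.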

Cryptomathic’s AWS BYOK Service is designed to keep data protected and out of the reach of unauthorized third parties, including AWS employees, who are unable to retrieve users’ plaintext keys. These keys are never written to the disk unencrypted. Instead, they are only used in volatile memory in the HSM. The user keeps a secure copy of the keys, from which the keys can be re-imported or exported when needed.

Using Cryptomathic’s AWS BYOK Service on the European AWS cloud offers ownership and a high level of control over the permissions and lifecycle of the users’ keys. AWS provides users with the scalability of their databases, while Cryptomathic allows for automatic scaling to manage multiple keys and use them when needed while keeping the keys secure. The service defines the data residency and ensures the customer’s digital sovereignty over the data. A convenient audit reporting feature enables the customer to substantiate its compliance with European law, i.e. GDPR.

