For over two years, the Schrems II decision from the European Court of Justice has caused tremors in IT departments across EU countries, such as Denmark. This has raised serious questions about the legality of using American cloud giants.
Education in the cloud
In the spring of 2022, the Danish Data Protection Authority came up with a decision that caused a big rift in the relationship between Denmark’s municipalities' IT community, Kombit, and the American cloud supplier Amazon Web Services (AWS). As a result, Kombit has now started negotiations to change an agreement on Aula – a student engagement platform.
In the standard agreement, AWS reserves the right to hand over personal data from the communication platform used by primary schools and daycare centers across the country to US authorities. But according to the Danish Data Protection Authority the agreement is illegal, because the USA is an unsafe third country, as the European Court of Justice established with the Schrems II judgment in the summer of 2020. The Schrems II ruling was made because US legislation can impact European citizens' privacy.
Hence, Kombit was urged before summer to ask AWS to promise that the tech giant will never send Aula users' personal data to the USA. After dropping future agreements with Microsoft at the beginning of 2021 due to the same concern, Kombit continued with AWS as a subcontractor for Aula following an investigation based on the Schrems II judgment. Although Kombit now must change the contract at the request of the Data Protection Authority to make the handling of Danish children's data legal, it is not yet known what AWS will do. To understand the pain Kombit is currently in, we turn back the clock to the spring of 2022, when the Danish Data Protection Authority published its guidance on how Danish companies can legally use cloud services. Many had been anxiously waiting to see if it would resolve the Schrems II issues, but according to several legal experts, the guidance made it abundantly clear that using US cloud providers legally is nearly impossible.
Pensions in the cloud
The Schrems II ruling also caused Denmark's largest pension company, PFA, to halt its cloud adoption with the major US cloud providers. Municipalities and other public authorities obviously have major problems with the decision, but it also creates tension for the private business community. The Danish pension industry, in particular, holds a sea of personal data, which is why PFA is particularly cautious. PFA has a very low risk appetite, and a large part of the work that has taken place around the cloud platforms has been about ensuring that it is legally sustainable.
The current uncertainty surrounding the use of cloud platforms does not make PFA completely abandon the technology, but it affirms that they take the legal aspect seriously in such situations.
How Cryptomathic addresses concerns around Schrems II
By default, cloud providers generate encryption keys and then manage the lifecycle of those keys on their customers' behalf. However, this is unacceptable for organizations hosting sensitive data in the cloud, because they must maintain sole control and ownership over their keys to remain compliant with their internal and external security requirements. This has generated the need for strategies that allow organizations to maintain full control over how and when their keys are used to access and protect their encrypted data.
To assure sound governance, compliance, and internal controls, businesses need to maintain control over their cryptographic keys – this is where the concept of Bring Your Own Key comes into the picture. Using “Bring Your Own Key” (BYOK) is crucial for mitigating ICT and security risks as it allows organizations to keep control of their critical keys while taking full advantage of the cloud’s efficiencies. BYOK also ensures that even the cloud service providers cannot access these critical keys in unencrypted form and, therefore, can provide further protections against insider attacks or even external government interventions.
Another advantage of BYOK is that the customer does not risk being caught in a cloud vendor lock-in. Getting data out, e.g., when moving to a different cloud or into a different subscription service, can be a tedious, time-consuming and consequently costly process without BYOK.
As applications run, encryption protects data, whether at rest in the database, in transit between data centers or user devices, or at public endpoints through TLS. When the right key management system is used for BYOK, a business’s data in the public cloud cannot be accessed by others, including third-party employees or government agencies.
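To make the BYOK idea from the paragraphs above concrete, here is an added example in Go (not Cryptomathic's or AWS's code) of the import step: the customer generates AES key material on hardware it controls, wraps it with RSA-OAEP/SHA-256 under a public wrapping key the provider hands out (the construction AWS KMS calls RSAES_OAEP_SHA_256 for imported key material), uploads only the wrapped blob, and uses the key for authenticated encryption of records at rest. The function names, the simulated "customer HSM" and "provider HSM", and the sample record are all constructed for this illustration. Where the unwrapping happens (inside the provider's HSM in this simulation) is exactly the question a BYOK deployment has to answer when it claims the provider never handles the key in the clear.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// GenerateCustomerKey stands in for the customer's own HSM producing 256 bits
// of AES key material on customer-controlled hardware, outside the cloud.
func GenerateCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// NewProviderWrappingKey simulates the RSA key pair a cloud KMS issues for a
// key import. Only the public half ever leaves the provider's HSM.
func NewProviderWrappingKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// WrapKeyForImport encrypts the key material with RSA-OAEP/SHA-256, the
// construction AWS KMS names RSAES_OAEP_SHA_256 for imported key material.
// The customer sends only this wrapped blob to the provider.
func WrapKeyForImport(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("expected 256-bit key material")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

// UnwrapImportedKey is the provider-side step, which in a real KMS happens
// inside the HSM holding the private wrapping key.
func UnwrapImportedKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord protects one record at rest with AES-256-GCM under the
// customer key. aad binds the ciphertext to its context (e.g. a record id),
// so a blob copied onto another record fails to decrypt.
func EncryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || GCM tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptRecord reverses EncryptRecord and fails on any tampering or on a
// mismatched aad.
func DecryptRecord(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	priv, _ := NewProviderWrappingKey() // provider side
	key, _ := GenerateCustomerKey()     // customer HSM
	wrapped, _ := WrapKeyForImport(&priv.PublicKey, key)
	fmt.Printf("wrapped key blob sent to provider: %d bytes\n", len(wrapped))

	// Constructed sample record; the record id is the associated data.
	blob, _ := EncryptRecord(key, []byte("constructed pupil record"), []byte("record:42"))
	imported, _ := UnwrapImportedKey(priv, wrapped)
	pt, err := DecryptRecord(imported, blob, []byte("record:42"))
	fmt.Printf("decrypted with imported key: %q err=%v\n", pt, err)
	_, err = DecryptRecord(imported, blob, []byte("record:43"))
	fmt.Println("decrypt under wrong record id fails:", err != nil)
}
```

Two checks worth carrying over from this into a real import procedure: verify that the wrapped blob contains nothing of the plaintext key before it leaves your network, and verify that a record encrypted before import decrypts under the key the provider reconstructed, which proves the wrapping round-trip without the provider ever seeing the key over the wire.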
Cryptomathic offers a comprehensive portfolio of cybersecurity and key management solutions that provide strong cryptographic protection against intruders accessing unencrypted data. Schrems II is the reason why we provide BYOK solutions and fully managed services to organizations that want to use cloud services but are concerned about who has control over the keys that protect their sensitive data. In addition, Cryptomathic's AWS BYOK Service specifically aims to mitigate security and legal concerns around storing data in the cloud.
Click below to try your free trial of the AWS BYOK Service.