So, yeah, I'll start. My name is Grit, heading the legal team of Dr. In Berlin. I understand that the main focus will be on tech, so I'll be short. Let's just deep dive a little bit on why we speak about technical measures when we speak about Schrems II compliance.
So, let us check: what is the context behind this? You can go on to the next slide. Sure.
So you see one guy on this slide. I'm sure you know his name: Max Schrems. Actually, it's not the first time, with Schrems II, that we have heard his name. He made some headlines on privacy before. To tell you, just in a nutshell: it was in 2013 that he launched a complaint with the Irish data protection officer, focusing on data transfers from the EU to the US.
And actually he argued, also in the light of the Snowden revelations, that US law does not offer sufficient protection for data against US surveillance laws, the NSA, and that the instrument used until then to transfer data, Safe Harbor, was not sufficient. And actually, in the first ruling of 2016, the European Court of Justice agreed with Max Schrems
and invalidated this instrument, Safe Harbor. Well, then Safe Harbor got replaced by what you know as the Privacy Shield. You can go on to the next slide, Swan. But actually he was very successful, Max, because there was a second ruling in July 2020. Again, the European Court of Justice followed his argumentation and stated that the Privacy Shield, as a transfer mechanism, is also not valid to transfer data to the US. And it stated that, well, another transfer instrument, standard clauses, would still be possible, but with an additional layer of measures.
And actually this is a really groundbreaking ruling. Why? Because it concerns every company that deals with international data transfer. So it's not at all restricted to one specific industry or sector. And it says the routine that many companies had, to rely on SCCs, on standard contractual clauses, is no longer possible. You will need to check in more detail what's behind your data transfers and find additional measures to protect the data at the same level as under GDPR. And, very special actually, too: there is no grace period with this ruling.
So no transition period, and the European Court of Justice actually established quite clearly that it expects the national data protection authorities to suspend or prohibit unauthorized data transfers. Next slide. So we are lucky today. There was a task force established with the EU Data Protection Board. So this is a body where the EU data protection authorities work together, and they issued guidelines on how to deal with this: recommendations to implement supplementary measures. So let's just quickly check: what are these guidelines?
So the EDPB said: in the first step, actually, you should know about your data. So you must actually do risk mapping, which can be quite difficult for many, many companies. And you must check: is it really adequate? Is it limited? Is it relevant for the purpose I have defined for the data processing? As a second step, check your transfer tool. So there are some transfer tools mentioned in GDPR, like binding corporate rules, standard contractual clauses and adequacy decisions. So check: what is your instrument, your tool?
And then, as a third step, if you come to the conclusion that, taking into account the instrument you use, the protection level is not equivalent to protection under GDPR, then actually you must implement additional measures, supplementary measures, to bring the data transfer to the same protection level. Next slide. And, well, among these measures, several types of measures can be adopted. So for us, for legal guys, it's typically contractual, but we really see that contractual is not sufficient, because it's really not binding on the, yeah,
US surveillance law. So it's important, but it's not sufficient. So it should often be combined with technical and organizational measures. And it always depends on what is already in the instrument that you use for transferring the data and what is needed to fill the gap to come to the same protection level as under GDPR. So it's a quite individual analysis, transfer per transfer, data category per data category. And that's also what makes it so much less scalable, so difficult for many companies today. So the first measure was contractual.
This is typically: you can adapt, amend the data protection agreement you have already in place and just put in these clauses what you also define as technical measures. Because often you implement technical measures, but you just don't say it. So one strategy is to just put it in the clauses and say that there will be, I dunno, such-and-such encryption standards implemented, no back doors.
And that you just define also in the contract which are the technical clauses or technical measures you have taken. Transparency obligations can also be to say to the data importer: help me to understand what's the protection level in your country. What are the rules applicable? And show me how often you have data handover requests, because this will allow me as data exporter to better understand what's the protection level in your country.
And then you can also have obligations for specific actions. That can be like a notification obligation, that you must be notified once there is a data handover request, so that you actually can take action, also as data subject; that, for instance, the data importer is not allowed to disclose the data until a certain point, when it's really mandatory according also to the procedural rules of the request order. And empowering, well, depends on how mandatory the data handover request is.
In some cases there's not much space for the exercise of rights for the data exporter, but in some cases, however, you can claim, you can lodge a file, you can even claim damages. And all these combined, you should just put in the contract and work on amending the contract together with your partner. But as I said, it's not sufficient, and here is where technical measures come into place.
And yeah, Swan will tell you a bit more on what can be done on a technical level to come to the same protection level as under GDPR. Yeah. Thank you very much. Great.
So as you have seen, this is one step where you have really to cooperate with your legal department, or you as security and privacy team have to work together, because now it's not sufficient to just put some contractual clauses and to do some organizational stuff. Now you really need something technical. And yeah, as all of you know, it really depends what kind of security measure makes sense for which case. So you cannot just say I'm using firewalls, I'm using encryption. It really depends what you want to do.
And that's why it's very important that in the first step you have identified all the data streams that are sent to a country where you have to put this additional measure in place. So let's assume we have identified something that is transferred to the US because we use some US providers. There might be some people that are doing that. So then we have to think about the different cases. So one of the easiest cases: we are doing data storage. That's easy. For example, you store your backup at, I don't know, one of the big providers.
So, what you have to consider is that you have to make sure that it's never possible for someone from the foreign government, for example, to take the example from before, it's the US, and there might be the US government wanting to access your backup. I don't know why, but maybe they want to access it. And then you have to make sure that it's not possible. So what can you do? Are there any technical measures to prohibit them?
So yes, this part is very easy: of course, this is encryption. So we choose to encrypt it with state of the art. We encrypt it in a way that it's not possible for the authorities there to get your access key. But what you have to consider is: even if you store the data in Europe, on European servers, that doesn't mean that your data is safe. It just means that it is there. And it could be accessed by the government if this server belongs to a company which has, for example, its headquarters in the US.
So even then you need some additional measures, and here it would be data encryption. And the easiest case is: if you do a backup, you just encrypt it on your own premises, you leave the key there, or you store it at a European provider, that's also possible. And then you upload the data and that's fine.
So, but we are not only using cloud service providers for backup, right? So there are more things that you can do, as all of you know. For example, you have a database and there are these nice features like key management services. And we are all trying to use them because they're very scalable. But what you have to consider is that then the cloud service provider may have access to your key. So even if it's encrypted, if there's that possibility, it's still not sufficient, so you have to implement additional stuff on top.
So that means, for example, using something called bring-your-own-key services, where you have an HSM that is securing the key. And in the end, you have to make sure that your master key is stored somewhere else, where the cloud service provider is not able to access it. So this can be your premises. This can also be an HSM at a European provider. There are several possibilities, but this is what you have to consider. So maybe a more complicated example.
So what if you want to process data and you want to do some big data analytics, you want to do some calculations, and you want to use a service from a provider that is, take the example again, in the US? So is there any possibility, one effective measure, that allows you still to use these services? This example is a bit more tricky, but of course it's possible, because you have the possibility to anonymize the data.
If you don't have to map it back to an individual, this way it's still possible to use the services, but you have to make sure that you anonymize it before you transfer it. So if you do the anonymization on your premises or at a European cloud provider, it's fine.
You can go that way and you can still use the services for big data and analytics. So that's good. And one step more, to make it a bit more complicated.
What can you do if there is PII linkage necessary? So you have some data where there's PII included. You want to do some analytics. You want to process that data. You want to use a US service provider for that. What can you do? Are there any technical measures that are allowed?
And yes, there are, but now it's getting more complicated. What you can use now is pseudonymization. I think you all have heard about it. It makes sense if you think twice; it makes sense because you only transfer the part which doesn't allow mapping it to some individual. Or if you take this example here: you have the guy here, he's called Alexei, and you have some personal data of him. You just divide it, and you put all the stuff like his name and his last name, you put it somewhere else.
And you only transfer the data that is not identifiable. And this way you are able to still use the services. But what you have to do, to make sure that you are getting the data back to the right person, you have to do some mapping. And for that mapping you can use a mapping table within your own premises, of course that's always possible, or you use again an EU provider. So this is much more complicated, as you can see, but it allows you still to be able to use all the services that are provided by US providers, which is a great thing.
But if you are not using it now, it'll take a lot of effort to get to this point, I guess. So now we have one interesting point. So what do you think if there's data processing where you have to process PII? So just assume an example: you want to send emails, so that's easy, but you are using a US provider for that.
You just hand over the data. So there's some text and there's, of course, some recipient address. So the recipient address, the email address, this is of course personal data. And what do you think, is there any technical measure to do that? So it's really hard. And if we consider it from the big picture, there's no technical measure for that. That means if you are using, for example, a mail provider or an SMS provider or whatever, where PII has to be processed,
now, if you want to be compliant with Schrems II, there's no possibility at all. If you take it from the big picture, maybe you find some nice ideas how to do that, but it's getting really complicated. So at first glance it's just not possible. You have to switch to a European provider, and this is where it hurts, but this is where you have to check twice. Maybe there also the providers are aware of that, so they are trying to find some real nice solutions to still make some business in Europe. But you have to think twice. And in the end, maybe it's easier to switch to a European provider.
Yeah. As I said, there are more complex cases you have to deal with. Maybe there's no black and white, right? So there are possibilities. And what you have to do is, of course, like always: do your risk analysis, check your contractual and organizational measures, and then do a case-by-case analysis. And then you will maybe find a solution for it, but you have to consider that there might be the possibility to switch. Thanks. Thanks a lot. This was very quick, but we only had these few minutes, but I hope it helped you.
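As an added illustration of the pseudonymization split described in the talk (example code, not from the presentation or from KuppingerCole), the block below keeps the identifying fields of each record in an on-premises mapping table keyed by a random token, sends only the non-identifying part, checks before transfer that nothing identifying leaks, and re-links the provider's results afterwards. The field names, the sample records and the stand-in "provider result" are constructed for this example.

```python
import secrets

# Assumption for this example: which fields identify a person and must never leave the premises.
IDENTIFYING_FIELDS = {"first_name", "last_name", "email"}

# Constructed sample records, modelled on the talk's "Alexei" example.
SAMPLE_RECORDS = [
    {"first_name": "Alexei", "last_name": "Example", "email": "alexei@example.invalid",
     "age_band": "30-39", "region": "Berlin", "orders": 7},
    {"first_name": "Maria", "last_name": "Sample", "email": "maria@example.invalid",
     "age_band": "40-49", "region": "Hamburg", "orders": 2},
]


def pseudonymize(records):
    """Split records into an on-premises mapping table and an outbound (non-identifying) set.
    The token is random rather than derived from the PII, so the importer cannot reverse it;
    only the mapping table, which stays on-premises, links a token back to a person."""
    mapping, outbound = {}, []
    for rec in records:
        token = secrets.token_hex(16)
        mapping[token] = {k: v for k, v in rec.items() if k in IDENTIFYING_FIELDS}
        outbound.append({"token": token, **{k: v for k, v in rec.items()
                                            if k not in IDENTIFYING_FIELDS}})
    return mapping, outbound


def leaks_identifiers(outbound):
    """Pre-transfer gate: True if any outbound record still carries an identifying field."""
    return any(IDENTIFYING_FIELDS & set(rec) for rec in outbound)


def relink(mapping, results):
    """Join provider results (keyed only by token) back to the person, on-premises.
    An unknown token is an error, never silently dropped or guessed."""
    joined = []
    for res in results:
        ident = mapping.get(res["token"])
        if ident is None:
            raise KeyError("provider returned a token that is not in the mapping table")
        joined.append({**ident, **{k: v for k, v in res.items() if k != "token"}})
    return joined


def run_example():
    mapping, outbound = pseudonymize(SAMPLE_RECORDS)
    if leaks_identifiers(outbound):
        raise ValueError("refusing transfer: identifying data in outbound set")
    # Constructed stand-in for the US provider's analytics output: one score per token.
    results = [{"token": r["token"], "score": round(100 / (1 + r["orders"]), 1)} for r in outbound]
    return relink(mapping, results)
```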