Balancing Compliance With US CLOUD Act and GDPR

In 2016, I wrote this blog on Lack of Trust in Big Brother. Since then, the U.S. Government created the Clarifying Overseas Use of Data Act (CLOUD Act), which introduces direct conflicts with the EU’s General Data Protection Regulation (GDPR). While enterprise migration to the cloud has progressed quite extensively over the past five years, many companies continue to wrestle with how to maintain compliance with these potentially conflicting laws. Fortunately, improvements in key management to support Bring Your Own Key (BYOK) services can mitigate those conflicts for easy and compliant cloud migration.

The GDPR is a legal framework established in 2016. It sets guidelines for data protection and privacy in the European Union (EU). One of the key tenets of the GDPR is that service providers which store personal data of EU individuals must not export that data from the EU or turn it over to any third parties outside the EU. In 2018, the US enacted the CLOUD Act, which requires US service providers to turn over requested data stored on their systems regardless of whether the data are stored in the U.S. or on foreign soil. As a result, a company storing personal information in EU-based storage infrastructure could be forced to choose between breaking US law by defying a subpoena and breaking EU law by turning over GDPR-protected data.

These potentially conflicting laws create challenges for service providers and for the businesses that store data using these services. One solution for enterprises storing data in the cloud is to use a Bring Your Own Key (BYOK) model rather than subscribe to encryption services from their Cloud Service Provider (CSP). With a BYOK model, the enterprise controls the encryption keys used to read and process the encrypted data stored in the cloud. The CSP providing the storage service cannot decrypt the client’s data, even if legally compelled to turn the data over.

Since the data cannot be converted into consumable plaintext without the associated encryption key, the privacy of the personal information and compliance with GDPR mandates can be maintained. However, BYOK can be difficult to implement and manage for many enterprises. They would prefer to subscribe to a hosted BYOK service, just not one from their CSP.
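To make the BYOK property concrete, here is an added example in Go (not the post's own code, and not the API of any particular CSP or KMaaS product) of client-side envelope encryption: each record is encrypted under a fresh data encryption key (DEK), and that DEK is wrapped under a customer-held key encryption key (KEK) that is never sent to the CSP. The CSP stores only ciphertexts, so handing them over yields nothing readable. The example assumes that encryption and decryption run outside the CSP's control, which is the premise of BYOK; if a customer decrypts inside CSP-hosted compute, plaintext exists in that provider's memory and the guarantee is weaker. The names StoredObject, NewKEK, Encrypt and Decrypt, and the sample record and object label, are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is everything the CSP holds for one record: the record sealed
// under a per-object DEK, and that DEK sealed under the customer's KEK.
// Without the KEK both parts are opaque to the CSP.
type StoredObject struct {
	Nonce      []byte
	Ciphertext []byte
	WrapNonce  []byte
	WrappedDEK []byte
}

// NewKEK generates the customer-held root key. In a BYOK deployment this is
// produced and stored outside the CSP (on-premises HSM or a KMaaS provider).
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32) // AES-256
	_, err := rand.Read(kek)
	return kek, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext under key with a fresh random nonce.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, nonce, aad or ciphertext differ.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt runs on the customer side. label (e.g. the object name) is bound as
// associated data so a ciphertext cannot be silently moved onto another record.
func Encrypt(kek, record, label []byte) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredObject{}, err
	}
	nonce, ct, err := seal(dek, record, label)
	if err != nil {
		return StoredObject{}, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, label)
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{nonce, ct, wrapNonce, wrapped}, nil
}

// Decrypt also runs on the customer side. A party holding only the
// StoredObject (the CSP, or whoever it is compelled to hand it to) has no KEK,
// so the unwrap step fails authentication and no plaintext is produced.
func Decrypt(kek []byte, obj StoredObject, label []byte) ([]byte, error) {
	dek, err := open(kek, obj.WrapNonce, obj.WrappedDEK, label)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: KEK missing or wrong")
	}
	return open(dek, obj.Nonce, obj.Ciphertext, label)
}

func main() {
	kek, err := NewKEK()
	if err != nil {
		panic(err)
	}
	label := []byte("customer-records/eu/0001")                  // constructed object name
	obj, err := Encrypt(kek, []byte("Jane Doe, Berlin"), label) // constructed record
	if err != nil {
		panic(err)
	}
	// What the CSP stores and could be compelled to hand over:
	fmt.Printf("stored:      %x (wrapped DEK %x)\n", obj.Ciphertext, obj.WrappedDEK)
	// The customer, holding the KEK, recovers the record.
	pt, err := Decrypt(kek, obj, label)
	fmt.Printf("customer:    %q err=%v\n", pt, err)
	// Anyone without the KEK (here: a different random key) gets only an error.
	other, _ := NewKEK()
	_, err = Decrypt(other, obj, label)
	fmt.Println("without KEK:", err)
}
```

The per-object DEK is what makes key rotation and deletion practical: rotating the KEK only requires re-wrapping the small DEKs, and destroying the KEK renders every stored object unrecoverable without touching the CSP's copies.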

Secure Multiparty Computation (MPC) is a cryptographic technique for generating, using, and protecting secrets such as encryption keys. Because MPC can be implemented in software running on generic cloud servers, it is an ideal tool for providing BYOK and other Key Management as a Service (KMaaS) offerings. Third-party service providers can easily offer these services to enterprise clients for use across multiple CSPs in any jurisdiction. Doing so provides a technical solution that achieves compliance even in the presence of conflicting laws, with the added benefit of a common, easy-to-use BYOK solution across multiple clouds. For more information on KMaaS and BYOK, or on service providers offering these services, visit Sepior Threshold Key Management.
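Threshold key management rests on the idea that no single party, neither the CSP nor any one KMaaS node, ever holds the whole key. The added Go example below (not Sepior's code, and not full MPC, which computes with key shares without ever reassembling them) uses Shamir secret sharing over the prime field 2^521 - 1 as a simplified illustration of that idea: a 32-byte KEK is split into three shares with a threshold of two, any two shares rebuild it, and a single share is statistically unrelated to it. Split, Combine and Share are this example's own names, and the key bytes are constructed.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Field prime 2^521 - 1 (a Mersenne prime): large enough to hold a 256-bit key.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one party's piece of the key: the polynomial evaluated at X.
type Share struct {
	X int
	Y *big.Int
}

// Split turns a secret (e.g. a KEK) into n shares, any t of which rebuild it.
// The secret is the constant term of a random degree t-1 polynomial.
func Split(secret []byte, t, n int) ([]Share, error) {
	if t < 2 || n < t {
		return nil, errors.New("need 2 <= t <= n")
	}
	s := new(big.Int).SetBytes(secret)
	if s.Cmp(prime) >= 0 {
		return nil, errors.New("secret too large for the field")
	}
	coeffs := make([]*big.Int, t)
	coeffs[0] = s
	for i := 1; i < t; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs[i] = c
	}
	shares := make([]Share, n)
	for i := 1; i <= n; i++ {
		x := big.NewInt(int64(i))
		y := new(big.Int)
		for j := t - 1; j >= 0; j-- { // Horner evaluation mod prime
			y.Mul(y, x)
			y.Add(y, coeffs[j])
			y.Mod(y, prime)
		}
		shares[i-1] = Share{X: i, Y: y}
	}
	return shares, nil
}

// Combine recovers f(0) by Lagrange interpolation. With fewer than t shares
// the result is just a random field element: no partial leak, no error signal.
func Combine(shares []Share, secretLen int) ([]byte, error) {
	seen := map[int]bool{}
	for _, s := range shares {
		if s.X < 1 || seen[s.X] {
			return nil, errors.New("share indices must be distinct and >= 1")
		}
		seen[s.X] = true
	}
	result := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		xi := big.NewInt(int64(si.X))
		for j, sj := range shares {
			if i == j {
				continue
			}
			xj := big.NewInt(int64(sj.X))
			num.Mul(num, new(big.Int).Neg(xj)) // (0 - xj)
			num.Mod(num, prime)
			den.Mul(den, new(big.Int).Sub(xi, xj))
			den.Mod(den, prime)
		}
		term := new(big.Int).Mul(si.Y, num)
		term.Mul(term, new(big.Int).ModInverse(den, prime))
		result.Add(result, term.Mod(term, prime))
		result.Mod(result, prime)
	}
	b := result.Bytes()
	if len(b) >= secretLen {
		return b, nil
	}
	out := make([]byte, secretLen) // left-pad so leading zero bytes survive
	copy(out[secretLen-len(b):], b)
	return out, nil
}

func main() {
	kek := make([]byte, 32) // constructed: a fresh random KEK
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	shares, err := Split(kek, 2, 3)
	if err != nil {
		panic(err)
	}
	two, _ := Combine(shares[1:], 32) // shares 2 and 3 suffice
	one, _ := Combine(shares[:1], 32) // share 1 alone reveals nothing
	fmt.Printf("kek:        %x\nfrom 2:     %x\nfrom 1:     %x\n", kek, two, one)
}
```

Placing the shares with operators in different jurisdictions is what makes the compliance argument hold: a legal demand served on any single operator, including the CSP, yields a share that is useless on its own, and the threshold can be set so that reconstruction requires parties on both sides of a conflicting legal obligation to cooperate.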

Photo by Sora Shimazaki from Pexels