Storing Personal Data in the Cloud – Encryption as a Solution
As you all probably know, our product Boxcryptor is a German software solution. Many of our customers – especially German business customers – ask us about the privacy of their data in the cloud, especially when they use foreign cloud solutions such as Dropbox or Google Drive. The main question is: Does encrypted data still count as personal data? If yes, businesses have to be very careful with storing that data in the cloud. If no, they can store the encrypted data in the cloud without having to fear legal repercussions.
German privacy law is very strict. Therefore, businesses which use the cloud are right to inform themselves about this topic. But even if your country is less restrictive with the handling of personal data, this might be of interest to you. If you work for a company dealing with data of European citizens, this is relevant for you, too, since the new General Data Protection Regulation affects not only European companies, but all companies that deal with personal data of European citizens. Therefore, we want to discuss this topic and provide our viewpoint on this issue.
What is the BDSG?
The “Bundesdatenschutzgesetz” (BDSG) is the German Federal Data Protection Act, which regulates the handling of all personal data that is processed in information and communication systems. It applies to all public bodies and authorities, as well as to non-public agencies, such as companies, associations and individual persons (doctors, lawyers, architects, and so forth) that process or use personal data. It does not apply when the data is only processed for personal or family-related purposes.
What is Personal Data?
German law defines personal data as all data that contains information about personal facts that identify a person or make the person identifiable. This includes information such as name, address, occupation and IP address, but also income, ownership, political opinions, religious and philosophical beliefs, or health information. When a company stores a list of contact persons with their phone numbers or email addresses, it is personal data, and under German and European law it deserves special protection.
Why Can’t You Just Store Personal Data in the Cloud?
German businesses can only store sensitive data at companies outside the European Union with special protection, such as encryption, and even this is a grey area. According to the European Commission, data protection is not strong enough in most countries outside the EU (Switzerland is one of the rare exceptions). The US is especially problematic because the Patriot Act allows extensive inspection of data by authorities, even without a court order. Most companies that provide cloud solutions, such as Dropbox, Microsoft, or Google, have their data centers in the US.
In fact, many US companies promise to uphold European data protection standards. Therefore, they were able to declare themselves a ‘safe harbor’ for European data. But the European Court of Justice recently declared the Safe Harbor principle, under which those cases fell, invalid. The successor of Safe Harbor, Privacy Shield, has by now been passed, but it has some flaws as well. The question remains whether data of European citizens is protected sufficiently at US cloud providers. One solution is to use cloud providers with data centers in Europe – ideally with data centers in Germany – instead.
Update: By now, many US companies, Microsoft for example, have joined Privacy Shield and therefore agreed to a higher privacy standard. However, there are still doubts whether the data is protected as well as it should be.
But what can you do if your preferred cloud provider is a US company and you want to store personal data there anyway?
The Debate of Encryption as a Solution
Encryption can be the solution to your problem. One can argue that encrypted data does not fall under the category of personal data anymore. However, there is no case law on this question yet: so far, no court has decided whether encrypted data is personal or not. There are, however, significant statements by law officials, authorities, and agencies that support both sides of the argument.
The highest agency for data protection regulation in Bavaria (“Landesamt für Datenschutzaufsicht”) holds the view that encrypted data does not fall under the category of personal data anymore (Source only available in German), under the premise that the data is encrypted with state of the art, strong cryptographic methods.
But the question remains: what exactly counts as a state-of-the-art, strong cryptographic method?
The most recent recommendation of ENISA – the highest European security agency – describes the Advanced Encryption Standard (AES) as secure in all key lengths. Boxcryptor uses AES-256 in combination with RSA and therefore provides one of the most secure, state of the art encryption techniques.
Update: Encryption and the new EU General Data Protection Regulation
The new European General Data Protection Regulation (GDPR) – it became effective in April 2016 – lists encryption as a measure to ensure a “level of security appropriate to the risk” (GDPR, p. 51) for personal data. Find out more about the GDPR and the use of the Cloud here.
There is a solution to the problem of how to store sensitive, personal data at (foreign) cloud providers: consistent, state-of-the-art encryption of the data before it is synchronized to the cloud. According to a number of law experts, encrypted files do not fall into the category of personal data, and therefore do not fall under the above-mentioned privacy laws. However, it is important to implement consistent end-to-end encryption on a zero-knowledge basis, such as Boxcryptor offers. With zero knowledge, nobody but the user can decrypt the data. Therefore, it is protected perfectly from all sorts of prying eyes.
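What "AES-256 in combination with RSA" and "encrypt before it is synchronized" can look like in practice, as an added example using Node.js's built-in crypto module. It is not Boxcryptor's code or file format; the function names, the choice of GCM and OAEP, the 2048-bit key size and the sample record are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed sample record (not real data).
const SAMPLE_RECORD = Buffer.from('Jane Doe;jane.doe@example.com;+49 000 0000000');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Generated on the user's device; the private key is never uploaded.
function generateUserKeyPair() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Runs locally. The returned object is everything the cloud provider receives.
function encryptForUpload(plaintext, publicKey) {
  const fileKey = crypto.randomBytes(32); // fresh AES-256 key per file
  const iv = crypto.randomBytes(12);      // 96-bit GCM nonce, never reused with a key
  const cipher = crypto.createCipheriv('aes-256-gcm', fileKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const tag = cipher.getAuthTag();
  // Wrap the file key with RSA so only the private-key holder can recover it.
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, fileKey);
  return { wrappedKey, iv, tag, ciphertext };
}

// Runs locally after download; throws if the key is wrong or the blob was altered.
function decryptAfterDownload(blob, privateKey) {
  const fileKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, blob.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', fileKey, blob.iv);
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]);
}

function demo() {
  const { publicKey, privateKey } = generateUserKeyPair();
  const blob = encryptForUpload(SAMPLE_RECORD, publicKey);
  const restored = decryptAfterDownload(blob, privateKey).toString();
  // Simulate modification in storage: flip one bit of the ciphertext.
  const tampered = { ...blob, ciphertext: Buffer.from(blob.ciphertext) };
  tampered.ciphertext[0] ^= 1;
  let tamperDetected = false;
  try { decryptAfterDownload(tampered, privateKey); } catch (e) { tamperDetected = true; }
  const providerSeesPlaintext = blob.ciphertext.includes('jane.doe');
  return { restored, providerSeesPlaintext, tamperDetected };
}
```

Whether the zero-knowledge property holds depends on how the private key is stored and protected on the user's device, which is outside this example.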
Note: This article describes our opinion about this topic. It is not legal advice, nor should it be used to skip legal advice. This information is supplied without liability. We do not vouch for correctness, completeness or currency of the article. Time of the provided information: 01/26/2016. Time of the update regarding the GDPR: 07/19/2016, Update about Privacy Shield: 08/20/2016.
Take action now and protect your data with Boxcryptor
Boxcryptor encrypts your data client-side, before it is synchronized to the cloud. We help you make sure that nobody but you can access your data. Due to our zero knowledge approach, we never know your password. Therefore, there is no way that we could access your data.