Storing Personal Data in the Cloud – Encryption as a Solution
As you all probably know, our product Boxcryptor is a German software solution. Many of our customers – especially German business customers – ask us about the privacy of their data in the cloud, especially when they use foreign cloud solutions, such as Dropbox, or Google Drive. The main question is: Does encrypted data still count as personal data? If yes, businesses have to be very careful with storing that data in the cloud. If no, they can store the encrypted data in the cloud without having to fear legal repercussions.
German privacy law is very strict. Therefore, businesses which use the cloud are right to inform themselves about this topic. But even if your country is less restrictive with the handling of personal data, this might be of interest for you. If you work for a company dealing with data of European citizens, this is relevant for you, too, since the General Data Protection Regulation (GDPR) does not only affect European companies, but all companies that deal with personal data of European citizens. Therefore, we want to discuss this topic and provide our viewpoint on this issue.
What is the BDSG?
The “Bundesdatenschutzgesetz” (BDSG) is the German Federal data protection act that regulates the handling of all personal data that is processed in information- and communication systems. It applies to all public bodies and authorities, as well as to non-public agencies, such as companies, associations and individual persons (doctors, lawyers, architects, and so forth) that process, or use personal data. It does not apply when the data is only processed for personal or family-related purposes. Shortly after the GDPR of the European Union was coming into effect, in May 2018, the German BDSG was updated (BDSG-neu), in order to meet the new data protection requirements of the European directive.
What is Personal Data?
German law defines personal data as all data that contains information about individual personal facts, or information that makes a person identifiable. This includes information, such as name, address, occupation, IP address, but also income, ownership, political opinions, religious and philosophical beliefs, or healthcare information. When a company stores a list of contact persons with their phone numbers or email addresses, this is personal data. And under German and European law deserves special protection.
Why Can’t You Just Store Personal Data in the Cloud?
German businesses should only store sensitive data at companies outside the European Union, when they have special protection, such as encryption, in place – and even this is a grey area. According to the European Commission, data protection is not strong enough in most countries outside the EU (Switzerland is one of the rare exceptions). The US are especially problematic because the Patriot Act allows extensive inspection of data by authorities, even without a court order. This is problematic since most companies that provide cloud solutions, such as Dropbox, Microsoft, or Google, have their data centers in the US.
The question prevails, whether data of European citizens is protected sufficiently strong at US cloud providers. One solution could be to use cloud providers with data centers in Europe – ideally with data centers in Germany – instead.
The European Union seeks to find a solution for the mismatch in data protection regulations globally. An attempt to adapt the level of data protection requirements for American (US), European and Swiss companies, to the high level of data protection requirements of the EU is the Privacy Shield agreement. But the desired protection of personal data, belonging to European citizens seems not achievable with a framework like Privacy Shield. Even worse, the US administration under Donald Trump drafted a law explicitly allowing federal US agencies to access any data stored on a server, located on US soil, without the need for a court order (CLOUD Act).
But what can you do, if your preferred cloud provider is a US company and you want to store personal data there?
The Debate of Encryption as a Solution
Encryption can be the solution to your problem. Some argue that encrypted data does not fall under the category of personal data anymore. However, by now there is no case-law for this problem. So far, no court decided whether encrypted data is personal or not. The GDPR is clearly in favor of encryption, as a measure for protecting personal data. An organization with a strong encryption in place, for example, does not have to inform the data subjects in case of a data breach. This is the case when the encryption used renders the personal data unintelligible to any unauthorized person.
The highest agency for data protection regulation in Bavaria (“Landesamt für Datenschutzaufsicht”) has concluded that encrypted data does not fall under the category of personal data anymore (Source only available in German), under the premise that the data is encrypted with state of the art, strong cryptographic methods. But this definition raises the question what exactly is considered as a state of the art, strong cryptographic method?
The most recent recommendation of ENISA – the highest European security agency – describes the Advanced Encryption Standard (AES) as secure in all key lengths. Boxcryptor uses AES-256, in combination with RSA algorithms and therefore provides one of the most secure, state of the art encryption techniques.
Encryption and the EU General Data Protection Regulation
The European General Data Protection Regulation (GDPR) – fully enforceable since May 2018 – lists encryption as a measure to ensure a “level of security appropriate to the risk” (GDPR, p. 51) for personal data. Find out more about the GDPR and the use of the cloud here.
There is a solution to the problem of how to store sensitive, personal data at (non-European) cloud providers: consistent, state of the art encryption of the data, before it is synchronized to the cloud. According to a number of law experts, encrypted files do not fall into the category of personal data, and therefore, are not subject to the above-mentioned privacy laws. However, it is important to implement consistent end-to-end encryption with zero knowledge standard, like Boxcryptor is offering. With zero knowledge, nobody but the user can decrypt the data. Therefore, it is securely protected from all sorts of prying eyes.
Note: This article describes our opinion about this topic. It is not legal advice, nor should it be used to skip legal advice. This information is supplied without liability. We do not vouch for correctness, completeness or currency of the article. Time of the provided information: 01/26/2016. Time of the update regarding the GDPR: 07/03/2019, Update regarding Privacy Shield: 07/03/2019.
Take action now and protect your data with Boxcryptor
Boxcryptor encrypts your data client-side, before it is synchronized to the cloud. We help you make sure that nobody but you can access your data. Due to our zero knowledge approach, we never know your password. Therefore, there is no way that we could access your data.