Storing Personal Data in the Cloud – Encryption as a Solution
As you all probably know, our product Boxcryptor is a German software solution. Many of our customers – especially German business customers – ask us about the privacy of their data in the cloud, especially when they use foreign cloud solutions such as Dropbox or Google Drive. The main question is: Does encrypted data still count as personal data? If yes, businesses have to be very careful when storing that data in the cloud. If no, they can store the encrypted data in the cloud without having to fear legal repercussions.
German privacy law is very strict. Therefore, businesses which use the cloud are right to inform themselves about this topic. But even if your country is less restrictive in the handling of personal data, this might be of interest to you. If you work for a company dealing with data of European citizens, this is relevant for you, too, since the General Data Protection Regulation (GDPR) affects not only European companies, but all companies that deal with personal data of European citizens. Therefore, we want to discuss this topic and provide our viewpoint on this issue.
What is the BDSG?
The “Bundesdatenschutzgesetz” (BDSG) is the German Federal Data Protection Act that regulates the handling of all personal data that is processed in information and communication systems. It applies to all public bodies and authorities, as well as to non-public bodies, such as companies, associations and individual persons (doctors, lawyers, architects, and so forth) that process or use personal data. It does not apply when the data is only processed for personal or family-related purposes. Shortly after the GDPR of the European Union came into effect, in May 2018, the German BDSG was updated (BDSG-neu) in order to meet the new data protection requirements of the GDPR.
What is Personal Data?
German law defines personal data as all data that contains information about individual personal circumstances, or information that makes a person identifiable. This includes information such as name, address, occupation and IP address, but also income, ownership, political opinions, religious and philosophical beliefs, or healthcare information. When a company stores a list of contact persons with their phone numbers or email addresses, this is personal data, and under German and European law it deserves special protection.
Why Can’t You Just Store Personal Data in the Cloud?
German businesses should only store sensitive data with companies outside the European Union when they have special protection, such as encryption, in place – and even this is a grey area. According to the European Commission, data protection is not strong enough in most countries outside the EU (Switzerland is one of the rare exceptions). The US is especially problematic because the Patriot Act allows extensive inspection of data by authorities, even without a court order. This matters because most companies that provide cloud solutions, such as Dropbox, Microsoft, or Google, have their data centers in the US.
The question remains whether the data of European citizens is sufficiently protected at US cloud providers. One solution could be to use cloud providers with data centers in Europe – ideally with data centers in Germany – instead.
The Privacy Shield was an attempt to align the level of data protection for US, European and Swiss companies with the high data protection requirements of the EU. But the protection of personal data of European citizens is not feasible with a framework like Privacy Shield because the legal regimes in the EU and the US are too different. This is why the European Court of Justice overturned the Privacy Shield agreement in 2020.
There are major differences, for example, in the jurisdiction of courts in the area of data protection. But the U.S. CLOUD Act is also a major problem, because this law allows U.S. federal authorities to access all data stored in a cloud. Particularly explosive: a court order is not necessary.
The CLOUD Act covers, on the one hand, data that is stored on servers located on US soil. On the other hand, it also covers data that is stored on servers belonging to a company whose headquarters are in the USA. With this broad scope, it is mainly the big cloud providers that are covered.
So what do you do if your preferred cloud service is located in the USA and you still want to store personal data there – or if storage of this data by employees, for example, cannot be ruled out in principle?
The Debate of Encryption as a Solution
Encryption can be the solution to your problem. Some argue that encrypted data no longer falls under the category of personal data. However, so far there is no case law on this question: no court has decided whether encrypted data is personal data or not. The GDPR is clearly in favor of encryption as a measure for protecting personal data. An organization with strong encryption in place, for example, does not have to inform the data subjects in case of a data breach. This is the case when the encryption used renders the personal data unintelligible to any unauthorized person.
The highest agency for data protection regulation in Bavaria (“Landesamt für Datenschutzaufsicht”) has concluded that encrypted data does not fall under the category of personal data anymore (Source only available in German), under the premise that the data is encrypted with state of the art, strong cryptographic methods.
But this definition raises the question of what exactly counts as a state-of-the-art, strong cryptographic method.
The most recent recommendation of ENISA – the highest European security agency – describes the Advanced Encryption Standard (AES) as secure in all key lengths. Boxcryptor uses AES-256, in combination with RSA algorithms and therefore provides one of the most secure, state of the art encryption techniques.
Encryption and the EU General Data Protection Regulation
The European General Data Protection Regulation (GDPR) – fully enforceable since May 2018 – lists encryption as a measure to ensure a “level of security appropriate to the risk” (GDPR, p. 51) for personal data. Find out more about the GDPR and the use of the cloud here.
There is a solution to the problem of how to store sensitive, personal data at (non-European) cloud providers: consistent, state-of-the-art encryption of the data before it is synchronized to the cloud. According to a number of legal experts, encrypted files do not fall into the category of personal data and therefore are not subject to the above-mentioned privacy laws. However, it is important to implement consistent end-to-end encryption with a zero-knowledge standard, as Boxcryptor offers. With zero knowledge, nobody but the user can decrypt the data. Therefore, it is securely protected from all sorts of prying eyes.
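The workflow described above (encrypt on the client with AES-256, wrap the key with RSA, and synchronize only the result) as an added illustration. This is example code written for this article, not Boxcryptor's own code, and it makes no claim about Boxcryptor's actual file format or key handling. The function names, the use of GCM mode and RSA-OAEP, the 2048-bit key size and the sample contact record are all assumptions of this example. It shows what the provider actually ends up holding (a blob with no plaintext and no usable key), that only the holder of the private key can recover the data, and that a blob modified in storage is rejected rather than silently decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// CloudBlob is everything that leaves the device and lands at the provider:
// the AES-256-GCM nonce and ciphertext of the file, plus the per-file key
// wrapped with the user's RSA public key. No plaintext and no usable key is
// in here, so the provider only ever holds unintelligible data.
type CloudBlob struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// NewUserKeyPair creates the user's RSA key pair. In a zero-knowledge design
// the private key is generated and kept on the user's device only; the
// provider sees at most the public key. (2048 bits is an assumption for this
// example, not a statement about any product.)
func NewUserKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptForCloud protects one file before synchronization: a fresh random
// 256-bit AES key is drawn per file, the content is sealed with AES-GCM (so
// any modification of the stored ciphertext is detected on decryption), and
// the file key is wrapped with RSA-OAEP under the user's public key.
func EncryptForCloud(pub *rsa.PublicKey, plaintext []byte) (*CloudBlob, error) {
	fileKey := make([]byte, 32) // AES-256 key
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &CloudBlob{Nonce: nonce, Ciphertext: ciphertext, WrappedKey: wrapped}, nil
}

// DecryptFromCloud reverses the process. It needs the RSA private key, which
// never left the user's device, so neither the provider nor anyone who obtains
// the stored blob from the provider can perform this step.
func DecryptFromCloud(priv *rsa.PrivateKey, blob *CloudBlob) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob.WrappedKey, nil)
	if err != nil {
		return nil, err // wrong private key: unwrapping the file key fails
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Open fails if the ciphertext or nonce was altered while in storage.
	return gcm.Open(nil, blob.Nonce, blob.Ciphertext, nil)
}

func main() {
	// Constructed sample record: the kind of contact data the article calls personal data.
	record := []byte("Name: Max Mustermann, Phone: +49 30 000000, Email: max@example.com")
	priv, err := NewUserKeyPair()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptForCloud(&priv.PublicKey, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored at provider: %d bytes ciphertext, %d bytes wrapped key, no plaintext\n",
		len(blob.Ciphertext), len(blob.WrappedKey))
	back, err := DecryptFromCloud(priv, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered on device: %s\n", back)
}
```

The per-file key is what makes the design practical: sharing a file with a colleague means wrapping that one file key with the colleague's public key as well, without re-encrypting the content, while the provider still never sees anything it could read.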
Note: This article describes our opinion about this topic. It is not legal advice, nor should it be used to skip legal advice. This information is supplied without liability. We do not vouch for correctness, completeness or currency of the article. Time of the provided information: 01/26/2016. Time of the update regarding the GDPR: 07/03/2019, Update regarding Privacy Shield: 07/03/2019.