‘Data residency’ is a relatively new term currently making the rounds in the global IT community: one that raises many questions and which should certainly be taken seriously in the specific context of data protection efforts on the part of the various countries and organizations. We have naturally examined the topic in some detail and can explain the background and the aspects that need to be considered in terms of cloud business.
While the Cybersecurity Law (CSL) of the People’s Republic of China entered into force a while back on 1 June 2017, many Data Protection Officers (DPO) at companies with global operations remain unsure as to what the repercussions of the CSL might be for their IT units. To understand the effects of the Chinese government’s CSL for an enterprise, we need to take a somewhat closer look at the actual provisions of the Law.
First and foremost, the CSL was adopted by the Chinese government to ensure the very highest level of security possible for data protection in the People’s Republic of China. Here, legislators in China have gone considerably further than the EU’s General Data Protection Regulation (GDPR), for example. In contrast to the GDPR, which explicitly envisages the processing of data outside the territory of the European Union, the Cybersecurity Law clearly stipulates that all data collected and processed in China must remain in the People’s Republic under all circumstances. While the government has the power to grant exceptions, this power is not expected to be exercised very frequently.
Draconian penalties can be levied for violations of the Cybersecurity Law
The Chinese government’s motivation here is very simple to understand: it is seeking an effective way to counter hacker attacks and cyberterrorism – and in doing so has adopted a law that is causing more than a few furrowed brows on the part of data protection officers. Not least because the maximum punishment for violations of the Cybersecurity Law involves the government deciding to revoke a company’s ‘Bei'An’ license. And this de facto means the end of the line for a company in China, since this license is a basic requirement for conducting business in the People’s Republic.
The CSL therefore gives rise to many questions – and especially from European companies – which are not quite so simple to answer. The most important question is probably “Who is actually affected by the CSL?” A closer look at the wording of the legislation is again helpful: the Law states that it applies to all companies involved in electronic business activities in China. This not only includes owners of online stores but also the providers of networks and critical information infrastructure – such as the operators of data centers for banks or medical facilities, etc. – and therefore all of the organizations and companies that collect, process, and store especially sensitive and business-critical data.
Cloud services in China are subject to very specific requirements
Another aspect of this unique scenario is the geographical distance between China and Europe and the correspondingly long latencies that result from this fact. And the ‘Great Firewall’ operated by the Chinese government also ensures that, in many cases, data simply never leave or never enter the People’s Republic. In both cases, many companies have operated for years on the basis of ‚content mirroring’, where content is hosted in redundant repositories on servers located in the Chinese territory. Often, these are cloud-based data servers that enable acceptable loading times and the circumvention of the Chinese firewall system. Yet by taking this approach, many companies now face a very special kind of dilemma due to the CSG, namely: how can the technical and data protection challenges be brought together under one roof?
The Swiss Federal Act on Data Protection: CSL ‘lite’
The Chinese government is not the only one to have taken legislative steps in the field of personal data. Lawmakers in Switzerland are now busy amending the 1992 Federal Act on Data Protection (FADP) to bring it up to date in light of recent changes. One of the most important of these changes is the European Commission’s GDPR, whose scope does not include Switzerland, however, as it is a non-EU country. Accordingly, the FADP will be harmonized with the GDPR in two phases, without neglecting the specific requirements of Switzerland itself. One such requirement is that the data controller’s business must be domiciled in Switzerland, for example. Another is that data must also be preferentially collected and processed in Switzerland. As a result, the FADP amendment, which enters into force in 2019 after a two-year transition period, represents a kind of CSL ‘lite’. Including all of the CSL’s restrictions and challenges when processing personal data – and especially those held in the cloud.
Cloud data encryption complies with strict data residency requirements
This is precisely the area where cloud data encryption has a decisive role to play. Not least because the one thing that legislation such as the Chinese government’s CSL or the Swiss FADP explicitly requires is the competent handling of personal and business-critical data, particularly where such data are held in cloud infrastructure. The reason for this could not be simpler: these data are relative simple to manipulate, since it is hard to be certain about what exactly the cloud service provider (CSP) can do with these data and whether the CSP has access to them.
However, this also makes it clear that a special kind of encryption is required that is able to render cloud-hosted data unreadable to the CSP. And this encryption technique must naturally encrypt the data BEFORE they are uploaded for storage on the cloud server. Lastly, this system must also ensure that only the data owner has access to the corresponding encryption keys. If this is the case, then only the data owner is able to access personal or business-critical data – and so fulfill a key criterion in the context of the strict data residency criteria set out by the CSL and FADP.
Handle data requirements on-the-fly with the eperi Gateway
To recap: an encryption technique is required that is capable of encrypting the data before they land on the cloud server. This system must also ensure that the plaintext data never leave the customer’s backend system, so as to comply with recent legislative changes such as the Chinese government’s Cybersecurity Law.
And the good news? All of this is possible: with the eperi Gateway and the solutions it can be used to implement eperi Cloud Data Protection, all of this can be achieved with very little effort: this is because an encryption platform is deployed that ensures that only the cloud customer is able to decrypt sensitive and personal data. Nor is that all: the eperi platform also makes sure that the data stays within a specified territorial area while simultaneously deploying sophisticated proxy techniques to allow the data to be processed outside this territory without violating any applicable legislation such as the Chinese Cybersecurity Law. This simple and straightforward approach means full compliance with data residency requirements is assured. In summary, this model encrypts sensitive data to ensure that they demonstrably remain within a prescribed jurisdiction and only ever leave this area as encrypted – and therefore illegible - data.
As countries start to tighten their data protection legislation – examples being the Chinese Cybersecurity Law or the Swiss Federal Act on Data Protection – data protection officers are facing entirely new challenges. With a suitable encryption platform such as the eperi Gateway, however, these problems can be solved very simply: the data remain unchanged in the country in which they were collected and with barriers to their wider dissemination in place. Companies are therefore assured of meeting both of these key duties: leaving data where they belong in terms of national law while ensuring optimal compliance with data protection regulations.
Recommended for You