Data Sensitivity in the International Data Governance and Security Landscape

As any organization tasked with storing and transmitting sensitive data knows, the associated compliance implications can be a minefield of complex rules, risks and expensive fines. This is true enough for organizations saving and sending sensitive data within the borders of their own country, but transferring data internationally presents an entirely new set of challenges. Differences in how governments define and class sensitive data as well as how they hold responsible the various parties involved in its storage and transmission have kept the topic of data security in the headlines for several years, and will undoubtedly long into the future.

Various initiatives, both domestic and international, have been put forth over the years to try and tackle this complex issue. The United States’ CLOUD Act, for example, enacted in 2018, gives federal law enforcement the power to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.

The Privacy Shield Framework, on the other hand, is an international initiative described on the official website as an “EU-U.S. and Swiss-U.S. framework designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.”

Privacy Shield has been a touchstone of the international data governance conversation after its recent rejection by the EU’s highest ruling body, the Court of Justice, this past July of 2020. The CJEU ruled that the framework favored US national security, public interest and law enforcement to the detriment of the third parties whose data was transferred to the US. As TechCrunch summarized succinctly in their coverage of the ruling in July, the Privacy Shield ruling “concerns the clash of two very different legal regimes related to people’s digital data: On the one hand US surveillance law and on the other European data protection and privacy.”

July’s Privacy Shield ruling is specifically aimed at restricting the practice of bulk outsourcing data from the EU to the US rather than governing data transfers deemed ‘necessary’. It could have far-reaching implications for well-known technology companies who store mass amounts of data pertaining to EU citizens on US servers. The CJEU did confirm that “the Standard Contractual Clauses remain a valid tool” and that transatlantic data flows “can continue based on the broad toolbox for international transfers provided by GDPR.”

While the fate of the Privacy Shield framework may be difficult to discern in light of this summer’s rulings, the value and sensitivity level of citizen data remains at the heart of the global debate. Thus, organizations are seeking data security technology and specifically cloud data security solutions that can eliminate the value of data itself to achieve absolute privacy, rather than relying on traditional encryption methods.

Microshard™ is one such technology, which eliminates data sensitivity by shredding data into pieces as small as single-digit bytes, mixing with false shards and distributing to multiple locations. For those organizations storing sensitive data, whether domestic or international in origin, effectively removing the value of that data through Microsharding is key to being able to ensure the absolute data privacy that more nations across the globe are demanding from technology companies.

Undoubtedly complex, the Privacy Shield and broader global data security conversations will continue to play out over the coming months and years. Those organizations that take proactive measures to devalue the data that they are tasked with storing now, though, will retain a distinct advantage in adhering to future global guidelines aimed at providing data privacy.