FAQ: Cross-border data protection and compliance
Q: What is Schrems II?
A: Schrems II is a 2020 data privacy case heard by the European Union’s Court of Justice. The case was brought by Maximillian Schrems, an Austrian lawyer and privacy advocate, against Facebook’s data transfer practices under the EU’s General Data Protection Regulation (GDPR).
In a nutshell, Schrems II signaled that EU personal data was not sufficiently protected by the 2016 EU-US Privacy Shield from access by US intelligence agencies and national security laws. As a result of Schrems II, organizations are now required to make case-by-case assessments and supplement their data transfer tools when necessary.
Learn more about Schrems II compliance in our blog post here.
Q: How does microsharding fit Use Case 5 of Schrems II?
A: In response to the Schrems II ruling, the European Data Protection Board (EDPB) outlined five key use cases — a.k.a. five acceptable types of supplementary measures to protect personal data. One of these, Use Case 5, focuses on split or multi-party processing.
In general, companies will meet the requirements of Use Case 5 if they process personal data by splitting it into two or more parts, none of which can be interpreted or attributed to a specific data subject. Microsharding fits the criteria for Use Case 5 by doing just this.
Specifically, ShardSecure’s Microshard technology splits data and distributes it across multiple customer-owned storage locations so that unauthorized parties cannot reassemble or read it. Check out our GDPR white paper for more details on Use Case 5.
Q: What if I want to store my data in different locations for compliance?
A: You’re in luck. With Microshard technology, organizations can use the cloud storage providers of their choice, in the geographic locations and jurisdictions of their choice.
We make the number and location of your storage locations user-configurable, so microsharded data can be stored in different jurisdictions. Data can be distributed across different regions of a single cloud provider, across multiple cloud providers, or across a hybrid mix of on-premises storage and one or more cloud providers.
The result? Organizations can remain in charge of their own data while storing it where they like, mitigating data transfer risks, and addressing data sovereignty concerns.
Q: Besides the GDPR, what other cross-border data regulations are there?
A: There are quite a few. The United Nations Conference on Trade and Development notes that 137 out of 194 countries have some form of data privacy or data protection legislation. This includes regulations like:
- Brazil’s General Data Protection Law (LGPD)
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
- China’s Personal Information Protection Law (PIPL)
- Japan’s Act on the Protection of Personal Information (APPI)
- Russia’s Federal Law on Personal Data (No. 152-FZ)
- South Korea’s Personal Information Protection Act (PIPA)
Q: What are the consequences for noncompliance with cross-border data privacy laws?
A: The laws range in severity, but most include major penalties. The GDPR fines organizations up to $21.3 million, or up to 4% of the organization’s annual global turnover from the preceding financial year, whichever is greater. India’s Digital Personal Data Protection Act (still in draft form) would fine organizations over $60 million for violations, while South Korea’s PIPA issues penalties of over $79 million.
Q: Are cross-border data protection laws actually enforced?
A: Again, it depends on the exact legislation — but yes, many laws are strictly enforced. Some recent real-world fines include:
- $1.2 billion for Didi Global under China’s PIPL
- $50 million for Google under South Korea’s PIPA
- $239 million for WhatsApp under the EU’s GDPR
- $431 million for Instagram under the EU’s GDPR
- $795 million for Amazon under the EU’s GDPR
Q: How does microsharding provide strong cross-border data protection?
A: Microsharding helps satisfy cross-border data protection requirements by allowing companies to retain control of their own data. It does so by desensitizing data, shredding it into tiny microshards, and distributing those microshards across multiple storage locations. The result is that data can be stored anywhere and still be rendered completely useless and unintelligible to outside users.
Microsharded data cannot be reconstructed by anyone other than the original data owner. Our microsharding process adds user-configurable amounts of poison data and strips filenames, file extensions, and other identifying metadata, making unauthorized reassembly impossible.
Unlike encryption, microsharding does not rely on keys, so the issues of third-party key management that can arise in cross-border data protection are nonexistent. It is a strong technological safeguard that provides advanced data protection, wherever in the world your data may reside.
Q: Does this translate to cost savings?
A: Absolutely. When companies are free to store their data wherever they like, they can take advantage of cost savings with the cloud providers of their choice. Microsharding protects against third-party access, so organizations can use the most cost-effective storage options available to them without worrying about compliance.
Q: Microsharding helps with cost savings and GDPR compliance. What else does it do?
A: Quite a lot. Our Microshard technology was designed to provide advanced data security and resilience while keeping control in the hands of data owners. Microsharding can:
- Neutralize ransomware in the cloud, including the threat of double extortion.
- Provide strong data privacy for organizations in biotech, finance, and other industries where confidentiality is paramount.
- Offer unbeatable data resilience in the face of outages and attacks with self-healing data and high availability.
- Securely migrate cold data from on-premises storage to the cloud for cost savings.
- Provide file-level protection without the need to add resource-intensive encryption into applications.
- And more