Unbreakable cryptographic systems requested, but technical requirements are missing
by Andrea Monti – initially published in Italian by IlSole24Ore-Norme e Tributi
On 24 August 2020, the data protection authority of Baden-Württemberg (one of the sixteen federal states of Germany) issued guidelines for the international transfer of personal data, which impose strict rules on interaction with third countries and in particular with the USA. The guidelines, which are only valid within the German state, became necessary following the “Schrems II” ruling issued on 16 July 2020 by which the European Court of Justice annulled the European Commission’s “privacy shield” which allowed the exchange of data with the USA.
According to the guidelines, since the “privacy shield” is no longer valid, the “standard clauses” prepared by the Commission will rarely meet the requirements imposed by the GDPR to protect the personal data of European citizens. Consequently, data controllers based in Baden-Württemberg or processing data of citizens belonging to Baden-Württemberg must take additional measures to guarantee real data security. Among the many possible measures, the guidelines explicitly prescribe the use of cryptographic systems that US intelligence cannot breach.
This requirement does not exhaust the list of new duties (and responsibilities) of the data controller. Nevertheless, it provides a criterion for assessing the type and effectiveness of the (not merely formal) measures to be taken by data controllers, DPOs and external data processors.
There are, however, some problematic aspects.
Beyond the fact that imposing such a clause on an American company would make it inapplicable (certainly in Italy it would be null and void, because it would be contrary to public order), there are technical and organisational issues that complicate the possibility of meeting this requirement.
Firstly, unlike the USA, which has adopted the Advanced Encryption Standard, the European Union does not have an official cryptographic algorithm. Therefore, data controllers have no regulatory and technical reference points to carry out the assessments required by Articles 25, 32 and 35 of the GDPR.
Secondly, and consequently, there is no way of knowing what the real ability of the US to “break” the cryptographic algorithms available on the market is.
Thirdly, an attack on data does not necessarily imply breaking a cryptographic system, as it can target other links in the security chain, up to and including the human factor.
Finally, even were all this feasible, the impact in terms of costs and restructuring of business processes would be hefty.
Overall, therefore, even if the German Data Protection Authority’s prescription is entirely consistent with the GDPR (and, in fact, also with the previous Directive 95/46), in practice it is challenging to apply.
Moreover, the guidelines create a misalignment with the other national data protection authorities, which have not yet issued their own guidelines, and make it even more complicated for European companies operating in transnational and international contexts to adapt their organisational processes to the multitude of “soft law” generated by the GDPR.