We will discuss the Evolving International Privacy Regulations. Cross Border Data Transfer for GDPR under Schrems II is now ruled by an EU court that defined what is required. This ruling can be far reaching for many businesses.
5. 5
What is Privacy?
Privacy
/ˈprīvəsē/
Definedin Generally AcceptedPrivacyPrinciples (GAPP)as
“therightsandobligationsofindividualsandorganizationswithrespect tothecollection, use, retention,disclosure, and disposal of
personal information.”
16. 16
PrivacyRegulations
Sweden, TheDataAct, a nationaldataprotectionlaw wentinto effectin
1974
India is passinga comprehensivedataprotectionbill that
includeGDPR-likerequirements
Finland's Data ProtectionAct
Japanimplementschangesto domesticlegislationto strengthen
privacy protectionin thecountry
Brazil passinga comprehensivedataprotectionregulation
similarto GDPR
1970, Germany passedthe firstnationaldataprotection
law, firstdataprotectionlaw in the world
TheNew York PrivacyAct wasintroducedin 2019
Source:Forrester
CCPA'simpact is expectedto beglobal
(12+ %), given California'sstatusasthe
fifth largestglobal economy
GDPR'simpactis expectedtobeglobal
19. 19
How Many Privacy Laws Are You Complying With?
Source:IAPP
GeneralDataProtectionRegulation(EU) 2016/679(GDPR)isaregulationin EU lawondataprotectionandprivacyintheEuropeanUnion(EU)
andtheEuropeanEconomic Area(EEA). ItalsoaddressesthetransferofpersonaldataoutsidetheEU and EEA areas.
CaliforniaConsumerPrivacyAct ( CCPA)isabill thatenhancesprivacyrightsandconsumerprotectionforresidents
ofCalifornia,UnitedStates.
By Region
22. 22
Failureto Comply . . .
What are the Consequences ?
• Companies liable fora fine ofup tofourper cent (4%) oftheir global turnover with a maximum fine of~$25Million USD. This is for non-compliance with no
data breach!
• The principles ofprotection should apply toany information concerning an identified or identifiable person.
• To determine whether a person is identifiable, account should betaken of allthe means likely reasonably to beused either by the controller orby any
other person toidentify the individual.
• Theprinciples of dataprotection should notapplytodata rendered anonymous in such a way that the datasubject is no longer identifiable.
Why What How
23. 23
GDPR — Data ProtectionPrinciples(Article5)
• Personal data shall beprocessed lawfully, fairly and in a transparent mannerinrelation to the data subject
• Collected for specified, explicit and legitimate purposes only
• Adequate, relevant and limited to what is necessary in relation to thepurposes for which theyareprocessed (‘data minimization’)
• Accurateand, wherenecessary, kept up to date, erased or rectified without delay
• Kept ina form whichpermits identification of data subjects for nolonger than is necessary for thepurposes for which the personal data
are processed
• Processed in a mannerthat ensures appropriate security of the personal data
88Pages(99Articles) of Detailed DataProtectionRequirements
24. 24
GDPR under "SchremsII"
• No transfer of data but nevertheless a riskof access by U.S. authorities because the EU-basedprocessor is a subsidiaryof a U.S. company.
• Thehosting of health data by a company bound byU.S. law was incompatible with theGDPR under"SchremsII"and violated the provisions of the
GDPR, due on the one hand, to the possibility of a transfer to the U.S. of the data collected by Doctolib throughits processor, and on the other
hand,even in theabsence of data transfer, to the risk of access requests by U.S. authorities to the processor, AWS.
• Thecourtnoted for the purposes of hosting its data, Doctolib uses the services of the Luxemburg companyAWSSarl, the data is hosted in data
centers located in France and in Germany, and the contract concluded between Doctolib and AWSSarl does not provide for the transfer of
datato the U.S.
• However, because it is a subsidiary of a companyunderU.S. law, the court considered AWS Sarl inLuxemburg maybe subject to access requests
byU.S.authorities in the frameworkof U.S. monitoringprograms based on Article702of the Foreign IntelligenceSurveillanceAct or Executive
Order 12333.
• Conseil considered that the level of protection offered was sufficient due to the manysafeguards
https://iapp.org/news/a/why-this-french-court-decision-has-far-reaching-consequences-for-many-businesses/
25. 25
GDPR under "SchremsII"
Conseil considered that the level of protection offered was sufficient due to the manysafeguards inplace, which are thefollowing.
Legal safeguards:
• Thejudgenoted the contract concluded between Doctolib and AWSSarl provides for a specific procedure in theevent of an access request by a foreign
authority; notably, AWS Sarl guarantees in its contract with Doctolib that it will challenge anygeneral access request from a public authority.
Technicalsafeguards:
• Thejudgealso noted technically the data hosted by AWS Sarl is encrypted and the keyis held by a trusted third party in France,not by AWS, to prevent data
from being read by third parties.
Other guaranteestaken:
• No health data: Thecourt also took into accountthat contraryto what was alleged by the plaintiffs, data transmitted to Doctolib within the frameworkof
the vaccination campaign does not concerninformation onthe reason whytheperson is eligible in priority for vaccination becauseof a specific pathology.
Thedata hosted relates only to the identification of individuals for the purpose of makingappointments.
• Data is deleted after threemonths
https://iapp.org/news/a/why-this-french-court-decision-has-far-reaching-consequences-for-many-businesses/
27. 27
Organizations needs to look at how the datawas captured,whois accountable for it, where it islocated and who has
access.
Data Flow MappingUnder GDPR
• If there is not already a documented workflow in place in yourorganization,it can be worthwhile for a team tobe sent out toidentify how the data
is being gathered.
• This willenable you tosee how your data flow is different from reality and what needs tobedone
Source:BigID
33. 33
The CCPA Effect
California Privacy Rights Act (CPRA)
1. On November 3, 2020, Californians voted to approve Proposition 24, a ballot measure
that creates the California Privacy Rights Act (CPRA).
2. The CPRA amends and expands the California Consumer Privacy Act (CCPA).
3. Most of the CPRA’s substantive provisions will not take effect until January 1, 2023,
providing covered businesses with two years of valuable ramp-up time.
4. Notably, however, the CPRA’s expansion of the “Right to Know” impacts personal
information (PI) collected during the ramp-up period, on or after January 1, 2022.
See https://en.wikipedia.org/wiki/2020_California_Proposition_24
35. 35
PrivacyStandards
11Published InternationalPrivacyStandards(ISO)
Techniques
Management
Cloud
Framework
Impact
Requirements
Process
20889 IS Privacyenhancingde-identificationterminologyandclassificationoftechniques
27701 IS Securitytechniques-ExtensiontoISO/IEC27001 andISO/IEC 27002 forprivacyinformationmanagement -Requirementsand
guidelines
27018 IS CodeofpracticeforprotectionofPIIinpubliccloudsacting as PIIprocessors
29100 IS Privacyframework
29101 IS Privacyarchitectureframework
29134 IS GuidelinesforPrivacyimpactassessment
29190 IS Privacycapabilityassessmentmodel
29191 IS Requirementsforpartiallyanonymous,partiallyunlinkableauthentication
29151 IS CodeofPracticeforPIIProtection
19608 TSGuidancefordevelopingsecurityandprivacyfunctionalrequirementsbasedon15408
27550 TRPrivacyengineeringforsystemlifecycleprocesses
36. 36
Different Data Protection Techniques
Data Store
DynamicMasking
2-way 1-way
FormatPreserving Computingonencrypteddata FormatPreserving
Tokenization
FormatPreserving
Encryption
(FPE)
HomomorphicEncryption
(HE)
Hashing
Static
Masking
DifferentialPrivacy
(DP)
K-anonymityModel
Random Algorithmic NoiseAdded
Fast Slow VerySlow Fast Fast
Fastest
ClearText
SyntheticData
Derivation
Fast
Anonymization
Of Attributes
Pseudonymization
Of Identifiers
37. 37
Example of Use-Cases & DataPrivacy Techniques
37
Vault-less tokenization Masking
Vault-less tokenization
Gateway
CallCenterApplication
PaymentApplication
Payment Data
Policy,Tokenization,Encryptionand
Keys
Salesforce
Payment
Network
SecurityOfficer
Data Warehouse
AnalyticsApplication
PI* Data
PI* Data
DifferentialPrivacy
AndK-anonymity
Dev/testSystems
PI* Data
VotingApplication
ElectionData
MicrosoftElectionGuard
39. 39
Randomized Tokenization
Data Store
DynamicMasking
2-way
FormatPreserving Computingonencrypteddata
Tokenization
FormatPreserving
Encryption
(FPE)
HomomorphicEncryption
(HE)
Random Algorithmic
Fast Slow VerySlow
Fastest
ClearText
Pseudonymization
Of Identifiers
Quantum Computers?
• Quantum computers and other strong
computers can break algorithms and patterns
in encrypted data.
• We can instead use random numbers to secure
sensitive data.
• Random numbers are not based on an
algorithm or pattern that computers can break.
Tech giants are building their own machines and
speeding to make them available to the world as a
cloud computing service. In the competition: IBM,
Google, Microsoft, Intel, Amazon, IonQ, Quantum
Circuits, Rigetti Computing
42. 42
Original Data
Fully Synthetic Data
Partially Synthetic Data
Artificially generated
new data points
Artificially generated
new data points
Synthetic Data
43. 43
6 Differential PrivacyModels
In differential privacy,the
concern is about privacyas
the relative difference in the
result whether aspecific
individual or entity is
includedin the input or
excluded
Random Differential Privacy
Probabilistic Differential Privacy
Concentrated Differential
Privacy
Approximate Differential Privacy
Computational Differential
Privacy
Multiparty Differential Privacy
Noiseisverylow.
Usedinpractice.
Moreusefulanalysiscanbeperformed.
Well-studied.
Widelyused
Canensuretheprivacyofindividualcontributions.
Aggregationisperformedlocally.
Strongdegreeofprotection.
Highaccuracy
Apuremodelprovidesprotectionevenagainstattackers withunlimitedcomputationalpower.
Canleadtounlikelyoutputs.
Tailoredtolargenumbersofcomputations.
44. 44
Area Timing Focus Comments Use Case: Bank
Requirements Short Internal requirements International regulations
Cloud Short Machine Learning Startwithbasic ML trainingand inference on sensitivedata in cloud
Competition Short Competitive advantage MLand NLP-powered servicescan give banks a competitiveedge
Data
Short Encrypted data Important
Long Synthetic data Computing cost?
Analytics
Medium AML/KYC Whatare otherLarge banks doing?
Short Analytics Initial focus
Short Operational on encrypted data Computing on sensitivedata tothe cloud. Trade-offswithperformance, protection and utility?
Industry Short Industry dialog Workinggroups instandard bodies (ANSI X9, Cloud Security Alliance,Homomorphic Encryption Org)
Model Short Encrypted model Important
Pilot
Short Experimentation Whatare otherLarge banks doing?
Short ScotiaBankCase Study QuerysolutionforAML/KYC
Proven Medium Fastfollower Whatare some proven solutions?
Quantum
Short Homomorphic Encryption post-
Lattice-basedcryptography isa promising post-quantumcryptography family,both in termsof foundational propertiesaswell as itsapplicationto both traditionaland homomorphic
encryption
Medium Quantum Plan forquantum safealgorithms
Long Quantum Plan forquantum MLalgorithms
Sharing Short Secure Multi-partyComputing (SMPC)
Withoutrevealingtheir ownprivateinputsand outputs. Encrypteddata and encryptionkeys never comingledwilecomputationon the encrypted dataisoccurringor an encryption key is
splitintoshares
Solutions
Short Vendor positioning
Nonlinear MLregressionneeded? LinearRegressionisone of the fundamental supervised-ML. Linearand non-linearcreditscoring by combininglogisticregressionand support vector
machines
Short Frameworkintegration Important
3rd Party Long 3rd party integration Miningfirst
TrainingML
Long Federated learning Complicated
Long TEE Emerging
45. 45
Data Protection Techniques:Deploying On-premisesand Clouds
Privacy enhancing data de-identification terminology
and classification of technique
DataWarehouse Centralized Distributed On-premises PublicCloud PrivateCloud
De-identification
techniques
Tokenization
Vault-basedtokenization Y Y
Vault-lesstokenization Y Y Y Y Y Y
Cryptographic Tools
Format preservingencryption Y Y Y Y Y
Homomorphic encryption Y Y Y
Suppression techniques
Masking Y Y Y Y Y Y
Hashing Y Y Y Y Y Y
Formalprivacy
measurementmodels
DifferentialPrivacy
ServerModel Y Y Y Y Y Y
LocalModel Y Y Y Y Y Y
K-anonymity model
L-diversity Y Y Y Y Y Y
T-closeness Y Y Y Y Y Y
46. 46
Example of Cross Border Data-centric Securityusing tokenization
SecurityOfficer
• ProtectingPersonally Identifiable Information (PII), includingnames,
addresses,phone,email, policyand accountnumbers
• Compliance with EU CrossBorderDataProtectionLaws
• UtilizingDataTokenization, andcentralizedpolicy, key management,
auditing,and reporting
Data
Warehouse
Completepolicy-enforcedde-
identificationofsensitivedata
acrossall bankentities
DataSources
AustrianData
GermanData
OtherSource
Data
Austrian
Data
German
Data
Other
Source
Data
53. 53
Protection of Data in AWS S3 with Separation of Duties
Protect data before
landing
Enterprise
Policies
Appsusingde-identified
data
Sensitivedatastreams
Enterprise
on-prem
Data lifted to S3 is
protected before use
S3
SecurityOfficer
• Applications can use de-identified
data ordata in the clear based on
policies
• Protection ofdata in AWS S3 before
landing in a S3 bucket
PolicyEnforcementPoint(PEP)
Separation of Duties
EncryptionKeyManagement
54. 54
Big Data Protection with GranularFieldLevel Protection for Google
Cloud Protectionthroughout the lifecycleof data in Hadoop
BigData Protectortokenizes or
encryptssensitivedata fields
Enterprise
Policies
Policiesmaybe managedon-
premorGoogleCloudPlatform
(GCP)
PolicyEnforcementPoint
Protecteddatafields
U
Separation of Duties
EncryptionKeyManagem.
Security Officer
55. 55
Multi-Cloud Considerations
Source:Securosis,2019
Consistency
• Mostfirmsarequitefamiliarwiththeiron-premises encryptionand key
managementsystems,sotheyoftenprefertoleveragethe same tooland
skills across multipleclouds.
• Firmsoftenadopta “best of breed”cloud approach.
Trust
• Some customerssimplydo nottrusttheirvendors.
Vendor Lock-in and Migration
• A commonconcern is vendorlock-in, andan inabilitytomigratetoanothercloud
serviceprovider.
• Some nativecloudencryptionsystemsdo not allow customer keys to move outside
the system, andcloudencryptionsystemsare basedonproprietaryinterfaces.
• Thegoal is to maintainprotection regardless of where data resides, moving between
cloud vendors.
Cloud Gateway
Google Cloud AWS Cloud Azure Cloud