Analysis of the Portuguese ruling to suspend data transfers to the USA and possible implications for SaaS

Analysis of the INE/Cloudflare case, in which the Portuguese DPA ordered the suspension of data transfers to the USA following the Schrems II ruling, and reasoning about the general implications for SaaS solutions.

CDN services architecture

The INE/Cloudflare use case

Recently, the Portuguese Data Protection Authority (DPA) ruled that Statistics Portugal (INE in Portuguese) had to suspend all transfers of Portuguese census data to Cloudflare. The system used by INE relied on Cloudflare for Content Delivery Network (CDN), Web Application Firewall (WAF) and rate limiting services. Portuguese census data includes religious affiliation and health data of Portuguese citizens, i.e. special categories of personal data.

Communication when using CDN services

A Content Delivery Network (CDN) is a group of servers, located in different geographic regions, that work together to deliver Internet content quickly. CDN servers cache web content (HTML pages, JavaScript files, images, etc.) close to the user, with the goal of improving website performance. CDN services typically also include DDoS protection, load balancing and TLS (still commonly called SSL) offloading.

SSL-Offloading when using CDN services

SSL-offloading

When a client connects to a website hosted on some origin server, (1) the client browser establishes a secure connection (TLS in practically all cases) to the nearest CDN edge server, (2) the CDN server terminates that TLS connection (the "SSL offload"), which means the edge holds the certificate's private key and sees the request and the response in cleartext, and (3) if the content is not cached on the edge, the CDN opens a separate TLS connection to the origin server to retrieve it. The important consequence is that there is no end-to-end encryption between the browser and the origin: the CDN sits in the middle as a trusted party by design.

Data flows of SSL-Offloading when using CDN services

Portuguese DPA considerations

After understanding how CDN services work, it becomes clearer why the Portuguese DPA requested INE to suspend all census data transfers. In its deliberation document (English version here) the DPA states the following main reasons:

  1. The census data can be routed through any of the CDN servers located in any of Cloudflare's 200 data centers. These data centers are located in more than 100 countries (including the USA), most of which do not provide an adequate level of protection according to the GDPR requirements for data transfers (Art. 45).
  2. The IP address of the INE census website was located in the USA and owned by Cloudflare.
  3. The TLS certificate and the associated private key were controlled (and in fact owned) by Cloudflare, so Cloudflare was able to access all communications between Portuguese citizens and the INE census website in cleartext.
  4. At the time of the DPA deliberation (27 April 2021), INE had already collected sensitive personal data of almost 6.5 million Portuguese citizens.
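The following is an added example, not code from the original post, from INE or from Cloudflare. It turns points 2 and 3 above (and the TLS offloading flow described earlier) into a check you can run against your own hostname: see whether the IP you connect to falls inside a CDN provider's published prefixes, and look at whose name is on the certificate the edge serves. The two Cloudflare prefixes, the hostnames and the sample certificate are constructed placeholders; fetch the live prefix list from https://www.cloudflare.com/ips-v4 before relying on the result.

```python
"""
Added example (not code from the original post, INE or Cloudflare): reduce the
DPA's points 2 and 3 (edge IP owned by the CDN; TLS certificate and key held
by the CDN) to a check you can run against your own hostname.
"""
import ipaddress
import socket
import ssl

# Assumption: a small, constructed snapshot of CDN edge prefixes. Cloudflare
# publishes its current list at https://www.cloudflare.com/ips-v4; fetch that
# list instead of relying on these two entries.
EXAMPLE_CDN_PREFIXES = {
    "Cloudflare": ["104.16.0.0/13", "172.64.0.0/13"],
}


def cdn_for_ip(ip: str, prefixes=EXAMPLE_CDN_PREFIXES):
    """Return the CDN whose prefix list contains ip, or None (DPA point 2)."""
    addr = ipaddress.ip_address(ip)
    for name, nets in prefixes.items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return name
    return None


def _name_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style match: a leading '*' covers exactly one DNS label."""
    hostname, pattern = hostname.lower(), pattern.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return hostname == pattern


def cert_summary(cert: dict) -> dict:
    """cert is a dict in ssl.SSLSocket.getpeercert() layout (DPA point 3)."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    return {
        "subject_org": subject.get("organizationName"),
        "subject_cn": subject.get("commonName"),
        "dns_names": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
    }


def assess(hostname: str, ip: str, cert: dict, prefixes=EXAMPLE_CDN_PREFIXES) -> dict:
    """Map what a client sees (IP + served certificate) onto the DPA's reasoning."""
    provider = cdn_for_ip(ip, prefixes)
    summary = cert_summary(cert)
    covers = any(_name_matches(hostname, n) for n in summary["dns_names"])
    return {
        "edge_provider": provider,                          # who owns the IP you connect to
        "tls_terminated_off_origin": provider is not None,  # the edge holds the private key
        "cert_subject_org": summary["subject_org"],         # whose name is on the certificate
        "cert_covers_hostname": covers,                     # browser shows a padlock regardless
    }


def fetch_live(hostname: str, port: int = 443, timeout: float = 5.0):
    """Network helper (not used by the offline demo): resolve and fetch the served cert."""
    ip = socket.gethostbyname(hostname)
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return ip, tls.getpeercert()


# Constructed sample in getpeercert() layout: a certificate issued to the CDN
# that also covers the customer's name through a wildcard SAN. Not a real cert.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example CDN, Inc."),),
                (("commonName", "sni.example-cdn.invalid"),)),
    "subjectAltName": (("DNS", "sni.example-cdn.invalid"), ("DNS", "*.example.org")),
}

if __name__ == "__main__":
    # Offline demo with a constructed edge IP inside the example prefix list.
    print(assess("census.example.org", "104.16.1.1", SAMPLE_CERT))
    # For a real site: ip, cert = fetch_live("www.example.org"); assess("www.example.org", ip, cert)
```

The point the output makes is the one the DPA made: `cert_covers_hostname` is true, so every browser shows a valid padlock, while `edge_provider` and `cert_subject_org` show that the private key for that padlock lives with a third party in whatever country the edge happens to be in.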

Setting up a precedent (or maybe not)

This ruling may set a precedent for how similar cases are handled. Moreover, if we consider the scenario in more general terms, it may mean that the collection and subsequent export of personal data by Software as a Service (SaaS) applications becomes a problem when the SaaS vendor or solution is not based in the European Economic Area (EEA).

Data flows when using a SaaS applications

Future considerations when using SaaS

Following the decision of the Portuguese DPA in the INE/Cloudflare case, we may in the future need to consider the following points when using a SaaS application to collect and process data of European citizens:

  1. Where is the SaaS application hosted (EEA or non-EEA)? If the application is hosted outside the EEA, there is no guarantee that the data is protected according to GDPR requirements, so you may need to apply additional safeguards to reach an adequate level of protection.
  2. Where is the SaaS vendor (service provider) originally from (EEA or non-EEA)? For instance, since the Schrems II ruling invalidated the EU-US Privacy Shield, that framework no longer provides an adequate level of protection for exporting personal data from the EU to the USA, and you may need to apply additional safeguards when doing so.
  3. From where is the SaaS application accessible? If the SaaS vendor hosts the application within EU borders but is able to access it from outside the EU (for support or operations, for example), that remote access is itself a transfer and you need to apply additional safeguards to reach an adequate level of protection.

Applying additional safeguards

Certainly, there is no silver bullet when it comes to applying additional safeguards, and in some cases it may not even be possible. But, as suggested by the EDPB (EDPB guidelines for data transfers), supplementary measures can be (1) contractual, (2) organisational or (3) technical in nature. If the combined supplementary measures allow you to reach the level of protection required by Art. 46 of the GDPR, then you may go ahead and continue using the (non-EEA) SaaS service. Keep in mind that contractual and organisational measures do not change what the provider is technically able to read: a provider that holds the keys and sees cleartext can be compelled to hand it over, which is why the technical measures carry the most weight.

Technical supplementary measures for SaaS

Although it is not always possible to implement supplementary measures of a technical nature, some technical solutions do exist for certain SaaS products. The common idea is that the data is encrypted or tokenised under a key the customer controls before it reaches the vendor, so the vendor stores and processes something it cannot read. Examples of such measures are:

  1. Double Key Encryption (DKE) for Office 365 — this feature lets the customer encrypt Office files with an encryption key under the customer's control before sending them to the SaaS vendor (Microsoft) environment. The feature is still somewhat immature because it breaks some functionality (any server-side feature that needs the plaintext cannot work on DKE-protected files), but the SaaS vendor is not able to access the content of the files (more information here). Some HSM and key-management vendors have developed plugins that integrate directly with DKE (e.g. Thales Luna DKE, nShield HSM DKE).
  2. Tokenisation/encryption gateway services for SaaS — an example of such a service is the Eperi Gateway. The gateway encrypts and tokenises the data before sending it to the SaaS service. Eperi Gateway, in particular, integrates with many popular SaaS services and does not require redesigning or changing the SaaS application, which is a significant advantage compared to similar services.
  3. General Format-Preserving Encryption services — as the name implies, the goal of Format-Preserving Encryption (FPE) is to encrypt data while preserving its original format (a 16-digit number stays a 16-digit number), so the ciphertext can be stored, validated and used by the SaaS application in the same way as the plaintext. Encryption/tokenisation gateways typically rely on FPE or tokenisation for exactly this reason. Some commercial products, such as IBM's PCIe cryptographic cards, offer FPE as a built-in function and can be leveraged to encrypt the data before sending it to the SaaS application. Two caveats a practitioner should keep in mind: FPE over a small domain (a short field) protects little, because the whole domain can be enumerated, and FPE with a fixed key and tweak is deterministic, so equal plaintexts produce equal ciphertexts. The standardised modes are FF1 and FF3-1 from NIST SP 800-38G; prefer those over ad hoc constructions.
  4. Multi-party computation based services — these services are based on secure multi-party computation (SMPC) techniques, which allow different parties to jointly compute over their inputs while keeping those inputs secret. Some solutions on the market, like Partisia, allow for instance statistical processing of data from several parties without revealing the underlying data. Integrating SMPC-based solutions with SaaS applications, however, may require redesigning the SaaS service.
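To make items 2 and 3 concrete, here is an added example of the gateway idea: a record is encrypted field by field, under a key that never leaves the customer, before it is handed to a SaaS application, and the encrypted fields keep their format so the SaaS side can store and validate them as before. This is not code from the original post nor from Eperi, IBM or any other vendor named above. The cipher is a Feistel network with the same shape as NIST FF1 (ten rounds, unbalanced halves, a tweak) but with an HMAC-SHA256 round function, so it is not FF1 and makes no compliance claim; in production use a vetted FF1/FF3-1 implementation. The key, record and field names are constructed sample data.

```python
"""
Added example (not code from the original post or from any vendor named in it):
field-level format-preserving encryption (FPE) applied before a record leaves the
customer's environment for a SaaS application, with the key held by the customer.
FF1-shaped Feistel network with an HMAC-SHA256 round function; NOT FF1, no
compliance claim. Use a vetted FF1/FF3-1 library in production.
"""
import hashlib
import hmac

RADIX = 10        # this example handles decimal digits only
ROUNDS = 10       # FF1 also uses 10 rounds
MIN_DIGITS = 6    # FF1's domain floor (radix**n >= 10**6): smaller domains can be enumerated


def _prf(key: bytes, tweak: bytes, rnd: int, half: str, n: int) -> int:
    """Round function: HMAC over the tweak, round number, total length and one half."""
    msg = tweak + bytes([rnd]) + n.to_bytes(2, "big") + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _encrypt_digits(digits: str, key: bytes, tweak: bytes) -> str:
    n = len(digits)
    u, v = n // 2, n - n // 2          # unbalanced halves, as in FF1
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v     # width of the half being replaced this round
        c = (int(a) + _prf(key, tweak, i, b, n)) % RADIX ** m
        a, b = b, str(c).zfill(m)
    return a + b


def _decrypt_digits(digits: str, key: bytes, tweak: bytes) -> str:
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):  # undo the rounds in reverse order
        m = u if i % 2 == 0 else v
        c = (int(b) - _prf(key, tweak, i, a, n)) % RADIX ** m
        a, b = str(c).zfill(m), a
    return a + b


def _map_digits(value: str, key: bytes, tweak: bytes, fn) -> str:
    """Apply fn to the digits of value; separators (spaces, dashes) stay in place and in clear."""
    digits = "".join(ch for ch in value if ch.isdigit())
    if len(digits) < MIN_DIGITS:
        raise ValueError(f"need at least {MIN_DIGITS} digits, got {len(digits)}")
    out = iter(fn(digits, key, tweak))
    return "".join(next(out) if ch.isdigit() else ch for ch in value)


def fpe_encrypt(value: str, key: bytes, tweak: bytes) -> str:
    return _map_digits(value, key, tweak, _encrypt_digits)


def fpe_decrypt(value: str, key: bytes, tweak: bytes) -> str:
    return _map_digits(value, key, tweak, _decrypt_digits)


def protect_record(record: dict, key: bytes, fields) -> dict:
    """Gateway step: encrypt the named fields; the field name is the tweak, so a
    ciphertext moved to another column does not decrypt to anything meaningful."""
    return {k: fpe_encrypt(v, key, k.encode()) if k in fields else v for k, v in record.items()}


def unprotect_record(record: dict, key: bytes, fields) -> dict:
    """Reverse of protect_record, run on the customer side when data comes back."""
    return {k: fpe_decrypt(v, key, k.encode()) if k in fields else v for k, v in record.items()}


if __name__ == "__main__":
    # Constructed sample: a customer-held key and a record with a separator-formatted number.
    customer_key = bytes(range(32))                 # placeholder; use an HSM/KMS-held key
    record = {"name": "Ana", "card": "4111 1111 1111 1111"}
    sent_to_saas = protect_record(record, customer_key, {"card"})
    print(sent_to_saas)                             # same shape, digits replaced
    assert unprotect_record(sent_to_saas, customer_key, {"card"}) == record
```

What the SaaS vendor receives still looks like a card number, passes length and "digits only" validation, and round-trips only for whoever holds `customer_key`. Two properties worth noticing in use: encryption is deterministic for a given key and tweak, which is what lets the SaaS side do equality lookups on the protected field but also what leaks "these two records share a value"; and fields shorter than `MIN_DIGITS` are refused, because FPE over a tiny domain is just an enumerable table.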

Conclusion

The decision of the Portuguese DPA to suspend INE's data transfers to Cloudflare may set a precedent for how similar cases are handled, and more specifically for how (non-EEA) SaaS applications may process or store personal data.

Acknowledgements

I would especially like to thank Christiane Peters for the fruitful discussions over the past couple of months, especially on commercial PETs. Her in-depth knowledge and perspective strengthened the content of this post.

Disclaimer

It goes without saying, but please note that this post reflects my own analysis and perspective. I do not have a legal background, and my analysis is mainly focused on the technical aspects of the use cases.

Bárbara Vieira

Security Engineer @ AWS. I mainly write about Security, Cryptography and Privacy. Opinions are my own.