November 4, 2020
The Schrems II ruling disqualifies the transfer and processing of personal data from EU countries to the US. But how does this affect cyber security products, which store and process data far more sensitive than personal data? It can be data that shows vulnerabilities in internal and business-critical systems of government agencies within the EU. In the wrong hands, this data could pose a risk to national security.
Privacy Shield is a self-certification framework for US companies that allows companies in the US to register with the US Department of Commerce, declaring they've met the requirements of the Privacy Shield. According to a decision by the European Commission, EU data controllers have been allowed to transfer personal data to recipients who have joined the Privacy Shield.
On 16 July 2020, the Court of Justice of the European Union issued its decision on the Schrems II case. The Court ruled that the EU-US Privacy Shield Agreement doesn't provide adequate protection for personal data when transferred to the US. The disqualification of Privacy Shield means that personal data controllers in the EU are no longer allowed to transfer personal data to US recipients.
The Cloud Act is US legislation passed in March 2018. It is an extension of the Stored Communications Act (SCA), which was passed in 1986.
The law gives US authorities the right to request data from US cloud service providers, regardless of where the data is stored. The physical location of the servers on which the data is stored is therefore irrelevant. If a US company owns the servers and the service, it is bound by the Cloud Act, even if the customers and the customers' data are in another jurisdiction.
Most cybersecurity products handle and store sensitive data. It can be data about critical vulnerabilities in a local network of a European government agency, data that could be used by foreign powers for espionage or sabotage.
Regardless of whether the supplier is American, if the product is provided through infrastructure in, for example, AWS or Google, the data is still under the control of US authorities.
The Schrems II judgment focuses on personal data, but the ruling clearly shows the general risks of transferring and storing sensitive data with an American actor. Companies now need to assess their trans-Atlantic and global data transfers based on the court's ruling.
Stefan Thelberg answers questions about the Schrems II ruling.
If data is stored outside the US - is it still in breach of EU regulations?
Yes, it doesn't matter if personal information is stored physically in the United States or if it is under the control of a US company in another part of the world.
Can AWS and Azure be used?
Many US providers have infrastructure and store data in AWS, Azure, Google Cloud, and similar cloud platforms. As soon as personal data is stored in these services, they are no longer secure and in breach of EU regulations.
Can on-premise products from a US supplier be considered safe?
Most products, even if installed in a local data center within the EU, often have connections to the internet for software updates, support, and diagnostics. As these connections go outside the customer premises, the customer loses control over which data is communicated from the product. As a customer, it's often impossible to ensure that personal data, or other sensitive data, isn't transmitted outside the company.
How are organizations outside the EU, for example in Norway, affected?
Since Norway adopts the same regulations as the EU regarding personal data, US companies may not be an option for Norwegian organizations.
What can we expect in the future in the matter?
The EU has put its foot down properly this time and US companies can expect higher security demands in the future. The United States may have to change some legislation, especially the Foreign Intelligence Surveillance Act, 702A, Executive Order 12333, and probably the Cloud Act before the EU cancels its disqualification. This will most likely be a tedious process.
Why has this not received more attention?
One reason is that the US wants to limit the market's reaction in the short term. It is also difficult for many organizations to take action based on Schrems II, simply because they have their entire infrastructure in e.g. Azure or AWS.