Update Proposal for Storage Node Operators

This has already been addressed in the Twitter Spaces, see summary post:

For those that don´t want to read all the 30 pages of legalese:
The article specifically states on P30:
Use Case 1: Data storage for backup and other purposes that do not require access to data in the clear 84. A data exporter uses a hosting service provider in a third country to store personal data, e.g. for backup purposes. If 1. the personal data is processed using strong encryption before transmission, and the identity of the importer is verified, 2. the encryption algorithm and its parameterization (e.g., key length, operating mode, if applicable) conform to the state-of-the-art and can be considered robust against cryptanalysis performed by the public authorities in the recipient country taking into account the resources and technical capabilities (e.g., computing power for brute-force attacks) available to them,80 3. the strength of the encryption and key length takes into account the specific time period during which the confidentiality of the encrypted personal data must be preserved, 81 4. the encryption algorithm is implemented correctly and by properly maintained software without known vulnerabilities the conformity of which to the specification of the algorithm chosen has been verified, e.g., by certification, 5. the keys are reliably managed (generated, administered, stored, if relevant, linked to the identity of an intended recipient, and revoked), 82 and 6. the keys are retained solely under the control of the data exporter, or by an entity trusted by the exporter in the EEA or under a jurisdiction offering an essentially equivalent level of protection to that guaranteed within the EEA, **then the EDPB considers that the encryption performed provides an effective supplementary measure.”**

5 Likes