Skip to main content
banner image
venafi logo

Schrems II: Modernized Contractual Clauses and End-to-End Encryption

Schrems II: Modernized Contractual Clauses and End-to-End Encryption

modern-contractual-clauses-end-to-end-encryption
July 1, 2021 | Guest Blogger: Ambler Jackson

The General Data Protection Regulation (GDPR), which was adopted in part to facilitate the free flow of personal data, while preserving the fundamental rights and freedoms of individuals, allows for personal data transfers to third countries whose legal regime is deemed by the European Commission to provide for an “adequate” level of personal data protection. But what exactly that means for encryption has been more or less open to interpretation.

The determination that a third country provides an adequate level of personal data protection is included in an “adequacy decision.” If the European Commission recognizes that a country offers an adequate level of personal data protection, the personal data can flow from the European Union (EU) to a third country without requiring additional safeguards.

In the absence of an adequacy decision, a data controller or processor may transfer personal data using one of the Article 46 GDPR transfer tools. These include standard contractual clauses (SCCs). The recent adoption of the European Commission’s modernized SCCs, however, will require organizations to revisit their approach to international data transfers.

Background

There are some names that are uniquely known to the data privacy space and Schrems is one of them. Maximillian Schrems, known for his privacy advocacy work, initially challenged personal data transfers from Facebook’s European headquarters in Ireland to the United States. In October 2015, the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor mechanism, which was previously an acceptable mechanism for transferring personal data for commercial purposes from the EU to the United States (US). This decision is commonly referred to as Schrems I.

While the Safe Harbor mechanism was invalidated, international data flows between companies were permissible using other mechanisms (or transfer tools), such as standard contractual clauses (SCCs) and binding corporate rules. Schrems later complained that Facebook Ireland continued to transfer personal data using standard contractual clauses. This resulted in additional legal proceedings. On July 16, 2020, the CJEU issued its judgment in what is commonly referred to as Schrems II, and declared the EU-US Privacy Shield, another data transfer mechanism, invalid. The CJEU upheld the validity of SCCs as a data transfer mechanism.

What are Standard Contractual Clauses (SCCs)

SCCs are an acceptable mechanism for personal data transfers from the EU to third countries. These clauses are model data transfer terms that are implemented between entities in the European Economic Area (EEA), who are the data exporters, and entities in third countries, defined as data importers. The following three characteristics make SCCs a logical choice when transferring personal data to third countries:

  • The data protection clauses are standardized and pre-approved
  • Organizations can incorporate SCCs into contractual arrangements on a voluntary basis to comply with data protection requirements
  • SCCs are an easy-to-implement tool, complete with authoritative guidance and reference materials for subject matter experts (SMEs)
Modernized SCCs and Supplementary Measures

On June 4, 2021, the European Commission adopted the following modernized SCCs:

  • SCCs for use between controllers and processors
  • SCCs for transfer of personal data to third countries

These new SCCs reflect the new requirements under GDPR, a broader range of processing scenarios, more flexibility for complex processing chains, and a practical toolbox to ensure compliance with the Schrems II.

The European Data Protection Board (EDPB) recently adopted its final recommendations on measures that supplement transfer tools such as SCCs to ensure compliance with an EU level of protection of personal data transfers. The Chair of the EDPB, Andrea Jelinek stated, in part, that the goal of the EDPB Recommendations is to “guide exporters in lawfully transferring personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the European Economic Area.”

The recommendations are meant to help data exporters, regardless of whether the exporter is a controller, processor, private entity or public body, effectively assess third countries and identify appropriate supplementary measures where necessary to ensure that the data transfer provides protection that is equivalent to the EU data protection standard. Appropriate supplementary measures include technical measures such as end-to-end encryption of data.

If it is determined that the law of the third country prohibits a supplementary measure (e.g., the country prohibits the use of encryption to protect data) or otherwise prevents the effectiveness of the measure, organizations may not transfer personal data to the country. If the organization is already transferring data to the country, the transfer must be suspended.

Data Transfer Impact Assessment

The transfer impact assessment is still required under Schrems II. Assessments must be made on a case-by-case basis. The EDPB advises data exporters to know the details of the data transfer, verify the transfer tool relied upon to accomplish the data transfer and assess if there is anything in the law and/or practices of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tool that is being relied upon.

Conclusion

Whether your organization can legally transfer personal data using SCCs will depend on the findings of the data transfer impact assessment. Data exporters are responsible for verifying whether the law or practice in the third country impinges on the effectiveness of the appropriate safeguards contained in the selected Article 46 GDPR transfer tool (e.g., SCCs). If there is a gap between the protection provided by the SCCs and the third country’s data protection laws, data exporters will need to implement appropriate supplementary measures to fill those gaps and bring the level of data protection up to the equivalent of the EU standard for protecting data.

In the following blog we will take a deep dive into the technical supplementary measures to ensure lawful data transfers and how Venafi can help you manage the machine identities used in end-to-end encryption to be compliant with Schrems II ruling and GDPR.


Related Posts

Like this blog? We think you will love this.
Featured Blog

Apple Passwordless Future Brings Passkeys Into Focus

Making passwords pa

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies
eBook

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Guest Blogger: Ambler Jackson
Guest Blogger: Ambler Jackson
Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more