The General Data Protection Regulation (GDPR), which was adopted in part to facilitate the free flow of personal data, while preserving the fundamental rights and freedoms of individuals, allows for personal data transfers to third countries whose legal regime is deemed by the European Commission to provide for an “adequate” level of personal data protection. But what exactly that means for encryption has been more or less open to interpretation.
The determination that a third country provides an adequate level of personal data protection is included in an “adequacy decision.” If the European Commission recognizes that a country offers an adequate level of personal data protection, the personal data can flow from the European Union (EU) to a third country without requiring additional safeguards.
In the absence of an adequacy decision, a data controller or processor may transfer personal data using one of the Article 46 GDPR transfer tools. These include standard contractual clauses (SCCs). The recent adoption of the European Commission’s modernized SCCs, however, will require organizations to revisit their approach to international data transfers.
There are some names that are uniquely known to the data privacy space and Schrems is one of them. Maximillian Schrems, known for his privacy advocacy work, initially challenged personal data transfers from Facebook’s European headquarters in Ireland to the United States. In October 2015, the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor mechanism, which was previously an acceptable mechanism for transferring personal data for commercial purposes from the EU to the United States (US). This decision is commonly referred to as Schrems I.
While the Safe Harbor mechanism was invalidated, international data flows between companies were permissible using other mechanisms (or transfer tools), such as standard contractual clauses (SCCs) and binding corporate rules. Schrems later complained that Facebook Ireland continued to transfer personal data using standard contractual clauses. This resulted in additional legal proceedings. On July 16, 2020, the CJEU issued its judgment in what is commonly referred to as Schrems II, and declared the EU-US Privacy Shield, another data transfer mechanism, invalid. The CJEU upheld the validity of SCCs as a data transfer mechanism.
SCCs are an acceptable mechanism for personal data transfers from the EU to third countries. These clauses are model data transfer terms that are implemented between entities in the European Economic Area (EEA), who are the data exporters, and entities in third countries, defined as data importers. The following three characteristics make SCCs a logical choice when transferring personal data to third countries:
On June 4, 2021, the European Commission adopted the following modernized SCCs:
These new SCCs reflect the new requirements under GDPR, a broader range of processing scenarios, more flexibility for complex processing chains, and a practical toolbox to ensure compliance with the Schrems II.
The European Data Protection Board (EDPB) recently adopted its final recommendations on measures that supplement transfer tools such as SCCs to ensure compliance with an EU level of protection of personal data transfers. The Chair of the EDPB, Andrea Jelinek stated, in part, that the goal of the EDPB Recommendations is to “guide exporters in lawfully transferring personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the European Economic Area.”
The recommendations are meant to help data exporters, regardless of whether the exporter is a controller, processor, private entity or public body, effectively assess third countries and identify appropriate supplementary measures where necessary to ensure that the data transfer provides protection that is equivalent to the EU data protection standard. Appropriate supplementary measures include technical measures such as end-to-end encryption of data.
If it is determined that the law of the third country prohibits a supplementary measure (e.g., the country prohibits the use of encryption to protect data) or otherwise prevents the effectiveness of the measure, organizations may not transfer personal data to the country. If the organization is already transferring data to the country, the transfer must be suspended.
The transfer impact assessment is still required under Schrems II. Assessments must be made on a case-by-case basis. The EDPB advises data exporters to know the details of the data transfer, verify the transfer tool relied upon to accomplish the data transfer and assess if there is anything in the law and/or practices of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tool that is being relied upon.
Whether your organization can legally transfer personal data using SCCs will depend on the findings of the data transfer impact assessment. Data exporters are responsible for verifying whether the law or practice in the third country impinges on the effectiveness of the appropriate safeguards contained in the selected Article 46 GDPR transfer tool (e.g., SCCs). If there is a gap between the protection provided by the SCCs and the third country’s data protection laws, data exporters will need to implement appropriate supplementary measures to fill those gaps and bring the level of data protection up to the equivalent of the EU standard for protecting data.
In the following blog we will take a deep dive into the technical supplementary measures to ensure lawful data transfers and how Venafi can help you manage the machine identities used in end-to-end encryption to be compliant with Schrems II ruling and GDPR.