Author:
Corrales Compagnucci Marcelo,Fenwick Mark,Aboy Mateo,Minssen Timo
Abstract
AbstractIn July 2020, the Court of Justiceof the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (“Schrems II”) invalidated the EU-US Privacy Shield adequacy decision but found that Standard Contracting Clauses (SCCs) are a valid mechanism to enable GDPR-compliant transfers of personal data from the EU to jurisdictions outside the EU/EEA, as long as various unspecified “supplementary measures” are in place to compensate for any gaps in data protection arising from the third country law or practices. The effect of this decision has been to place regulators, scholars, and data protection professionals under greater pressure to identify and explain these “supplementary measures” to facilitate cross-border transfers of personal data. This chapter critically examines the current framework for cross-border transfers after Schrems II, including the new SCCs adopted by the European Commission, as well as the current European Data Protection Board (EDBP) guidance on “supplementary measures.” We argue that the so-called “supplementary measures” are not “supplementary” and that the CJEU’s characterization of such measures as “supplementary” undermines the original clarity of GDPR with regards to the required standards for the security of processing as well as the available mechanisms for cross-border transfers of personal data. We conclude that despite the legal uncertainty introduced by the CJEU several post-Schrem II developments have been helpful to increase awareness and improve the overall safeguards associated with cross-border transfers of personal data. These include the new SCCs and an increased understanding of the capabilities and limitations of the technical and organizational measures, including encryption, pseudonymization, and multi-party processing. Technical solutions such as multiparty homomorphic encryption (HE) that combine these three technical measures while still allowing for the possibility to query and analyze encrypted data without decrypting it has significant potential to provide effective security measures that facilitate cross-border transfers of personal data in high-risk settings.
Publisher
Springer Nature Singapore
Reference29 articles.
1. Article 29 data protection working party, adequacy referential (updated), WP 254 at 2 (6 February 2018). https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614108. Accessed 17 Aug 2022
2. Bradford L, Aboy M, Liddell K (2020) International transfers of health data between the EU and USA: a sector-specific approach for the USA to ensure an ‘adequate’ level of protection. J Law Biosci 7(1):1–33
3. Bradford L, Aboy M, Liddell K (2021) Standard contractual clauses for cross-border transfers of health data after Schrems II. J Law Biosci 8(1):1–36
4. Braun M et al (2021) European Commission adopts and publishes new standard contractual clauses for international transfers of personal data. https://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20210607-european-commission-adopts-and-publishes-new-standard-contractual-clauses-for-international-transfers-of-personal-data. Accessed 17 Aug 2021
5. Christakis T, Terpan F (2021) EU-US negotiations on law enforcement access to data: divergences, challenges and EU law procedures and options. Int Data Priv Law 11(2):81–106
Cited by
1 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献