Schrems II – Could encryption serve as a quick fix to continue cross-border data transfers?
These days you will never get bored if you are a privacy professional. This summer, Mr. Schrems, one of the most well-known privacy activists in Europe, managed to shake up our ever-evolving privacy landscape again. On July 16, the Court of Justice of the European Union (CJEU) issued its landmark decision no. C‑311/18 (the Schrems II Decision) in relation to cross-border data transfers in a case brought by Mr. Schrems against Facebook.
Our data protection and technology law expert, Petra Kovacsics LL.M., comments on the dilemmas privacy experts are facing now and the interplay of cross-border data transfers and encryption.
Background – What is the relevance of cross-border data protection law and the Schrems II Decision?
In the global data economy, businesses increasingly rely on cross-border data transfers. With the GDPR’s entry into effect, European data subjects enjoy an enhanced and uniform protection of their personal data within the European Economic Area (EEA). If their personal data is transferred outside of the EEA, European data subjects may lose the guarantees of the GDPR for the protection of their personal data. Accordingly, the GDPR restricts the transfer of personal data to countries outside the EEA, unless the specific requirements of the GDPR are met.
Mr. Schrems’ litigation against Facebook brought about significant changes to the potential means of cross-border data transfers. Given the extensive surveillance powers of US authorities and a lack of remedies by EU data subjects in such proceedings, the CJEU has now invalidated the EU-US Privacy Shield Framework (Privacy Shield). The CJEU found that data transfer agreements based on Standard Contractual Clauses (SCCs) issued by the European Commission were valid, but the applicability of SCCs has also become unclear.
(To learn more about these data transfers mechanisms, check out our recent podcast with Jitty van Doodewaerd.)
While the invalidation of the Privacy Shield has an impact on EU-US transfers, the CJEU’s findings on SCCs have significant effects on all data transfers from the EU. Companies transferring data outside of the EU need to review their arrangements and check if there is a valid mechanism in place they can rely on.
How to assess SCCs in practice
According to the iApp-EY Annual Governance Report, most companies have relied on SCCs to comply with the transfer requirements of the GDPR. After the Schrems II Decision, it seems that, as Commissioner Didier Reynders suggests, “it’s not just possible to use SCCs without any changes”.
In the Schrems II Decision, the CJEU held that data exporters are responsible for assessing the risks associated with data transfers based on SCCs and to apply supplementary measures, if necessary, to transfer data to a third country. The CJEU provides some examples of potential additional requirements SCCs, but it also seems that such additional safeguards are to be determined on a case-by-case basis, depending on the data protection landscape in the relevant jurisdiction.
Currently, it seems that there are more questions about such supplementary measures than there are answers to these questions. Even the European Data Protection Board asks for more time to analyze the Court’s decision “to determine the kind of supplementary measures that could be provided in addition (…) whether legal, technical or organizational measures.”
Could end-to-end encryption be the quick fix?
As a privacy professional, I have to agree with Mr. Schrems, who claims “the long-term solution has to be that we accept each others' fundamental rights (at least among the western countries and also within the EU) - not to stop data transfers.” But until then, what can we practically do to ensure compliance?
Not surprisingly, there are hundreds of different views among privacy fellows, but it seems that some of us agree that encryption as a technical measure may be a sufficient safeguard to protect EU data in certain cross-border data transfers. Moreover, the Data Protection Authority of the German federal state of Baden-Württemberg (the Authority) recently issued a guideline, and it seems that the Authority acknowledges that end-to-end encryption could be an accepted measure providing an additional safeguard to mitigate risks. According to the Authority, encryption suffices if (i) it is only the data exporter who has access to the encryption keys; and (ii) it cannot be broken by intelligence services.
This suggests that data exporters using end-to-end encryption may be compliant even when transferring data to risky jurisdictions. The rationale behind this is that, if personal data is properly encrypted and the encryption algorithm is particularly strong, it is only the data exporter who has the encryption key to decrypt the files and to re-identify individuals to whom the data belongs. At the same time, the data importer does not have the decryption keys to the files, thus is unable to re-identify the relevant individuals. Because of this, using end-to-end encrypted service providers may contribute to the security of processing operations – and help EU companies in their compliance with the CJEU’s requirements.
That said, encryption may not be the magic formula in all cases. If the activity outsourced to a company outside of EEA territory requires processing of personal data in an intelligible form, then end-to-end encryption is obviously not an option to guarantee the privacy of a cross-border transfer. Organizations should assess their cross-border data transfer mechanism and establish an approach to conduct due diligence in respect of the third-party processors. It seems that in certain cases data controllers may continue transfers if they implement sufficient technical measures such as end-to-end encryption. Then they will need to focus only on the rest of their third-country data processors.
The materials available on this website are for informational purposes only and do not constitute legal advice. To obtain advice with respect to a particular issue, you should contact your attorney.
E.g. requesting the data importer to inform the data controller if the recipient is unable to comply with the SCC
 para 133 of the Schrems II Decision
Frequently Asked Questions on the judgement of the Court of Justice of the European Union in Case-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximililian Schrems
https://iapp.org/news/a/the-schrems-ii-decision-eu-us-data-transfers-in-question/ ; https://teachprivacy.com/schrems-ii-reflections-on-the-decision-and-next-steps/;