Supplementary Measures and Appropriate Safeguards for International Transfers of Health Data after Schrems II
Research output: Chapter in Book/Report/Conference proceeding › Book chapter › Research › peer-review
Standard
Supplementary Measures and Appropriate Safeguards for International Transfers of Health Data after Schrems II. / Corrales Compagnucci, Marcelo; Fenwick, Mark; Aboy, Mateo; Minssen, Timo.
The Law and Ethics of Data Sharing in Health Sciences. ed. / Marcelo Corrales Compagnucci; Timo Minssen; Mark Fenwick; Mateo Aboy; Kathleen Liddell. Singapore : Springer Nature Singapore, 2024. p. 151-172 (Perspectives in Law, Business and Innovation).Research output: Chapter in Book/Report/Conference proceeding › Book chapter › Research › peer-review
Harvard
APA
Vancouver
Author
Bibtex
}
RIS
TY - CHAP
T1 - Supplementary Measures and Appropriate Safeguards for International Transfers of Health Data after Schrems II
AU - Corrales Compagnucci, Marcelo
AU - Fenwick, Mark
AU - Aboy, Mateo
AU - Minssen, Timo
PY - 2024
Y1 - 2024
N2 - In July 2020, the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (“Schrems II”) invalidated the EU-US Privacy Shield adequacy decision but found that Standard Contracting Clauses (SCCs) are a valid mechanism to enable GDPR-compliant transfers of personal data from the EU to jurisdictions outside the EU/EEA, as long as various unspecified “supplementary measures” are in place to compensate for any gaps in data protection arising from the third country law or practises. The effect of this decision has been to place regulators, scholars, and data protection professionals under greater pressure to identify and explain these “supplementary measures” to facilitate cross-border transfers of personal data. This chapter critically examines the current framework for cross-border transfers after Schrems II, including the new SCCs adopted by the European Commission, as well as the current European Data Protection Board (EDPB) guidance on “supplementary measures.” We argue that the so-called “supplementary measures” are not “supplementary” and that the CJEU’s characterization of such measures as “supplementary” undermines the original clarity of GDPR with regards to the required standards for security of processing as well as the available mechanisms for cross-border transfers of personal data. We conclude that despite the legal uncertainty introduced by the CJEU several post-Schrem II developments have been helpful to increase awareness and improve the overall safeguards associated with cross-border transfers of personal data. These include the new SCCs and an increased understanding of capabilities and limitations of the technical and organisational measures, including encryption, pseudonymisation, and multi-party processing. Technical solutions such as multiparty homomorphic encryption (HE) that combine these three technical measures while still allowing for the possibility to query and analyse encrypted data without decrypting it have significant potential to provide effective security measures that facilitate cross-borders transfers of personal data in high-risk settings.
AB - In July 2020, the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (“Schrems II”) invalidated the EU-US Privacy Shield adequacy decision but found that Standard Contracting Clauses (SCCs) are a valid mechanism to enable GDPR-compliant transfers of personal data from the EU to jurisdictions outside the EU/EEA, as long as various unspecified “supplementary measures” are in place to compensate for any gaps in data protection arising from the third country law or practises. The effect of this decision has been to place regulators, scholars, and data protection professionals under greater pressure to identify and explain these “supplementary measures” to facilitate cross-border transfers of personal data. This chapter critically examines the current framework for cross-border transfers after Schrems II, including the new SCCs adopted by the European Commission, as well as the current European Data Protection Board (EDPB) guidance on “supplementary measures.” We argue that the so-called “supplementary measures” are not “supplementary” and that the CJEU’s characterization of such measures as “supplementary” undermines the original clarity of GDPR with regards to the required standards for security of processing as well as the available mechanisms for cross-border transfers of personal data. We conclude that despite the legal uncertainty introduced by the CJEU several post-Schrem II developments have been helpful to increase awareness and improve the overall safeguards associated with cross-border transfers of personal data. These include the new SCCs and an increased understanding of capabilities and limitations of the technical and organisational measures, including encryption, pseudonymisation, and multi-party processing. Technical solutions such as multiparty homomorphic encryption (HE) that combine these three technical measures while still allowing for the possibility to query and analyse encrypted data without decrypting it have significant potential to provide effective security measures that facilitate cross-borders transfers of personal data in high-risk settings.
U2 - 10.1007/978-981-99-6540-3_9
DO - 10.1007/978-981-99-6540-3_9
M3 - Book chapter
SN - 9789819965397
T3 - Perspectives in Law, Business and Innovation
SP - 151
EP - 172
BT - The Law and Ethics of Data Sharing in Health Sciences
A2 - Corrales Compagnucci, Marcelo
A2 - Minssen, Timo
A2 - Fenwick, Mark
A2 - Aboy, Mateo
A2 - Liddell, Kathleen
PB - Springer Nature Singapore
CY - Singapore
ER -
ID: 329092868