Privacy Enhancing Technologies: An analysis of implementing encryption and pseudonymization to ensure personal data protection during third-country transfers
2024 (engelsk)Independent thesis Advanced level (professional degree), 20 poäng / 30 hp
Oppgave
Abstract [en]
The question of third-country transfers reflects a balancing act between two in- interests: protecting the personal data that is being exported outside the EU and encouraging cross-border transfers. According to Article 45 of the General Data Protection Regulation (GDPR), the European Commission (Commission) can decide that a third country, a territory, a specific sector within a third country, or an international organization provides an adequate level of protection. In that case, a data exporter can transfer the personal data based on the adequacy decision without additional measures. Article 46 of the GDPR further states that a data exporter can rely on providing appropriate safeguards in the absence of an adequacy decision.
In just under five years, the Court of Justice of the European Union (CJEU) invalidated two U.S. adequacy decisions from the Commission. In both the Schrems I and II judgments, the CJEU criticized exemption rules in the adequacy decisions that made it possible for U.S. public authorities to interfere and access the personal data. According to the court, this posed a breach of the fundamental rights of data subjects granted in the Charter of Fundamental Rights of the European Union (Charter).
Furthermore, the CJEU stated in Schrems II that appropriate safeguards alone cannot protect personal data, particularly from the interference of public authorities, since they only provide contractual guarantees between the data exporter and data importer. If a data exporter wishes to transfer personal data to a third country, with domestic laws and practices that pose a risk to the rights of the data subjects, it is therefore required to implement supplementary measures alongside the appropriate safeguards. These supplementary measures can be either organizational or technical.
This thesis, which has examined Privacy Enhancing Technologies, finds that such technologies can form effective supplementary measures to the appropriate safeguards in some cases. More specifically, encryption is an effective supplementary measure for data exporters that transfer personal data to a third country for storage purposes. Furthermore, pseudonymization is an effective supplementary measure for third-country transfers for research and analysis purposes. However, there are more possible reasons why personal data is transferred to a third country and in which Privacy Enhancing Technologies are proven non-functional. More specifically, there is, as of yet, no Privacy Enhancing Technology that suc- cessfully grants protection for personal data transferred to a third country for support purposes. The reason for this is that such data must be visible to the recipient and Privacy Enhancing Technologies hinders visibility. The visibility of personal data poses a threat to the rights of the data subjects, as national authorities in third countries have direct access to it if it is seized from the recipient. According to the CJEU, such access constitutes a breach of the rights granted in the Charter.
In the spirit of globalization, there is a wish for data exporters to transfer personal data to all corners of the planet. At the same time, they must ensure the protection of the personal data. It is therefore evident that controllers and pro- cessors who are engaged in third-country transfers of this sort need to be given clearer guidance on how to solve this balancing act.
sted, utgiver, år, opplag, sider
2024. , s. 60
Emneord [en]
Privacy Enhancing Technologies, Encryption, Pseudonymization, Protection of Personal Data, GDPR, EU Commission, Third Country Transfers, EU Charter, Controller, Processor, Court of Justice of the European Union, Binding Corporate Rules, Standard Contractual Clauses
HSV kategori
Identifikatorer
URN: urn:nbn:se:su:diva-231948OAI: oai:DiVA.org:su-231948DiVA, id: diva2:1882629
Presentation
2024-05-29, Frescativägen, 106 91 Stockholm, 20:21 (svensk)
Veileder
Examiner
2024-08-122024-07-052024-08-12bibliografisk kontrollert