Digitala Vetenskapliga Arkivet

Planned maintenance
A system upgrade is planned for 10/12-2024, at 12:00-13:00. During this time DiVA will be unavailable.
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Privacy Enhancing Technologies: An analysis of implementing encryption and pseudonymization to ensure personal data protection during third-country transfers
Stockholm University, Faculty of Law, Department of Law.
2024 (English)Independent thesis Advanced level (professional degree), 20 credits / 30 HE creditsStudent thesis
Abstract [en]

The question of third-country transfers reflects a balancing act between two in- interests: protecting the personal data that is being exported outside the EU and encouraging cross-border transfers. According to Article 45 of the General Data Protection Regulation (GDPR), the European Commission (Commission) can decide that a third country, a territory, a specific sector within a third country, or an international organization provides an adequate level of protection. In that case, a data exporter can transfer the personal data based on the adequacy decision without additional measures. Article 46 of the GDPR further states that a data exporter can rely on providing appropriate safeguards in the absence of an adequacy decision.

In just under five years, the Court of Justice of the European Union (CJEU) invalidated two U.S. adequacy decisions from the Commission. In both the Schrems I and II judgments, the CJEU criticized exemption rules in the adequacy decisions that made it possible for U.S. public authorities to interfere and access the personal data. According to the court, this posed a breach of the fundamental rights of data subjects granted in the Charter of Fundamental Rights of the European Union (Charter).

Furthermore, the CJEU stated in Schrems II that appropriate safeguards alone cannot protect personal data, particularly from the interference of public authorities, since they only provide contractual guarantees between the data exporter and data importer. If a data exporter wishes to transfer personal data to a third country, with domestic laws and practices that pose a risk to the rights of the data subjects, it is therefore required to implement supplementary measures alongside the appropriate safeguards. These supplementary measures can be either organizational or technical.

This thesis, which has examined Privacy Enhancing Technologies, finds that such technologies can form effective supplementary measures to the appropriate safeguards in some cases. More specifically, encryption is an effective supplementary measure for data exporters that transfer personal data to a third country for storage purposes. Furthermore, pseudonymization is an effective supplementary measure for third-country transfers for research and analysis purposes. However, there are more possible reasons why personal data is transferred to a third country and in which Privacy Enhancing Technologies are proven non-functional. More specifically, there is, as of yet, no Privacy Enhancing Technology that suc- cessfully grants protection for personal data transferred to a third country for support purposes. The reason for this is that such data must be visible to the recipient and Privacy Enhancing Technologies hinders visibility. The visibility of personal data poses a threat to the rights of the data subjects, as national authorities in third countries have direct access to it if it is seized from the recipient. According to the CJEU, such access constitutes a breach of the rights granted in the Charter.

In the spirit of globalization, there is a wish for data exporters to transfer personal data to all corners of the planet. At the same time, they must ensure the protection of the personal data. It is therefore evident that controllers and pro- cessors who are engaged in third-country transfers of this sort need to be given clearer guidance on how to solve this balancing act.

Place, publisher, year, edition, pages
2024. , p. 60
Keywords [en]
Privacy Enhancing Technologies, Encryption, Pseudonymization, Protection of Personal Data, GDPR, EU Commission, Third Country Transfers, EU Charter, Controller, Processor, Court of Justice of the European Union, Binding Corporate Rules, Standard Contractual Clauses
National Category
Law
Identifiers
URN: urn:nbn:se:su:diva-231948OAI: oai:DiVA.org:su-231948DiVA, id: diva2:1882629
Presentation
2024-05-29, Frescativägen, 106 91 Stockholm, 20:21 (Swedish)
Supervisors
Examiners
Available from: 2024-08-12 Created: 2024-07-05 Last updated: 2024-08-12Bibliographically approved

Open Access in DiVA

fulltext(903 kB)169 downloads
File information
File name FULLTEXT01.pdfFile size 903 kBChecksum SHA-512
d07d36afbf3937cc88cd58416a4b72868975d7262c5e5eb1af28a950fda00c386485bd362989a35e5a3b879d6e459a0ed59498a8a8531316188154a4cf9832b7
Type fulltextMimetype application/pdf

By organisation
Department of Law
Law

Search outside of DiVA

GoogleGoogle Scholar
Total: 169 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

urn-nbn

Altmetric score

urn-nbn
Total: 535 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf