
Brisbane-based Cryptoloc’s innovative encryption process may be the supplementary measure your business needs to solve its GDPR cross-border data transfer problem.
In July 2020, the EU Court of Justice lobbed a grenade into established processes for EU-US transfers of personal data.
Deciding in Schrems II that the EU-US Privacy Shield did not provide adequate protection for the transfer of data across the Atlantic, the CJEU removed one of the major bases used for those transfers. The decision also threw the use of Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), the most widely used bases for transfer, into doubt.
The questions raised around the use of SCCs and BCRs have far broader impacts for the global community than the dismantling of the EU-US Privacy Shield. Companies around the world, including those in Australia and the rest of the APAC region, use both SCCs and BCRs to support transfers of personal data from the EU. All these companies are affected by the Schrems II decision and are questioning what might be the appropriate basis for ongoing data transfers.
We have written more about the Schrems II decision, the court’s findings and its impacts here.
The European Data Protection Board (EDPB) has been busy trying to provide some direction for organisations struggling with the impacts of the July 2020 decision. In November 2020, the EDPB issued guidance on establishing essential equivalency. This guidance offers some pointers on how to proceed in the post-Schrems II world. It directs organisations to undertake a ‘transfer impact assessment’, which should consider the rights available to data subjects and the rights of public authorities to access personal data in the non-EU jurisdiction, and determine whether they are essentially equivalent to those in the EU.
Conducting the required foreign law assessment will be challenging in those jurisdictions where data access by public authorities is not regulated in a transparent way, or where the regulatory landscape is complex and uncertain. Given these difficulties in assessing foreign laws, the use of supplementary measures becomes even more important.
Where that assessment shows that the laws of the importing country are not essentially equivalent, supplementary measures are required. The purpose of these supplementary measures is to elevate the protection afforded to data in the local country so that it rises to the appropriate level of protection under the EU standards.
A non-exhaustive list of suggested supplementary measures issued by the EDPB includes:
The EDPB further notes that exporters may need to combine several measures to ensure the appropriate level of protection.
To be considered an adequate and appropriate supplementary measure, encryption keys must be retained solely under the control of the data exporter, or other entities entrusted with this task, residing in the EEA or a third country with an adequate level of protection. There are also other requirements including:
The state-of-the-art security measures and encryption protocols provided by Cryptoloc’s technology will enable data exporters to elevate the level of protection afforded to personal data transferring to (or via) a third country, when adopted as a technical measure to supplement the SCCs.
Cryptoloc’s unique three-key architecture can be implemented as a stand-alone system, which could potentially be owned and controlled by an EEA entity, with an EEA-based escrow agent, using only cloud storage located physically in the EEA. The system can be customised to allow for comprehensive oversight by the trusted escrow agent, as well as the provision of notice in the event of law enforcement or a relevant public authority requesting access to an encryption key.
Furthermore, the contract between the parties sharing the data will properly document the specifications of Cryptoloc and its efficacy as a supplementary measure in order to comply with the accountability principle of the GDPR. The contract will also contain provisions mandating the handling of government requests for access to personal data, as well as any technical controls to be applied to limit the use of the personal data.
Access a copy of our Whitepaper: 0321_Cryptoloc_Whitepaper GDPR V4.
Find out more about the Cryptoloc solution here.
Contact us for more information about how Cryptoloc can help.