Supplementary Measures and Appropriate Safeguards for International Transfers of Health Data after Schrems II

Research output: Chapter in Book/Report/Conference proceedingBook chapterResearchpeer-review

Standard

Supplementary Measures and Appropriate Safeguards for International Transfers of Health Data after Schrems II. / Corrales Compagnucci, Marcelo; Fenwick, Mark; Aboy, Mateo; Minssen, Timo.

The Law and Ethics of Data Sharing in Health Sciences. ed. / Marcelo Corrales Compagnucci; Timo Minssen; Mark Fenwick; Mateo Aboy; Kathleen Liddell. Singapore : Springer Nature Singapore, 2024. p. 151-172.

Research output: Chapter in Book/Report/Conference proceedingBook chapterResearchpeer-review

Harvard

Corrales Compagnucci, M, Fenwick, M, Aboy, M & Minssen, T 2024, Supplementary Measures and Appropriate Safeguards for International Transfers of Health Data after Schrems II. in M Corrales Compagnucci, T Minssen, M Fenwick, M Aboy & K Liddell (eds), The Law and Ethics of Data Sharing in Health Sciences. Springer Nature Singapore, Singapore, pp. 151-172.

APA

Corrales Compagnucci, M., Fenwick, M., Aboy, M., & Minssen, T. (2024). Supplementary Measures and Appropriate Safeguards for International Transfers of Health Data after Schrems II. In M. Corrales Compagnucci, T. Minssen, M. Fenwick, M. Aboy, & K. Liddell (Eds.), The Law and Ethics of Data Sharing in Health Sciences (pp. 151-172). Springer Nature Singapore.

Vancouver

Corrales Compagnucci M, Fenwick M, Aboy M, Minssen T. Supplementary Measures and Appropriate Safeguards for International Transfers of Health Data after Schrems II. In Corrales Compagnucci M, Minssen T, Fenwick M, Aboy M, Liddell K, editors, The Law and Ethics of Data Sharing in Health Sciences. Singapore: Springer Nature Singapore. 2024. p. 151-172

Author

Corrales Compagnucci, Marcelo ; Fenwick, Mark ; Aboy, Mateo ; Minssen, Timo. / Supplementary Measures and Appropriate Safeguards for International Transfers of Health Data after Schrems II. The Law and Ethics of Data Sharing in Health Sciences. editor / Marcelo Corrales Compagnucci ; Timo Minssen ; Mark Fenwick ; Mateo Aboy ; Kathleen Liddell. Singapore : Springer Nature Singapore, 2024. pp. 151-172

Bibtex

@inbook{4da2cd3d70ff4ef18f866451210689e1,
title = "Supplementary Measures and Appropriate Safeguards for International Transfers of Health Data after Schrems II",
abstract = "In July 2020, the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (“Schrems II”) invalidated the EU-US Privacy Shield adequacy decision but found that Standard Contracting Clauses (SCCs) are a valid mechanism to enable GDPR-compliant transfers of personal data from the EU to jurisdictions outside the EU/EEA, as long as various unspecified “supplementary measures” are in place to compensate for any gaps in data protection arising from the third country law or practises. The effect of this decision has been to place regulators, scholars, and data protection professionals under greater pressure to identify and explain these “supplementary measures” to facilitate cross-border transfers of personal data. This chapter critically examines the current framework for cross-border transfers after Schrems II, including the new SCCs adopted by the European Commission, as well as the current European Data Protection Board (EDPB) guidance on “supplementary measures.” We argue that the so-called “supplementary measures” are not “supplementary” and that the CJEU{\textquoteright}s characterization of such measures as “supplementary” undermines the original clarity of GDPR with regards to the required standards for security of processing as well as the available mechanisms for cross-border transfers of personal data. We conclude that despite the legal uncertainty introduced by the CJEU several post-Schrem II developments have been helpful to increase awareness and improve the overall safeguards associated with cross-border transfers of personal data. These include the new SCCs and an increased understanding of capabilities and limitations of the technical and organisational measures, including encryption, pseudonymisation, and multi-party processing. Technical solutions such as multiparty homomorphic encryption (HE) that combine these three technical measures while still allowing for the possibility to query and analyse encrypted data without decrypting it have significant potential to provide effective security measures that facilitate cross-borders transfers of personal data in high-risk settings.",
author = "{Corrales Compagnucci}, Marcelo and Mark Fenwick and Mateo Aboy and Timo Minssen",
year = "2024",
month = jan,
language = "English",
isbn = "978-981-99-6539-7",
pages = "151--172",
editor = "{Corrales Compagnucci}, Marcelo and Timo Minssen and Mark Fenwick and Mateo Aboy and Kathleen Liddell",
booktitle = "The Law and Ethics of Data Sharing in Health Sciences",
publisher = "Springer Nature Singapore",

}

RIS

TY - CHAP

T1 - Supplementary Measures and Appropriate Safeguards for International Transfers of Health Data after Schrems II

AU - Corrales Compagnucci, Marcelo

AU - Fenwick, Mark

AU - Aboy, Mateo

AU - Minssen, Timo

PY - 2024/1

Y1 - 2024/1

N2 - In July 2020, the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (“Schrems II”) invalidated the EU-US Privacy Shield adequacy decision but found that Standard Contracting Clauses (SCCs) are a valid mechanism to enable GDPR-compliant transfers of personal data from the EU to jurisdictions outside the EU/EEA, as long as various unspecified “supplementary measures” are in place to compensate for any gaps in data protection arising from the third country law or practises. The effect of this decision has been to place regulators, scholars, and data protection professionals under greater pressure to identify and explain these “supplementary measures” to facilitate cross-border transfers of personal data. This chapter critically examines the current framework for cross-border transfers after Schrems II, including the new SCCs adopted by the European Commission, as well as the current European Data Protection Board (EDPB) guidance on “supplementary measures.” We argue that the so-called “supplementary measures” are not “supplementary” and that the CJEU’s characterization of such measures as “supplementary” undermines the original clarity of GDPR with regards to the required standards for security of processing as well as the available mechanisms for cross-border transfers of personal data. We conclude that despite the legal uncertainty introduced by the CJEU several post-Schrem II developments have been helpful to increase awareness and improve the overall safeguards associated with cross-border transfers of personal data. These include the new SCCs and an increased understanding of capabilities and limitations of the technical and organisational measures, including encryption, pseudonymisation, and multi-party processing. Technical solutions such as multiparty homomorphic encryption (HE) that combine these three technical measures while still allowing for the possibility to query and analyse encrypted data without decrypting it have significant potential to provide effective security measures that facilitate cross-borders transfers of personal data in high-risk settings.

AB - In July 2020, the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (“Schrems II”) invalidated the EU-US Privacy Shield adequacy decision but found that Standard Contracting Clauses (SCCs) are a valid mechanism to enable GDPR-compliant transfers of personal data from the EU to jurisdictions outside the EU/EEA, as long as various unspecified “supplementary measures” are in place to compensate for any gaps in data protection arising from the third country law or practises. The effect of this decision has been to place regulators, scholars, and data protection professionals under greater pressure to identify and explain these “supplementary measures” to facilitate cross-border transfers of personal data. This chapter critically examines the current framework for cross-border transfers after Schrems II, including the new SCCs adopted by the European Commission, as well as the current European Data Protection Board (EDPB) guidance on “supplementary measures.” We argue that the so-called “supplementary measures” are not “supplementary” and that the CJEU’s characterization of such measures as “supplementary” undermines the original clarity of GDPR with regards to the required standards for security of processing as well as the available mechanisms for cross-border transfers of personal data. We conclude that despite the legal uncertainty introduced by the CJEU several post-Schrem II developments have been helpful to increase awareness and improve the overall safeguards associated with cross-border transfers of personal data. These include the new SCCs and an increased understanding of capabilities and limitations of the technical and organisational measures, including encryption, pseudonymisation, and multi-party processing. Technical solutions such as multiparty homomorphic encryption (HE) that combine these three technical measures while still allowing for the possibility to query and analyse encrypted data without decrypting it have significant potential to provide effective security measures that facilitate cross-borders transfers of personal data in high-risk settings.

M3 - Book chapter

SN - 978-981-99-6539-7

SP - 151

EP - 172

BT - The Law and Ethics of Data Sharing in Health Sciences

A2 - Corrales Compagnucci, Marcelo

A2 - Minssen, Timo

A2 - Fenwick, Mark

A2 - Aboy, Mateo

A2 - Liddell, Kathleen

PB - Springer Nature Singapore

CY - Singapore

ER -

ID: 329092868