Belgian court rules: Encryption as an additional measure when exporting data

The Schrems II ruling of the ECJ in July 2021 left many data controllers and processors perplexed. With this ruling, the ECJ overturned the EU-US Privacy Shield, which could no longer be used as a legal basis for data transfers to unsafe third countries. Unsafe third countries within the meaning of the GDPR are countries for which the EU Commission has not determined by means of a decision within the meaning of Article 45 of the GDPR that they offer an adequate level of protection. According to Chapter V of the GDPR, there are in principle other legal bases on which a data export to unsafe third countries can be based, e.g. the standard contractual clauses within the meaning of Art. 46(2)(c) of the GDPR. However, the ECJ has also emphasized for these options. There must be an adequate level of data protection and, if necessary, data controllers must ensure this via additional measures.

The question is: What can these additional measures be?

In its “Recommendations 01/2020 on measures complementing transfer tools to ensure the level of protection of personal data under Union law”, the European Data Protection Board described scenarios under which the export of encrypted data to insecure third countries is permitted. This applies, for example, under certain conditions to data to which access is not necessary and which is stored in third countries for back-up purposes (paragraph 79). According to the European Data Protection Board, encryption can only be sufficient under this scenario if the following conditions are met:

Encryption must be performed using a (1) powerful method and (2) algorithm as well as parameterization must be state of the art. (3) This must be guaranteed for the period for which the data is to be stored in the insecure third country. (4) In addition, the algorithm must be implemented correctly using specific software. (5) Furthermore, a reliable key management is required. (6) Furthermore, the key must not be in the control of an entity located in an insecure third country.

Even if the recommendations initially provide good guidance for data exporters, it remains problematic that the recommendations of the European Data Protection Board are not legally binding. The issue of additional measures to ensure a sufficient level of data protection has therefore not been clarified in court.

The Belgian ruling now shows that the recommendations of the European Data Protection Board could go in the right direction. As golem.de reported on September 17, 2021, the Belgian Council of State ruled in a judgment dated August 19, 2021 (file number 251.378) that encryption of data during data export can be an appropriate measure to ensure an adequate level of data protection.

The action was brought by a company that had lost a contract in a public bidding process to another bidder using the Amazon cloud service AWS. The company based the lawsuit on the fact that the data was not adequately protected by the use of AWS because the USA is considered an insecure third country within the meaning of the GDPR and the bidder should therefore not have been awarded the contract.

However, the ruling does not allow the general conclusion to be drawn that the use of the AWS cloud is possible in every case in compliance with data protection. This is how golem.de quotes the President of the Bavarian State Office for Data Protection Supervision, Michael Will. It always requires a “careful examination” by the data exporters. Kirsten Bock from the Independent State Center for Data Protection also points out, according to the golem.de report, that it is not clear from the ruling whether and how the encryption itself was checked.

Thus, the ruling of the Belgian court can be seen as pointing the way forward. However, many questions regarding the export of data to insecure third countries still remain unresolved. In addition, the scope of storing data in encrypted form for back-up purposes would be very narrow. In many cases, data is not only stored encrypted in insecure third countries, but must be processed unencrypted. What a practical solution might look like here still remains unclear. In many cases, it is expected that responsible parties will increasingly have to select European providers if a legally secure clarification of the issue is not achieved soon.

We will be happy to assist you with any questions you may have about data protection. Simply use our contact form. You can also contact us by phone at our headquarters in Hutthurm on +49 (0) 8505 91927 – 0 or at our branch in Munich on +49 (0) 89 413 2943 – 0.