Even if the recommendations initially provide good guidance for data exporters, it remains problematic that the recommendations of the European Data Protection Board are not legally binding. The issue of additional measures to ensure a sufficient level of data protection has therefore not been clarified in court.
The Belgian ruling now shows that the recommendations of the European Data Protection Board could go in the right direction. As golem.de reported on September 17, 2021, the Belgian Council of State ruled in a judgment dated August 19, 2021 (file number 251.378) that encryption of data during data export can be an appropriate measure to ensure an adequate level of data protection.
The action was brought by a company that had lost a contract in a public bidding process to another bidder using the Amazon cloud service AWS. The company based the lawsuit on the fact that the data was not adequately protected by the use of AWS because the USA is considered an insecure third country within the meaning of the GDPR and the bidder should therefore not have been awarded the contract.
However, the ruling does not allow the general conclusion to be drawn that the use of the AWS cloud is possible in every case in compliance with data protection. This is how golem.de quotes the President of the Bavarian State Office for Data Protection Supervision, Michael Will. It always requires a “careful examination” by the data exporters. Kirsten Bock from the Independent State Center for Data Protection also points out, according to the golem.de report, that it is not clear from the ruling whether and how the encryption itself was checked.