 Supplementary Measures and Appropriate Safeguards for International Transfers of Health Data After Schrems IIMarcelo Corrales Compagnucci,
Mark Fenwick,
Mateo Aboy and
Timo Minssen
A chapter in The Law and Ethics of Data Sharing in Health Sciences, 2024, pp 151-172 from Springer Abstract: Abstract In July 2020, the Court of JusticeHealth data of the European Union (CJEU)Court of Justice of the EU (CJEU) in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (“Schrems II”)Schrems II invalidated the EU-US Privacy Shield adequacy decision but found that Standard Contracting Clauses (SCCs) are a valid mechanism to enable GDPR-compliant transfers of personal data from the EU to jurisdictions outside the EU/EEA, as long as various unspecified “supplementary measures”Supplementary measures are in place to compensate for any gaps in data protectionData protection arising from the third country law or practices. The effect of this decision has been to place regulators, scholars, and data protection professionals under greater pressure to identify and explain these “supplementary measures”Supplementary measures to facilitate cross-border transfers of personal dataCross-border transfers of personal data. This chapter critically examines the current framework for cross-border transfers after Schrems IISchrems II, including the new SCCs adopted by the European Commission, as well as the current European Data Protection Board (EDBP)European Data Protection Board (EDBP) guidance on “supplementary measuresSupplementary measures.” We argue that the so-called “supplementary measures” are not “supplementary” and that the CJEU’s characterization of such measures as “supplementary” undermines the original clarity of GDPR with regards to the required standards for the security of processing as well as the available mechanisms for cross-border transfers of personal dataCross-border transfers of personal data. We conclude that despite the legal uncertainty introduced by the CJEU several post-Schrem II developments have been helpful to increase awareness and improve the overall safeguards associated with cross-border transfers of personal dataCross-border transfers of personal data. These include the new SCCs and an increased understanding of the capabilities and limitations of the technical and organizational measures, including encryption, pseudonymization, and multi-party processing. Technical solutions such as multiparty homomorphic encryption (HE)Multiparty homomorphic encryption that combine these three technical measures while still allowing for the possibility to query and analyze encrypted data without decrypting it has significant potential to provide effective security measures that facilitate cross-border transfers of personal data in high-risk settings. Keywords: Appropriate safeguards; Cross-border transfers of personal data; Multiparty homomorphic encryption; New standard contractual clauses (SCCs); Schrems II; Supplementary measures (search for similar items in EconPapers) There are no downloads for this item, see the EconPapers FAQ for hints about obtaining it. Related works: Export reference: BibTeX RIS (EndNote, ProCite, RefMan) HTML/Text Persistent link: https://EconPapers.repec.org/RePEc:spr:perchp:978-981-99-6540-3_9 Ordering information: This item can be ordered from DOI: 10.1007/978-981-99-6540-3_9 Access Statistics for this chapter More chapters in Perspectives in Law, Business and Innovation from Springer |
Is your work missing from RePEc? Here is how to contribute.
Questions or problems? Check the EconPapers FAQ or send mail to .
EconPapers is hosted by the
School of Business at Örebro University.