October 21, 2021

Volume XI, Number 294

Advertisement
Advertisement

October 21, 2021

Subscribe to Latest Legal News and Analysis

October 20, 2021

Subscribe to Latest Legal News and Analysis

October 19, 2021

Subscribe to Latest Legal News and Analysis

Belgian Council of State Considers Encryption a Sufficient Measure for U.S. Data Transfers

On August 19, 2021, the Belgian Council of State confirmed a decision of the regional Flemish Authorities to contract with an EU branch of a U.S. company using Amazon Web Services (“AWS”).

The decision was made in the context of a tender granted by the Flemish Authorities to a company that used AWS cloud services. An unsuccessful tender participant had challenged the outcome of the tender process before the Council of State, deploying several arguments, including that a lack of appropriate safeguards for data transfers to AWS in the U.S. infringed the GDPR’s restrictions on data transfers in light of the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems II case.

In the Schrems II decision, the CJEU took the position that organizations relying on appropriate safeguards, such as the Standard Contractual Clauses (“SCCs”), under Article 46 of the EU General Data Protection Regulation (“GDPR”) to transfer personal data outside the EU must verify, on a case-by-case basis, whether the law of the destination country ensures a level of protection for the personal data that is essentially equivalent to that in the EU. If the level of protection is not essentially equivalent, organizations must implement supplementary technical, organizational and contractual measures. In addition, for data transfers to the U.S., the CJEU determined that U.S. law does not generally provide a level of data protection equivalent to EU law. As a result, transfers of personal data to the U.S. can only take place provided that supplementary safeguards are implemented.

In its decision of August 19, 2021, the Belgian Council of State took the position that the use of U.S. cloud services in and of itself does not violate the GDPR. In reaching its decision, the Council of State took into account the Guidelines issued by the European Data Protection Board on supplementary measures and an opinion issued by the Flemish Supervisory Commission, and concluded that encryption is a valid supplementary measure to transfer data to the U.S. in certain circumstances, including where the encryption keys are kept under the full control of the data controller.

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume XI, Number 252
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct
Advertisement
Advertisement
Advertisement