Digitala Vetenskapliga Arkivet

Ändra sökning
RefereraExporteraLänk till posten
Permanent länk

Direktlänk
Referera
Referensformat
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Annat format
Fler format
Språk
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Annat språk
Fler språk
Utmatningsformat
  • html
  • text
  • asciidoc
  • rtf
Privacy Enhancing Technologies: An analysis of implementing encryption and pseudonymization to ensure personal data protection during third-country transfers
Stockholms universitet, Juridiska fakulteten, Juridiska institutionen.
2024 (Engelska)Självständigt arbete på avancerad nivå (yrkesexamen), 20 poäng / 30 hpStudentuppsats (Examensarbete)
Abstract [en]

The question of third-country transfers reflects a balancing act between two in- interests: protecting the personal data that is being exported outside the EU and encouraging cross-border transfers. According to Article 45 of the General Data Protection Regulation (GDPR), the European Commission (Commission) can decide that a third country, a territory, a specific sector within a third country, or an international organization provides an adequate level of protection. In that case, a data exporter can transfer the personal data based on the adequacy decision without additional measures. Article 46 of the GDPR further states that a data exporter can rely on providing appropriate safeguards in the absence of an adequacy decision.

In just under five years, the Court of Justice of the European Union (CJEU) invalidated two U.S. adequacy decisions from the Commission. In both the Schrems I and II judgments, the CJEU criticized exemption rules in the adequacy decisions that made it possible for U.S. public authorities to interfere and access the personal data. According to the court, this posed a breach of the fundamental rights of data subjects granted in the Charter of Fundamental Rights of the European Union (Charter).

Furthermore, the CJEU stated in Schrems II that appropriate safeguards alone cannot protect personal data, particularly from the interference of public authorities, since they only provide contractual guarantees between the data exporter and data importer. If a data exporter wishes to transfer personal data to a third country, with domestic laws and practices that pose a risk to the rights of the data subjects, it is therefore required to implement supplementary measures alongside the appropriate safeguards. These supplementary measures can be either organizational or technical.

This thesis, which has examined Privacy Enhancing Technologies, finds that such technologies can form effective supplementary measures to the appropriate safeguards in some cases. More specifically, encryption is an effective supplementary measure for data exporters that transfer personal data to a third country for storage purposes. Furthermore, pseudonymization is an effective supplementary measure for third-country transfers for research and analysis purposes. However, there are more possible reasons why personal data is transferred to a third country and in which Privacy Enhancing Technologies are proven non-functional. More specifically, there is, as of yet, no Privacy Enhancing Technology that suc- cessfully grants protection for personal data transferred to a third country for support purposes. The reason for this is that such data must be visible to the recipient and Privacy Enhancing Technologies hinders visibility. The visibility of personal data poses a threat to the rights of the data subjects, as national authorities in third countries have direct access to it if it is seized from the recipient. According to the CJEU, such access constitutes a breach of the rights granted in the Charter.

In the spirit of globalization, there is a wish for data exporters to transfer personal data to all corners of the planet. At the same time, they must ensure the protection of the personal data. It is therefore evident that controllers and pro- cessors who are engaged in third-country transfers of this sort need to be given clearer guidance on how to solve this balancing act.

Ort, förlag, år, upplaga, sidor
2024. , s. 60
Nyckelord [en]
Privacy Enhancing Technologies, Encryption, Pseudonymization, Protection of Personal Data, GDPR, EU Commission, Third Country Transfers, EU Charter, Controller, Processor, Court of Justice of the European Union, Binding Corporate Rules, Standard Contractual Clauses
Nationell ämneskategori
Juridik
Identifikatorer
URN: urn:nbn:se:su:diva-231948OAI: oai:DiVA.org:su-231948DiVA, id: diva2:1882629
Presentation
2024-05-29, Frescativägen, 106 91 Stockholm, 20:21 (Svenska)
Handledare
Examinatorer
Tillgänglig från: 2024-08-12 Skapad: 2024-07-05 Senast uppdaterad: 2024-08-12Bibliografiskt granskad

Open Access i DiVA

fulltext(903 kB)90 nedladdningar
Filinformation
Filnamn FULLTEXT01.pdfFilstorlek 903 kBChecksumma SHA-512
d07d36afbf3937cc88cd58416a4b72868975d7262c5e5eb1af28a950fda00c386485bd362989a35e5a3b879d6e459a0ed59498a8a8531316188154a4cf9832b7
Typ fulltextMimetyp application/pdf

Av organisationen
Juridiska institutionen
Juridik

Sök vidare utanför DiVA

GoogleGoogle Scholar
Totalt: 90 nedladdningar
Antalet nedladdningar är summan av nedladdningar för alla fulltexter. Det kan inkludera t.ex tidigare versioner som nu inte längre är tillgängliga.

urn-nbn

Altmetricpoäng

urn-nbn
Totalt: 292 träffar
RefereraExporteraLänk till posten
Permanent länk

Direktlänk
Referera
Referensformat
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Annat format
Fler format
Språk
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Annat språk
Fler språk
Utmatningsformat
  • html
  • text
  • asciidoc
  • rtf