The Flemish Authorities initially considered the specific encryption tools as a valid supplementary measure in addition to the European Standard contractual clauses (SCCs). The measure was applied by a European branch of a US company using AWS cloud. The decision was confirmed by the Belgian Council of State upon a formal complaint of a third party.

Facts

The Flemish Region issued a tender for the established of a local Mobility center. The center as such would process a number of personal data of the users on a large scale. The tender was won by the Belgian affiliate of a US company which avails of the AWS as a cloud service. This decision was challenged in August 2021 before the Belgian Council of State by a Dutch company competing in the tender, that was not selected as winner. The ground of the action by the Dutch company was based on the fact that personal data would be transferred to US due to the use of the AWS cloud by the company that would manage the Mobility center. The transfer to US, according to the plaintiff, was not to be considered as a safe transfer, despite of the conclusion of SCCs between the controller and the US based processor, in the light of the Schrems II judgment. According to this reasoning, an alleged infringement of the Art. 28 and 44 GDPR and of Art. 32 GDPR by the Flemish Region was identified in the challenge of the plaintiff.

Decision of the Belgian Councel of State

The Council of State decision was not to suspend the Flemish region decision to appoint the Belgian Company as a winner of the tender and this was based on the following elements:

The Schrems II case did not invalidate the SCCs as a transfer tool for the transfers of personal data outside of the EEA as such. The transfer of personal data should be assessed on a case-to-case basis in the light of the additional measures applied to it with the goal to ensure an equivalent level of protection comparable to the EU standards if this is not granted by the importer country local law (such as the U.S.). In the present case, specific encryption measures were applied to the transfer and those ones, according to the Council of State, could be considered as a sufficient measure to ensure the protection of personal data transferred to the importer.

The additional measure of the case

As referenced in the European Data Protection Board (EDPB) Recommendations 01/2020, which were taken into consideration by the Belgian Council of State, encryption is one of the technical additional measures that could be considered sufficient to ensure an adequate level of protection to the personal data, particularly in the present case, the personal data would have been encrypted by the Flemish Region at the source before the transfer to the winner company that would keep the data in the AWS cloud. The encryption key would remain solely under the control of the Flemish Region, therefore in the EU. This measure, in addition to the contractual obligations set in the SCCs, would suffice to consider the personal data as safely stored even in the cloud based outside of he EEA.

Conclusions

The present decision defines the importance of the specific assessment of the transfer of personal data (TIA) to companies based outside of the European Economic Area (EEA). Provided that a valid transfer tool is used in compliance with Art. 44 GDPR, the transfer of personal data outside of the EEA may not be prohibited or considered unlawful if all the relevant aspects are taken into consideration during the TIA. For the lawfulness of the transfer, it is crucial to identify during the assessment, that appropriate additional safeguards are applied and contribute to bring the level of security to the standard granted by the EU. It is also important to note that the Council of State relied on the EDBP Recommendations which in the specific case, referred to the special encryption measures as a tool to provide security to the personal data.