Privacy Enhancing Technologies : An analysis of implementing encryption and pseudonymization to ensure personal data protection during third-country transfers

The question of third-country transfers reflects a balancing act between two in- interests: protecting the personal data that is being exported outside the EU and encouraging cross-border transfers. According to Article 45 of the General Data Protection Regulation (GDPR), the European Commission (Commission) can decide that a third country, a territory, a specific sector within a third country, or an international organization provides an adequate level of protection. In that case, a data exporter can transfer the personal data based on the adequacy decision without additional measures. Article 46 of the GDPR further states that a data exporter can rely on providing appropriate safeguards in the absence of an adequacy decision. In just under five years, the Court of Justice of the European Union (CJEU) invalidated two U.S. adequacy decisions from the Commission. In both the Schrems I and II judgments, the CJEU criticized exemption rules in the adequacy decisions that made it possible for U.S. public authorities to interfere and access the personal data. According to the court, this posed a breach of the fundamental rights of data subjects granted in the Charter of Fundamental Rights of the European Union (Charter). Furthermore, the CJEU stated in Schrems II that appropriate safeguards alone cannot protect personal data, particularly from the interference of public authorities, since they only provide contractual guarantees between the data exporter and data importer. If a data exporter wishes to transfer personal data to a third country, with domestic laws and practices that pose a risk to the rights of the data subjects, it is therefore required to implement supplementary measures alongside the appropriate safeguards. These supplementary measures can be either organizational or technical. This thesis, which has examined Privacy Enhancing Technologies, finds that such technologies can form effective supplementary measures to the appropriate safeguards in some cases.