GDPR & THE TRANSFER OF ENCRYPTED DATA OUTSIDE THE EU

02 August 2018


Recently, there has been discussion about whether it is GDPR-compliant to transfer encrypted data to applications based outside of the EU. Dropbox is one example: it has US-based servers, so if personal data is transferred through the Dropbox system, then technically it has been transferred outside of EU jurisdiction and is no longer GDPR compliant.

However, personal data sent this way is usually encrypted, and only the necessary individuals are given the encryption key to gain access to the data. So, in this instance, is the transfer of the data compliant?

Although the data may have been transferred outside of the EU, the encryption key is not stored on the Cloud servers, therefore the provider holds no identifiable information. However, there is always a possible risk that a data breach will occur if an unauthorised source obtains the key by force.

Dropbox has recently commented on this issue and has given organisations with at least fifteen seats the option to store data in the EU. Here is some further information on this matter:

https://blogs.dropbox.com/business/2016/09/making-european-infrastructure-available-to-our-customers/

Dropbox also “complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union.”

However, the effectiveness of the Privacy Shield has recently been questioned. It may, therefore, be more prudent to utilise programs with official EU servers, in order to ensure the organisation meets GDPR requirements efficiently.
