At Tresorit we understand the concerns of DPO’s around the world as the Schrems II decision indeed shook up the world of EU-US data transfers. Let us share with you our interpretation of the current situation, and a few developments since 2020.
As the Schrems II decision invalidated the EU-US Privacy Shield Framework (Privacy Shield), Tresorit relies on standard contractual clauses (SCCs) as a transfer mechanism if data is transferred outside of the EEA. For the sake of clarity, the Schrems II decision did not invalidate data transfer agreements based on SCCs issued by the European Commission. That said, the CJEU held that data exporters are responsible for assessing the risks associated with data transfers based on SCCs and to apply supplementary measures, if necessary, to transfer data to a third country.
On 4 June 2021, the European Commission issued new SCCSs which better reflect requirements of the GDPR that was adopted in May 2018, as well as the Schrems II decision. Companies are required to update their SCCs by the end of 2022 and accordingly, Tresorit regularly reviews its data transfer agreements with all sub-processors.
On 18 June 2021, the European Data Protection Board issued Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (EDPB Recommendation). The EDPB Recommendations provide guidance on how to conduct a so-call transfer impact assessment to evaluate whether there is an essentially equivalent level of protection for data transfers to locations outside of the EEA. Even in cases where the assessment finds that a transfer tool (such as SCCs) alone would not provide an essentially equivalent level of protection, then supplemental contractual, technical and/or organisational measures should be identified to enhance the protection of the personal data.
Accordingly, our advice would be that you should carry out your assessment in respect of the Tresorit services and its sub-processors with a view to the amount and sensitivity of “Service Data” processed via our services.
Encryption as supplementary measure: The advantage of using Tresorit
According to point 84 (Annex 2) of the EDPB Recommendation, encryption as a technical measure may be a sufficient safeguard to protect EU data in certain cross-border data transfers if it meets the following conditions:
- the personal data is processed using strong encryption before transmission, and the identity of the importer is verified,
- the encryption algorithm and its parameterisation (e.g., key length, operating mode, if applicable) conform to the state-of-the-art and can be considered robust against cryptanalysis performed by the public authorities in the recipient country taking into account the resources and technical capabilities (e.g., computing power for brute-force attacks) available to them,
- the strength of the encryption and key length takes into account the specific time period during which the confidentiality of the encrypted personal data must be preserved,
- the encryption algorithm is implemented correctly and by properly maintained software without known vulnerabilities the conformity of which to the specification of the algorithm chosen has been verified, e.g., by certification,
- the keys are reliably managed (generated, administered, stored, if relevant, linked to the identity of an intended recipient, and revoked),
- the keys are retained solely under the control of the data exporter, or by an entity trusted by the exporter in the EEA or under a jurisdiction offering an essentially equivalent level of protection to that guaranteed within the EEA, then the EDPB considers that the encryption performed provides an effective supplementary measure.
Accordingly, the security measures applied by Tresorit are indeed relevant when performing a transfer impact assessment. All the above conditions are true for the content in the files that you upload to the Tresorit service. Regarding customer content all files are encrypted in such a way that not even Tresorit employees are able to access them – a feature that is truly unique.
The amount of data that is not protected by client-side encryption is kept secure by the highest “classical” security standards in the industry these would include but are not limited to names, email addresses, customer communication, application error logs etc.