News

New recommendation on supplementary safeguards for third-country transfers

The European Data Protection Board (EDPB) has published a draft recommendation[1] on transfers of personal data to countries outside the EU/EEA (third-country transfers). The background to the recommendation is the judgment of the Court of Justice of the European Union in Schrems II (see here), which since the summer of 2020 has created considerable uncertainty within the EU regarding third-country transfers and, not least, the use of public cloud services that entail such transfers.

Like the CJEU in Schrems II, the EDPB places a large responsibility on the individual organisations that transfer personal data out of the EU (or that use services entailing transfers of data to countries outside the EU). The recommendation contains, among other things, a checklist of the steps that controllers and processors should follow for third-country transfers. The first step requires an inventory of third-country transfers and identification of the legal basis for each transfer (e.g. standard contractual clauses). After that, an assessment of the level of protection for personal data in the recipient country is always required. If the level of protection in a given recipient country is not deemed to be equivalent to that of the EU, ”supplementary measures” are also required.

The EDPB’s recommendation contains a number of typical cases in which various security measures are described and assessed. It can be noted that contractual or organisational measures do not in themselves constitute sufficient measures to ensure an adequate level of protection for personal data.

With regard to technical safeguards, we draw the following preliminary and general conclusions:

  1. According to the EDPB, there are no effective technical safeguards for services that:
    • Give the provider in a third country access to unencrypted personal data in clear text, regardless of whether encryption is applied in transit and ”at rest”. This would, among other things, cover SaaS services that entail transfers of personal data to the USA.
    • Entail remote access from a third country to personal data stored in clear text within the EU. This would, among other things, cover many IT support services (including customer service) provided through ”global” delivery organisations outside the EU.
  2. Personal data in clear text generally must not be transferred over the internet in unencrypted form, or otherwise be made available in clear text to a third country. Typically, encryption is required where the provider/recipient does not have, and cannot easily obtain, access to the encryption key.
  3. Pseudonymisation can be an effective safeguard, under certain conditions. The same applies to splitting a processing operation between several processors, so that none of them receives sufficient information to identify natural persons.
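As an added illustration of the last two points (example code, not from the article or from the EDPB’s recommendation), the following Python sketch pseudonymises direct identifiers with a keyed HMAC whose key and lookup table remain with the controller in the EU, so that the data set sent to a third-country processor carries no clear-text identifiers. Record contents and field names are constructed for the example.

```python
"""Pseudonymisation before export to a third-country processor.

Added example: the HMAC key and the lookup table are generated and kept by
the controller in the EU; the processor receives only pseudonyms plus
non-identifying attributes, so it cannot single out natural persons on its own.
"""
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers; these never leave the EU in clear text.
DIRECT_IDENTIFIERS = ("name", "personnummer")

# Constructed sample records (fictitious persons and values).
RECORDS = [
    {"name": "Anna Andersson", "personnummer": "19800101-1234", "diagnosis_code": "J45"},
    {"name": "Bo Berg", "personnummer": "19751231-5678", "diagnosis_code": "E11"},
]


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym: without `key` the identifier cannot be recovered, and a
    plain hash table of known identifiers does not reverse it either."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymise(records, key: bytes):
    """Return (export_set, lookup_table). export_set is what leaves the EU;
    lookup_table maps pseudonym -> direct identifiers and stays with the controller."""
    export_set, lookup = [], {}
    for rec in records:
        pid = pseudonym(rec["personnummer"], key)
        lookup[pid] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        attrs = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        export_set.append({"pid": pid, **attrs})
    return export_set, lookup


def leaks_identifiers(export_set) -> bool:
    """Pre-transfer guard: True if any direct identifier field is still present."""
    return any(f in rec for rec in export_set for f in DIRECT_IDENTIFIERS)


def reidentify(pid: str, lookup: dict) -> dict:
    """Only the party holding the EU-side lookup table can reverse a pseudonym."""
    return lookup[pid]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated in the EU, never shared with the processor
    export_set, lookup = pseudonymise(RECORDS, key)
    assert not leaks_identifiers(export_set)
    print(export_set)  # the only view the third-country processor gets
```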

The conclusions above are preliminary and should be supplemented by a legal assessment in the individual case. The EDPB’s recommendation is preliminary and open for comments until 30 November 2020. The final version will probably contain a number of amendments and additions.

Please contact Johan Kahn or Daniel Lundqvist if you have questions about the EDPB’s guidance or about third-country transfers of personal data.

_____________________________

[1] Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Adopted – version for public consultations.

One of Sweden’s foremost cyber risk experts affiliated with Kahn Pedersen

André Catry is now affiliated with Kahn Pedersen as a Senior Advisor within security and cyber risk. André has over 25 years’ experience of cyber risk and security work. In addition to several assignments within the Swedish Armed Forces, such as concept development for the Communication Information Systems Command, André has held positions as an operative department director with the Swedish Security Service. André also has extensive experience as a senior cyber risk consultant with companies he founded himself. André was recently technical expert to a major Swedish public authority’s legal investigation regarding its use of cloud computing services in a legal and appropriate way.

As a leading law firm within the areas of Digital and Public, Kahn Pedersen increasingly advises clients in matters that involve assessments and actions with regard to cyber risk. This is especially evident in relation to cloud computing services and data protection, where a very high level of legal as well as cyber risk competence is required in order to make correct and balanced assessments.

“We are happy and proud that André has chosen to start working with us. André has a unique competence in Sweden in matters regarding cyber risk and legal information security. We have noted a significantly higher demand for our services relating to cyber risk both from the business sector and from public authorities. These matters are often part of larger projects for digital transformation. Being able to offer our clients our legal advice together with André’s skills and experience will give our clients the very best possibilities to deal with digital transformation in a profitable, controlled and legal way,” says Kristian Pedersen (CEO).

Kahn Pedersen Sweden’s Leading Law Firm for Government Contracts, according to Who’s Who Legal

Kahn Pedersen is once again the only Swedish law firm considered to be a leading firm in Who’s Who Legal’s global ranking in the category Government Contracts (Public Procurement).

Kristian Pedersen is also considered to be a Global Elite Thought Leader, making him part of an exclusive group of only 20 lawyers who, according to Who’s Who Legal, are the world’s most prominent public procurement specialists.

Erik Olsson is described by Who’s Who Legal as ”a formidable public procurement specialist with a strong track record handling procurement issues in Sweden”, and he is considered to be one of the most prominent Swedish public procurement lawyers.


CJEU notifies what applies when transferring personal data to the USA – Initial Comments

On 16 July, the Court of Justice of the European Union (”CJEU”) issued its judgment in the so-called Schrems II case (C-311/18).

Summary of the Judgment:

  • ”Privacy Shield” (a mechanism that many data controllers use as a safeguard when transferring personal data to the USA) has been invalidated.
  • The EU Commission’s Standard Contractual Clauses (“SCC”) are still valid as an appropriate safeguard for transferring personal data to a third country.
  • The EU’s privacy and data protection requirements cannot be fulfilled under US law.
  • Indirectly, the judgment confirms that US cloud service providers’ processing of personal data may mean that such providers are not able to provide sufficient guarantees for compliance with the GDPR.

Consequences:

  • Transfers of personal data based on Privacy Shield need to be based on a different safeguard or cease.
  • Transfers of personal data to the USA based on SCC need to be carefully analysed to ensure that they in practice provide adequate protection for data subjects; alternatively, such transfers should be based on a different safeguard.
  • The use of cloud services provided by US providers will also continue to require thorough analysis and risk assessment as well as correctly drafted contracts. For some types of processing of personal data, these cloud services will not be able to be used in accordance with the GDPR.
  • The CJEU’s clarification that US law means that US companies (and their subsidiaries) cannot process personal data in a sufficiently secure way, since they allow unauthorised access (by US authorities) to the data, ought to be taken into account in information security assessments even regarding other data, such as government data and data that is subject to bank or insurance secrecy.

What happens now?

  • The first thing a company, organisation or public authority ought to do is to make an inventory of the transfers of personal data (or other confidential information) to the USA that occur and the legal basis for such transfer.
  • In cases where the basis for the transfer is Privacy Shield, another safeguard must be applied or the transfer needs to cease. If SCC is the applied safeguard, these transfers need to be analysed, e.g. there must be a possibility to be able to immediately terminate the processing if the protection of the data subjects is not maintained. It is good to be aware that transfers to the USA can take place via cloud service providers or subcontractors as well as when processing data that is otherwise stored within the EU.
  • If possible, data should be stored within the EU and any processing outside of the EU should be limited to when absolutely necessary. A common misunderstanding is that the risks in relation to US cloud service providers are completely eliminated through the use of data centres within the EU. In practice, the location of data centres is not crucial, as US cloud service providers are in some circumstances required to disclose customer data (and personal data) regardless of the data’s geographical location, consequently transferring the data to the USA.
  • A thorough analysis of alternative safeguards for transfers to the USA needs to be carried out. Contracts with US cloud service providers and other recipients of personal data also ought to be reviewed and assessed in the light of the CJEU’s current ruling. The requirement for sufficient guarantees in data processing agreements is a relative requirement and certain processing may be legal under certain contractual terms, whereas other processing under the same conditions may constitute a violation of the GDPR.

New Article in the Swedish legal journal Ny Juridik

Viktor Robertson and Karolina Kjellberg have written an article for the Swedish legal journal Ny Juridik. The article provides an overview of the Swedish Competition Authority’s proposed extended possibilities to supervise public procurement and the effects of such proposals if they were implemented into Swedish law.

Kahn Pedersen among the best Swedish law firms for public procurement according to the new ranking from Legal500

The ranking institute Legal500 has now published this year’s ranking for law firms in the category Public Procurement. Kahn Pedersen is ranked as one of the best Swedish law firms within the public procurement area. As individuals, Kristian Pedersen is ranked as a Leading Individual, Erik Olsson as a Next Generation Partner and Olle Lindberg as a Rising Star by Legal500.

Clients interviewed by Legal500 state that: ”We appreciate the commitment to our goals and interests in all aspects of our cases. We always get quick responses to our questions. The practice has deep knowledge in public procurement and understanding of the conditions we are working in. They are capable of thinking outside the box to create creative solutions to complex situations concerning public procurement law” and that Kahn Pedersen: “Provides answers that can be easily understood by in-house business people. Has insight into a wide range of public procurement areas. You always feel confident as an in-house lawyer that they know what they are talking about.”

Kristian Pedersen comments on Legal500’s ranking: “We are of course happy, proud and grateful to receive such excellent praise by our clients, resulting in a prominent position in Legal500’s ranking. We always aim at providing the best legal advice available, and are grateful for all the positive feedback we receive. Although Legal500 has chosen to highlight some of us, as individuals, I would, however, like to stress that it is a hard and genuine team work involving all our employees that is the basis for our prominent ranking.”


Kahn Pedersen Ranked in Top Tiers for IT and Data Protection

Legal500 ranks Kahn Pedersen’s IT and Data Protection practices in the highest category – Tier 1. Johan Kahn is singled out as a leading individual on the Swedish market within both practice areas, and Daniel Lundqvist, Martin Brinnen and Staffan Malmgren are ranked as leading advisors on an individual level. Clients interviewed by Legal500 state, among other things, the following: “Kahn Pedersen is clearly the leading firm for IT and data protection in Sweden”, “Young, fast and unpretentious”, and “Extremely professional”. Johan Kahn comments on Legal500’s ranking: “First and foremost, we are very grateful for being given the opportunity to advise our fantastic clients who provide us with challenging and exciting projects. This year’s ranking was especially interesting since it is now clear that we have consolidated our leadership on the Swedish market for digital law. Furthermore, our senior and deep capabilities that distinguish us from many other firms are highlighted. It is nice to see that our unique offering within legal tech is acknowledged.”

Kahn Pedersen’s Digital team is top-ranked by Chambers & Partners

The ranking institute Chambers & Partners has published its ranking of legal advisors within “Information Technology” for 2020. Kahn Pedersen is ranked in the highest category, Band 1. Chambers writes: “The firm’s work is excellent. They provide advice which is not only of the highest quality from a strictly legal perspective, but also creative and business-minded”.

Johan Kahn is again ranked on an individual basis in Band 1, the highest category, as one of two Swedish lawyers, and the editorial, based on interviews with clients of the firm, mentions him “without doubt as one of the leading lawyers for IT and outsourcing in Sweden” and notes that “He analyses business risks like I’ve never seen before”. Daniel Lundqvist is also highly ranked and receives the following praise: “[Clients] praise his ‘combination of excellent legal skills and business-driven advice’”.
