Hi Martin,

Apologies it's taken a while to respond.

If we require technical support from AWS, this would be provided by someone within or outside the EEA depending on the time of day we open our support request and the time zone. Regardless of where the support comes from (i.e. within or outside the EEA), AWS technical support staff will not gain access to our customer content data unless it is authorised by us. Such authorisation to access our content has not been required or provided by us for any of our support requests so far. If a request to access our content is necessary, we will ensure that this is authorised only if there are safeguards to protect our content and access is granted in a legally compliant manner.

Although AWS has access to certain layers of the services we use from them (e.g. when needed they can see what accounts we have with them and the RIPE NCC staff appointed as contact persons for the AWS services we use), we employ encryption requirements for all data that is not public and we have strict access controls. Furthermore, we monitor all activities in our AWS accounts, including access to our services in the cloud.

We are monitoring developments that are happening in the privacy world following the Schrems II ruling and the EDPB's recommendations. Given the current legal uncertainty that exists in this field, we are definitely not in a position to confirm that by just adopting the current Standard Contractual Clauses, an international transfer becomes lawful. Whenever we evaluate a case that might involve transfers of personal data, we assess the situation against the particular technical safeguards each service provider is offering to understand what supplementary measures are required to protect our information. This review is a constant process, and we will adjust our practices when required in order to meet the changing legal requirements.

Kind regards,
Maria Stafyla
Senior Legal Counsel
RIPE NCC

On 19/05/2021 23:00, Martin Millnert wrote:
Dear Maria,

Thank you for your valuable response.

On 2021-05-19, at 16:12:33, Maria Stafyla wrote:
> Dear Martin,
>
> As part of our cloud first strategy, we have put in place policies mandating that if we decide to migrate to cloud a service that contains personal data, this data will be stored and processed in data storage locations within the EEA. When personal data is not processed outside the EEA, there is no transfer of personal data occurring.

This is technically correct, but as you note in your following paragraph, there are always "but"s.

> In the event that for example access to our data is required from outside the EEA (e.g. we request technical support from the cloud provider and this gets provided by technical staff outside the EEA), one of the transfer mechanisms offered under the GDPR, such as transfers based on an adequacy decision issued by the European Commission, Standard Contractual Clauses etc., would serve as the legal basis for this transfer to take place. The most common transfer mechanisms that we see being used by our service providers are the Standard Contractual Clauses and valid adequacy decisions.

To the best of my knowledge, AWS has not stated in a legally binding way that there are methods that their customers can use to ensure that this cannot occur, in the US-based technical support scenario. It would be valuable if you could share any information to the contrary, if you are aware of any. (MS Azure has recently mentioned they're working to provide a method for this during 2022 - with EEA based technical support, etc., in other words also confirming that it is *not* currently the case.)

> With regards to international transfers of personal data based on the Standard Contractual Clauses, we perform an assessment to understand what additional measures are required to be put in place on a case-by-case basis. Examples include technical (e.g. limiting access to the data that is strictly necessary for the particular case) and contractual measures (e.g. verifying the provider's transparency with regards to received orders to disclose their customers' data and how they respond to those requests).

Technical support is of course not the only method by which an international transfer could take place of data hosted within the EEA.

Maria, is it the RIPE NCC position that Standard Contractual Clauses, in the case of the USA where an adequacy decision does not exist (and probably won't for a good while), alone can repair the issues brought forward by the CJEU in its judgement in C-311/18 when it comes to Section 702 of FISA (or EO 12333)?

If not, what particular supplementary measures is the RIPE NCC seeking to employ to neutralize the use of those collection constructs against its data hosted on AWS within the EEA?

> Regarding your last question, we would like to reassure you that before we migrate a service to the cloud various internal stakeholders including technical, security, legal, communications and other colleagues are consulted to advise on the matter. These analyses are meant for internal purposes.

Thank you for this reassurance! I think a significant number of organisations within the EU are wondering how and in what ways it currently can be legally possible to process PII on AWS - even if hosted within the EEA - given the above. It would be very valuable to learn of your findings in this regard going forward, particularly since it is a bit of a moving target, interpretation-wise.

Kind regards,
--
Martin Millnert