Dear Maria,

Thank you for your valuable response.

On 2021-05-19, at 16:12:33, Maria Stafyla wrote:
Dear Martin,
As part of our cloud-first strategy, we have put in place policies mandating that if we decide to migrate to the cloud a service that contains personal data, this data will be stored and processed in data storage locations within the EEA. When personal data is not processed outside the EEA, there is no transfer of personal data occurring.
This is technically correct, but as you note in your following paragraph, there are always "buts".
In the event that, for example, access to our data is required from outside the EEA (e.g. we request technical support from the cloud provider and this gets provided by technical staff outside the EEA), one of the transfer mechanisms offered under the GDPR, such as transfers based on an adequacy decision issued by the European Commission, Standard Contractual Clauses, etc., would serve as the legal basis for this transfer to take place. The most common transfer mechanisms that we see being used by our service providers are the Standard Contractual Clauses and valid adequacy decisions.
To the best of my knowledge, AWS has not stated in a legally binding way that there are methods that their customers can use to ensure that this cannot occur in the US-based technical support scenario. It would be valuable if you could share any information to the contrary, if you are aware of any. (MS Azure has recently mentioned they're working to provide a method for this during 2022, with EEA-based technical support, etc.; in other words, also confirming that it is *not* currently the case.)
With regards to international transfers of personal data based on the Standard Contractual Clauses, we perform an assessment to understand what additional measures are required to be put in place on a case-by-case basis. Examples include technical measures (e.g. limiting access to the data that is strictly necessary for the particular case) and contractual measures (e.g. verifying the provider's transparency with regards to received orders to disclose their customers' data and how they respond to those requests).
Technical support is of course not the only method by which an international transfer of data hosted within the EEA could take place. Maria, is it the RIPE NCC position that Standard Contractual Clauses, in the case of the USA where an adequacy decision does not exist (and probably won't for a good while), can alone repair the issues brought forward by the CJEU in its judgment in C-311/18 when it comes to Section 702 of FISA (or EO 12333)? If not, what particular supplementary measures is the RIPE NCC seeking to employ to neutralize the use of those collection constructs against its data hosted on AWS within the EEA?
Regarding your last question, we would like to reassure you that before we migrate a service to the cloud, various internal stakeholders including technical, security, legal, communications and other colleagues are consulted to advise on the matter. These analyses are meant for internal purposes.
Thank you for this reassurance! I think a significant number of organisations within the EU are wondering how and in what ways it can currently be legally possible to process PII on AWS, even if hosted within the EEA, given the above. It would be very valuable to learn of your findings in this regard going forward, particularly since it is a bit of a moving target, interpretation-wise.

Kind regards,
--
Martin Millnert