International data transfers: mind the difference between hosting and support
The dust may have settled somewhat by now, but market parties still have no clarity about the conditions under which data transfers to organisations in the United States are permitted after Schrems II. Until then, most transfers to the US can be called risky, which was also recently shown by a sanction imposed by the regulator in Bavaria. There, a company that used MailChimp to send newsletters was reprimanded for unlawfully transferring personal data to the US (note: the fact that SCCs had been agreed with MailChimp did not alter this conclusion). It is therefore wise to limit transfers to the US where possible. A common mistake is that arrangements are made about hosting, but not, for example, about support.
The major platforms almost all offer the option to store customer data at rest in data centres in the European Economic Area (EEA). If this option is chosen, the cloud service provider is obliged to store the customer’s data only on servers that are physically located within the EEA. There is a tendency to think that such agreements by themselves are sufficient, but that may not quite be the case.
Many large platforms use a “24/7/365 follow the sun” principle when providing support. In order to be able to offer support at any time of the day, it is useful if customers can call on support departments in other time zones. A customer in the Netherlands who experiences a failure late at night can then be helped by an employee in India who is just starting his working day or by an employee in the US whose working day is nearing the end. It should be kept in mind that when support staff from third countries access customer data hosted in the EEA, there is a transfer of personal data. And therefore of a risk of fines and / or claims for damages.
How do the major platforms deal with this? Microsoft, Google and AWS all base restricted intra-company transfers of personal data on the SCCs. Microsoft recently launched the EU Data Boundary initiative, in which Microsoft stated that it intends to offer customers in the EEA in the near future the possibility to store data not only at rest in the EEA, but also to process such data exclusively within the EEA. Oracle bases transfers to other Oracle affiliates on its BCRs, which have been approved by the Irish regulator. As with transfers based on the SCCs, a case-by-case analysis is prompted when making transfers on the basis of BCRs in order to assess if personal data indeed remain adequately protected after the transfer.
Naturally, there is also an international transfer if end users in a third country connect to the services, for example when employees log in from a holiday address or during a business trip. If an organisation wants to exclude risks in connection with international data transfers as much as possible, it is important to make appropriate arrangements about this, first of all within the organisation itself and possibly also with the relevant service provider. Also from a cybersecurity perspective it may be wise not to allow connections from certain geographic regions.
And last but not least
The challenge for organisations to keep control over their data, to make maximum use of that data and to comply with applicable laws and regulations is increasing. To comply with regulations on international data transfers, making arrangements about data storage alone is not enough. In addition, organisations should, where appropriate, consider making arrangements with staff and about offsite IT-support.
Would you like to know more about international data transfers? Feel free to contact our team.
Jeroen van Helden, attorney-at-law IT, IP & Privacy