In several documents published after the Schrems II judgment, the European Data Protection Board (EDPB) states that it should be borne in mind that even if the data is located and operated in datacenters within the EEA, providing access to that data from a third country, for instance for administration purposes, also amounts to a transfer (inter alia Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, paragraph 8, footnote 22, and paragraph 13, footnote 27, and FAQ no. 11 in the EDPB Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, 23 July 2020).
The EDPB Frequently Asked Questions on Schrems II on the concept of “transfer”
In the EDPB Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, 23 July 2020 (FAQ no. 11), the EDPB states:
The contract you have concluded with your processor in accordance with Article 28.3 GDPR must provide whether transfers are authorized or not (it should be borne in mind that even providing access to data from a third country, for instance for administration purposes, also amounts to a transfer). (Emphasis added).
Datacenters in Europe – Access to Datacenter infrastructure by technicians located outside Europe
Numerous businesses and public bodies (customers – data controllers) today use cloud services, either in the form of SaaS, IaaS, or PaaS. They enter into agreements under which the cloud providers (e.g. AWS, Microsoft, Google or Oracle) agree to store the data in European datacenters only and not to transfer it to any third country (including the US), and the customers rely on this.
The big question, in light of the EDPB guidance on the concept of “transfer”, is whether the data processors (even where the data is stored in datacenters in Europe) must be considered to transfer data outside the EEA, with the consequence that the EDPB recommendations must be followed.
The agreements and policies of the vendors are far too complex.
After having analyzed the agreements and the data protection documentation of several of the most important cloud vendors, I have found that (even if it is virtually impossible to navigate the various documents forming the agreement they have with their customers), in most cases there is access to the infrastructure in the datacenters by personnel located outside the EEA.
This documentation is very fragmented, with many cross references between documents, and it is very difficult to assess what it actually means in terms of data location and access by vendor personnel from outside the EEA.
The crucial question is whether the use of the cloud vendors' services must always be regarded as a transfer of data to a third country.
There may be different scenarios for access by technicians. The following are just a few examples:
- The data controller engages someone outside Europe to analyze certain personal data in a database located in a European datacenter and grants that person access for the purpose of performing the analysis. I think it is correct to look at this as a transfer of the personal information.
- The data controller has a technical problem and grants access to personal information to a support person located outside Europe for the purpose of support and assistance with the problem. In such cases I also think it is correct to look at this as a transfer of the personal information.
- The data controller has set up his systems on the infrastructure of a data processor. The data controller is in control of his systems and has implemented strong encryption for data at rest and for data in transit, to prevent access to the data by support personnel of the data processor and to protect data in transit against interception by unauthorized third parties (including surveillance authorities or law enforcement entities of a third country). He further has full control of the encryption keys. In this scenario the technicians of the data processor from outside the EEA have access to the technical infrastructure only for operational purposes, to handle faults and operate the infrastructure. They do not in this case have access to any personal information in an intelligible form.
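Scenario 3 stands or falls on one technical property: the processor's technicians (and anyone who obtains what sits on the processor's storage) hold only ciphertext and keys they cannot unwrap. The following Go program is an added illustration of that property; it is not code from the original post or from any of the vendors named above. It implements client-side envelope encryption with AES-GCM: each object is encrypted under a fresh data key, and the data key is wrapped under a key-encryption key (KEK) that the controller keeps outside the processor's infrastructure. The key values, object identifier and record contents are constructed sample data. Two caveats a practitioner should keep in view: if the KEK lives in the provider's own key management service, or on a host the provider's technicians administer, the "full control of the encryption keys" premise of scenario 3 no longer holds; and encryption at rest and in transit says nothing about data in use, so a workload that decrypts the data on the provider's machines exposes plaintext to whoever operates those machines.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is the record as it sits on the processor's infrastructure.
// A technician with full operational access to the datacenter sees exactly
// these fields and nothing else: no plaintext and no unwrapped data key.
type StoredObject struct {
	Nonce      []byte // AES-GCM nonce used for the data encryption
	Ciphertext []byte // personal data encrypted under a per-object data key (DEK), tag included
	WrappedDEK []byte // DEK encrypted under the customer-held KEK, laid out as wrapNonce || ciphertext
}

// newGCM builds an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and binds aad.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// open decrypts and authenticates ct; any change to ct, nonce or aad fails.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt runs on the controller's side before the object is uploaded.
// kek is the customer-held key-encryption key (assumed to live in an HSM or
// key store the controller operates); it is used here and never leaves the
// controller. objectID is bound as associated data so a stored object cannot
// be silently moved under another record.
func Encrypt(kek, plaintext []byte, objectID string) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredObject{}, err
	}
	nonce, ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Nonce: nonce, Ciphertext: ct, WrappedDEK: append(wrapNonce, wrapped...)}, nil
}

// Decrypt is the only path back to plaintext and it needs the KEK. Anyone who
// holds the StoredObject but not the KEK (the processor's technicians, or an
// authority that obtains a copy of the stored data) gets an error, not data.
func Decrypt(kek []byte, obj StoredObject, objectID string) ([]byte, error) {
	const gcmNonceSize = 12 // default nonce size of cipher.NewGCM
	if len(obj.WrappedDEK) < gcmNonceSize {
		return nil, errors.New("malformed wrapped key")
	}
	dek, err := open(kek, obj.WrappedDEK[:gcmNonceSize], obj.WrappedDEK[gcmNonceSize:], []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, obj.Nonce, obj.Ciphertext, []byte(objectID))
}

// ExposesPlaintext reports whether any stored field contains the plaintext
// verbatim: the check to run against a dump of what the processor holds.
func ExposesPlaintext(obj StoredObject, plaintext []byte) bool {
	return bytes.Contains(obj.Ciphertext, plaintext) || bytes.Contains(obj.WrappedDEK, plaintext)
}

func main() {
	// Constructed sample: a customer-held 256-bit KEK and one record of personal data.
	kek := bytes.Repeat([]byte{0x42}, 32)
	record := []byte(`{"name":"Example Person","email":"person@example.eu"}`)
	obj, err := Encrypt(kek, record, "customer-42/record-1")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored object: %d bytes ciphertext, plaintext visible: %v\n", len(obj.Ciphertext), ExposesPlaintext(obj, record))
	_, err = Decrypt(bytes.Repeat([]byte{0x99}, 32), obj, "customer-42/record-1")
	fmt.Println("decrypt with a key the processor might hold:", err)
	pt, err := Decrypt(kek, obj, "customer-42/record-1")
	fmt.Println("decrypt with the customer KEK:", string(pt), err)
}
```

The second Decrypt call in main models an operator trying any key that is not the customer's KEK; AES-GCM rejects it before releasing a byte of plaintext. The same authentication makes a ciphertext copied from one record to another, or modified in storage, fail to decrypt, which is the property that lets the controller argue the processor's personnel never see personal data in an intelligible form.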
The EDPB FAQs and the EDPB guidance regarding Schrems II do not break down the access scenarios in sufficient granularity to assess whether the EDPB is of the opinion that scenario 3 must also be regarded as a transfer of personal information.
My personal opinion is that scenario 3 should not be treated as transfer of personal data to a third country.
Given the lack of clarity, however, my advice to clients is that they should also in this scenario follow the guidelines of the EDPB: they should enter into SCCs with the data processor, and they should describe the contractual, organizational and technical measures they have implemented in addition to those included in the Standard Contractual Clauses. Further, this should be taken into account in their risk assessment and included and documented in their internal control documentation. The risk the data controller runs if not is a penalty of 4 % of gross global turnover or 20 million euro, whichever is higher!