Something that comes up in regular discussions with corporates is that of whether transferring data to Amazon Web Services (AWS) or Microsoft Azure counts as a cross-border transfer, and in many cases, the answer is yes!

What is a cross-border transfer?

As the name implies, a cross-border transfer is when data traverses a physical country border, for example, storing data of your South African clients on a server in Ireland. Any form of viewing or accessing this data from South Africa would constitute a cross-border transfer between regions.

Why is a cross-border transfer significant?

In most privacy laws, including GDPR and POPIA, cross-border transfers are regulated and require some form of permission or agreement for doing so. This applies to transfers to cloud services, between branches, outsourcing, and any other form of arrangement that requires data to leave the country.

Some laws, such as those in Australia, have gone as far as regulating VPN access – as many companies were using this as a grey area in order to get around the fact that even viewing data from another region constitutes a cross-border transfer.

What about other cloud services?

While you may have some control with AWS and Azure as to which datacentres you use, other services such as Dropbox or Office365 become a bit blurrier as to where they store data. By virtue of using the services, you are performing cross-border transfers, but where is the data going?

What can you do?

There are a number of things that you can do to bring yourself in line with regulation.

First and foremost, knowing which services you use and in which datacentres they lie will stand you in good stead. In general, transferring data across a border to a country with equivalent privacy laws to your own is acceptable.

Secondly, obtain permission from your data subjects and state clearly in your privacy policy and contracts that a cross-border transfer may take place with their data (assuming it isn’t medical data, that takes on a whole new meaning, more on that in a future article).

Lastly, where possible, spool up services in datacentres where your clients reside and use those to avoid a cross-border transfer. This is difficult in South Africa, where Microsoft and Amazon do not have a datacentre footprint, however both companies are well on their way to providing services in-country, with Microsoft’s offering said to launch later in 2019.

Beyond the above, each company has different requirements and responsibilities when it comes to data, and there is no “one size fits all” approach. As such, it can be worthwhile to get a consultant in to assist in your cross-border transfer technicalities. Additional mitigations such as binding corporate rules can often be put in place, however these would be tailored for each organisation.

Ross G Saunders Consulting is part of a network of partners that can assist in your data privacy needs, reach out today should you wish to meet up for a discussion around your data privacy processes.

Share This

Share this post with your friends!