A question that comes up regularly in discussions with corporates is whether transferring data to Amazon Web Services (AWS) or Microsoft Azure counts as a cross-border transfer. In many cases, the answer is yes.
What is a cross-border transfer?
As the name implies, a cross-border transfer is when data traverses a physical country border, for example, storing data about your South African clients on a server in Ireland. Viewing or otherwise accessing that data from South Africa also constitutes a cross-border transfer between the two regions; it is not only the initial upload that counts.
Why is a cross-border transfer significant?
In most privacy laws, including GDPR and POPIA, cross-border transfers are regulated and require some form of permission or agreement before they take place. This applies to transfers to cloud services, between branches, to outsourcing partners, and to any other arrangement that requires data to leave the country.
Some laws, such as those in Australia, have gone as far as regulating VPN access, because many companies were treating remote viewing as a grey area to get around the fact that even viewing data from another region constitutes a cross-border transfer.
What about other cloud services?
While AWS and Azure give you some control over which datacentres you use, other services such as Dropbox or Office 365 are blurrier about where they store data. By virtue of using those services you are performing cross-border transfers, but to which country is the data going?
What can you do?
There are a number of things that you can do to bring yourself in line with regulation.
First and foremost, knowing which services you use and in which datacentres your data lies will stand you in good stead. In general, transferring data across a border to a country with privacy laws equivalent to your own is acceptable.
Secondly, obtain permission from your data subjects, and state clearly in your privacy policy and contracts that a cross-border transfer of their data may take place (assuming it isn't medical data, which takes on a whole new meaning; more on that in a future article).
Lastly, where possible, spool up services in datacentres where your clients reside and use those to avoid a cross-border transfer. This is difficult in South Africa, where Microsoft and Amazon do not have a datacentre footprint, however both companies are well on their way to providing services in-country, with Microsoft’s offering said to launch later in 2019.
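Knowing where your data lies is one thing; preventing an engineer from quietly spinning up a resource in the wrong region is another. On AWS, the control for this is an Organizations Service Control Policy (SCP) that denies any API call whose target region is outside your chosen residency boundary. The policy below is an added example for this article, not something from AWS's own documentation or from the consultancy; the allowed region (eu-west-1, Ireland, to match the example above) and the list of exempted global services are assumptions you would tailor to your own footprint.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsOutsideResidencyBoundary",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "support:*",
        "budgets:*",
        "cloudfront:*",
        "route53:*",
        "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-west-1"
          ]
        }
      }
    }
  ]
}
```

Two caveats a practitioner will want. First, the `NotAction` list exists because AWS global services (IAM, STS, Route 53, CloudFront and so on) are served from us-east-1 and would otherwise be blocked by the region condition; trim or extend that list to what your accounts actually use, and review it whenever a new global service is adopted. Second, an SCP only constrains new API calls; it does nothing about data already sitting in a disallowed region, so pair it with an inventory of existing resources per region before you enforce it. Azure has an equivalent built-in policy definition, "Allowed locations", that restricts the regions into which resources may be deployed.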
Beyond the above, each company has different requirements and responsibilities when it comes to data, and there is no "one size fits all" approach. It can therefore be worthwhile to bring in a consultant to assist with the technicalities of your cross-border transfers. Additional mechanisms such as binding corporate rules can often be put in place, but these would need to be tailored to each organisation.
Ross G Saunders Consulting is part of a network of partners that can assist in your data privacy needs, reach out today should you wish to meet up for a discussion around your data privacy processes.
It's important to remember, with cross-border data transactions with regard to POPIA:
1) The USA does not in any way cover any of the requirements from POPIA, and no data should be stored in any data center located in the USA (dated 20190115).
2) The GDPR covers most of the requirements, and in general storing data in Europe is acceptable if:
a) You have notified the user and received acceptance for storing data in the cloud.
b) The terms and conditions of usage adhere to GDPR for basic and non-jargon terms highlight.
AWS and Azure should only be used in countries that have adopted GDPR, and this gives you a wide range of centers to use.
Storage in Asia and the Pacific should currently be avoided; this is particular to AWS S3/5.
Thanks Marc, indeed good points. Also important regarding the USA in relation to GDPR is that any provider used should be certified under the Privacy Shield. The list of certified members can be found here: https://www.privacyshield.gov/list. There was a backlog for quite some time for companies wishing to get on the list (particularly around GDPR's go-live); I'm hoping that's been resolved.
The Privacyshield is dead!
How so Peter?