One argument we hear from time to time is that storage of personal data at US cloud service providers' European data centers is unlikely to involve a "transfer" of personal data to the United States in the legal sense. A consequence would then be that such services fall outside the scope of Schrems II. In our view, that argument is problematic since the location of physical storage as such is not essential to the assessment of whether there has been a "transfer" to third countries in the legal sense.
The EU's design of a pan-European legal framework for privacy originally came out of the need to address the challenges of increasing cross-border data traffic. One might think then that the central concept of "transfer" is defined in the GDPR - but it is not. Nor was the term defined in the former legal framework. The EU's own data protection authority (EDPS) wrote in a position memo of 14 July 2014 that the term "transfer of personal data" ought to be defined in the (then-upcoming) GDPR. Furthermore, EDPS stated that the term normally consists of the following elements:
"Communication, disclosure or otherwise making available of personal data, conducted with the knowledge or intention of a sender subject to the Regulation that the recipient(s) will have access to it."
The preparatory document of the Norwegian Personal Data Act of 2018 states (Prop. 56 LS) that neither the former Personal Data Act nor the EU Directive provide any definition of "transfer", but in practice the term concerns the movement or access to personal data across national borders.
The quotes demonstrate a central point: Transfer is not just "moving" large amounts of data for storage on a physical server. Transfer can also happen through access to the personal data. Access can mean physical access to the storage location, but it can also mean access over the web, often called remote access, which can be established both domestically and across borders.
Right after the Schrems II decision the European Data Protection Board (EDPB) published a "FAQ"-document about the decision (on 23 July). Section 11 provides further guidance on what constitutes a "transfer":
"11) I am using a processor that processes data for which I am responsible as controller, how can I know if this processor transfers data to the U.S. or to another third country?
- The contract you have concluded with your processor in accordance with Article 28.3 GDPR must provide whether transfers are authorised or not (it should be borne in mind that even providing access to data from a third country, for instance for administration purposes, also amounts to a transfer).
- Authorization has also to be provided concerning processors to entrust sub-processors to transfer data to third countries. You should pay attention and be careful, because a large variety of computing solutions may imply the transfer of personal data to a third country (e.g., for storage or maintenance purposes)."
For cloud services, high availability requirements are normally required, often "24/7/365". In order for this to be practically feasible, technical personnel may have to access the database containing personal data – encrypted or not – through remote access from different time zones. In other words, a "transfer" happens if a consultant/operator in the United States can access personal data on a European server, for example when supporting an ERP system. Many cloud service providers have also explicitly reserved the right to grant such remote access in its standard agreements with the customer. Other providers mention it only vaguely or not at all - and when being asked directly, some providers respond in an elusive manner.
Schrems II may therefore have consequences for service and support on cloud services based on global remote access. The fact that the provider explicitly restricts the storage location to a European location does not automatically result in Schrems II being irrelevant. That said, and while the Schrems II decision imposes stricter requirements on transfers, personal data may in many cases still be transferred to the United States and other third countries based on the EU Standard Contractual Clauses, but necessary safety mechanisms must be added. The EDPB will render guidance on how such safety mechanisms may look later this month, and we will be back with more information shortly thereafter.