<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body>
<p class="MsoNormal"><font size="-1" face="monospace"><span
style="font-size: 9pt;" lang="EN-GB">Hi Martin,</span></font></p>
<font size="-1" face="monospace"> </font> <font size="-1"
face="monospace"> </font>
<p class="MsoNormal"><font size="-1" face="monospace"><span
style="font-size: 9pt;" lang="EN-GB">Apologies it�s taken a
while to respond.</span></font></p>
<font size="-1" face="monospace"> </font>
<p class="MsoNormal"><font size="-1" face="monospace"><span
style="font-size: 9pt;" lang="EN-GB">If we require technical
support from AWS, this would be provided by someone within or
outside the EEA depending on the time of day we open our
support request and the time zone.</span></font><font
size="-1" face="monospace"> <br>
</font></p>
<font size="-1" face="monospace"> </font>
<p class="MsoNormal"><font size="-1" face="monospace"><span
style="font-size: 9pt;" lang="EN-GB">Regardless of where the
support comes from (i.e. within or outside the EEA), AWS
technical support staff will not gain access to our customer
content data unless it is authorised by us. Such authorisation
to access our content has not been required or provided by us
for any of our support requests so far. If a request to access
our content�is necessary, we will ensure that this is
authorised only if there are safeguards to protect our content
and access is granted in a legally compliant manner.</span></font><font
size="-1" face="monospace">�</font></p>
<p class="MsoNormal"><font size="-1" face="monospace"><span
style="font-size: 9pt;" lang="EN-GB">Although AWS has access
to certain layers of the services we use from them (e.g. when
needed they can see what accounts we have with them and the
RIPE NCC staff appointed as contact persons for the AWS
services we use), we employ encryption requirements for all
data that is not public and we have strict access controls.
Furthermore, we�monitor all activities in our AWS accounts,
including access to our services in the cloud.</span></font></p>
<font size="-1" face="monospace"> </font> <font size="-1"
face="monospace"> </font>
<p class="MsoNormal"><font size="-1" face="monospace"><span
style="font-size: 9pt;" lang="EN-GB">We are monitoring
developments that are happening in the privacy world following
the Schrems II ruling and the EDPB's recommendations. Given
the current legal uncertainty that exists in this field, we
are definitely not in a position to confirm that by just
adopting the current Standard Contractual Clauses, an
international transfer becomes�lawful.</span></font></p>
<font size="-1" face="monospace"> </font>
<p class="MsoNormal"><font size="-1" face="monospace"><span
style="font-size: 9pt;" lang="EN-GB">Whenever we evaluate a
case that might involve transfers of personal data, we assess
the situation against the particular technical safeguards each
service provider is offering to understand what supplementary
measures are required to protect our information.</span></font>
<font size="-1" face="monospace"> </font> <font size="-1"
face="monospace"><span style="font-size: 9pt;" lang="EN-GB"></span></font><br>
<font size="-1" face="monospace"><span style="font-size: 9pt;"
lang="EN-GB"></span></font></p>
<p><font size="-1" face="monospace"><span style="font-size: 9pt;"
lang="EN-GB"> This review is a constant process, and we will
adjust our practices when required in order to meet the
changing legal requirements.</span></font></p>
<p><font size="-1" face="monospace"><span style="font-size: 9pt;"
lang="EN-GB">Kind regards,�</span></font></p>
<p><font size="-1" face="monospace"><span style="font-size: 9pt;"
lang="EN-GB">Maria Stafyla<br>
Senior Legal Counsel<br>
RIPE NCC<br>
</span></font></p>
<p><font size="-1" face="monospace"><span style="font-size: 9pt;"
lang="EN-GB"><br>
</span></font></p>
<div class="moz-cite-prefix">On 19/05/2021 23:00, Martin Millnert
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:YKV8bPxzUsJsmkW0@7fe6adf169fddd1143463152">
<pre class="moz-quote-pre" wrap="">Dear Maria,
Thank you for your valuable response.
On 2021-05-19, at 16:12:33, Maria Stafyla wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Dear Martin,
As part of our cloud first strategy, we have put in place policies mandating that if we decide to migrate to cloud a service that contains personal data, this data will be stored and processed in data storage locations within the EEA. When personal data is not processed outside the EEA, there is no transfer of personal data occurring.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
This is technically correct, but as you note in your following
paragraph, there are always "but"'s.
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">In the event that for example access to our data is required from outside the EEA (e.g. we request technical support from the cloud provider and this gets provided by technical staff outside the EEA), one of the offered under GDPR transfer mechanisms such as transfers based on an adequacy decision issued by the European Commission, Standard Contractual Clauses etc would serve as the legal basis for this transfer to take place. The most common transfer mechanism that we see being used by our service providers are the Standard Contractual Clauses and valid adequacy decisions.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
To the best of my knowledge, AWS has not stated in a legally binding way
that there are methods that their customers can use to ensure that this cannot
occur, in the US-based technical support scenario.
It would be valuable if you could share any information to the contrary,
if you are aware of any.
(MS Azure has recently mentioned they're working to provide a method for
this during 2022 - with EEA based technical support, etc, in other words
also confirming that it is *not* currently the case.)
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">With regards to international transfers of personal data based on the Standard Contractual Clauses, we perform an assessment to understand what additional measures are required to be put in place on a case-to-case basis. Examples include technical (e.g. limiting access to the data that is strictly necessary for the particular case) and contractual measures (e.g. verifying the provider's transparency with regards to received orders to disclose their customer's data and how they respond to those requests).
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
Technical support is of course not the only method by which an
international transfer could take place of data hosted within the EEA.
Maria, is it the RIPE NCC position that Standard Contractual Clauses,
in the case of the USA where an adequacy decision does not exist (and
probably won't for a good while), alone can repair the issues brought
forward by CJEU in its judgement in C-311/18 when it comes to Section
702 of FISA (or EO 12333)?
If not, what particular supplementary measures is the RIPE NCC seeking
to employ to neutralize the use of those collection constructs from its data
hosted on AWS within the EEA?
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Regarding your last question, we would like to reassure you that before we migrate a service to the cloud various internal stakeholders including technical, security, legal, communications and other colleagues are consulted to advise on the matter. These analysis are meant for internal purposes.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
Thank you for this reassurement! I think a significant amount of
organisations within the EU are wondering how and in what ways it currently
can be legally possible to process PII on AWS - even if hosted within the EEA -
given the above. It would be very valuable to learn of your findings in this
regard going forward, particularly since it is a bit of a moving target,
interpretation wise.
Kind regards,
--
Martin Millnert
</pre>
</blockquote>
</body>
</html>