Hi, looking for some guidance if possible please.
We are considering use of Fly to host a couple of our applications. They are “packaged” into containers and deployed into specific data centers and not moved. We would be using their UK based data centers – should I still consider using SCCs?
Using SCCs
DPOandCyber
https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf
The current UK SCCs are likely to have a very short shelf life (it is likely we will see new ones in 2022 based off the ICO consultation carried out). If those draft ones get approved through parliament, then there will be a handy addendum that takes the EU SCCs and makes them compliant with UK GDPR.
DPOandCyber
This is a great example of a grey area! The most important thing is to document your thought processes in an assessment. The source of the data (if there is data relating to EU individuals then it requires EU GDPR) is important when considering how you approach your assessment.
You may wish to take a look at the EDPB guidance and carry out the checklist. Based on the question, data of UK and potentially EU individuals is accessible by a US organisation that could be compelled through the likes of a FISA request to use the data for other than its intended use. This is where your assessment comes in handy. The main question to ask is whether the data you process is likely to present real or significant harm to the individuals if it is compromised; then assess the risk of the setup based on your answer.
The EDPB guidance offers what is more commonly known as a Transfer Impact Assessment or TIA.
Caroline
Hi, apologies, I should have mentioned that we are based in the UK and would opt to use the UK data center, so technically the data doesn’t leave the UK; however, the organisation is US based and may well have access to our data – limited though that is. Would a DPA still be sufficient for this?
d9d9d9
Hi Caroline! If you’re referring to Fly Software Ltd – it is a UK company and therefore a DPA would be enough and no transfer tool should be needed if your company is in the UK, too. As far as I know the jury is still out on how US surveillance laws (e.g. Cloud Act and FISA) impact UK/EU companies with US parent companies. Maybe someone else in the community knows more?
If you decide to play it safe and apply a transfer tool, I can only say that the ICO announced that the old SCCs are still valid for third country transfers. You can find the adapted versions and more info about the post-Brexit context here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/sccs-after-transition-period/
d9d9d9
If your data leaves the UK and gets transferred to a third country that doesn’t enjoy the luxury of an EU Commission Adequacy decision, you have to use a transfer tool, e.g. the new SCCs (https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj). Since Schrems II you’ll also have to assess the standard of data protection of the recipient country (https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf and https://edpb.europa.eu/sites/default/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf).
BlueBottle
You’re right, and it’s a good answer, *but* the OP is in the UK so cannot use the new EU SCCs to export data outside the UK to a country not subject to adequacy regulations, and would need to use the ICO’s modified version of the “old” EU SCCs.
The new UK IDTA would be the transfer tool once approved, but they’ve also got an addendum for the new EU SCCs where it’s not possible/practicable to modify terms.
d9d9d9
Hi! If you’re located in the EEA and want to use a processor in the UK you don’t have to enter into SCCs since the EU Commission issued an Adequacy decision for transfers to the UK. So, if the data stays in the UK you don’t have to take any extra steps to render the data transfer lawful beyond entering into a regular Art. 28 GDPR DPA. E.g. you could use the new standard DPA by the EU Commission (https://eur-lex.europa.eu/eli/dec_impl/2021/915/oj).