Webinar FAQ 4: Can I rely on statements by US and other non-EEA/Equivalency Country cloud providers that their Standard Contractual Clauses (SCCs) enable lawful data transfer under Schrems II?

No. Data controllers have an affirmative obligation to ensure that SCCs are augmented with “supplementary measures” that ensure protection equivalent to EU data protection laws. This obligation remains the sole obligation of a data controller under Schrems II unless it is expressly assumed by a cloud provider, in which case it becomes a shared responsibility of the parties.

Cloud providers operate under a “Shared Responsibility Model” under which they assume certain responsibilities and other responsibilities remain the responsibility of the customer. The following chart from the Cloud Security Alliance (CSA)¹ highlights that customers are responsible for securing what’s under their control, including:

“Information and Data: By retaining control over information and data, you maintain how and when your data is used. Your provider has zero visibility into your data, and all data access is yours to control by design.”

For this reason, a “one-size-fits-all” approach to Standard Contractual Clauses (SCCs) with cloud providers is not possible under Schrems II. Different service arrangements will involve different elements for which the cloud provider and the customer assume different responsibilities.² The obligation to provide “supplementary measures” that ensure protection equivalent to EU data protection laws remains the sole obligation of a data controller under Schrems II unless it is expressly assumed by a cloud provider, in which case it becomes a shared responsibility of both parties. Cloud provider SCCs by themselves do not make international data transfers lawful under Schrems II.

GDPR Article 28(1) imposes an affirmative obligation on controllers to “use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of [the GDPR] and ensure the protection of the rights of the data subject.” The CSA Code of Conduct for GDPR Compliance highlights this obligation as follows:

“A pre-condition for relying on cloud computing arrangements is for the controller [cloud client] to perform an adequate risk assessment exercise, including the locations of the servers where the data are processed and the consideration of risks and benefits from a data protection perspective.”³

GDPR Article 82(3) limits the liability of a cloud provider as a data processor or co-controller “if it proves that it is not in any way responsible for the event giving rise to the damage” (emphasis added). Unless a cloud provider expressly assumes responsibility for “supplementary measures” that ensure protection consistent with EU data protection laws, the existence of SCCs will not relieve the data controller of its obligation to ensure compliance with Schrems II.

The cloud provider “Shared Responsibility Model” highlights the importance of additional safeguards that enable an EU data controller to exclusively control the re-linkability of personal data. With appropriate Schrems II compliant additional safeguards, a data controller can retain exclusive control over identity re-linkability to eliminate the risk of surveillance. This benefits the data controller, the cloud provider and all of the data subjects whose fundamental rights are protected.⁴