So far in this course on Data Protection and Cybersecurity in the Cloud, we have been exploring the application to cloud services of EU data protection laws, and in particular the General Data Protection Regulation, or GDPR. This week, we will look at the GDPR's international reach and the impact it has on transfers of personal data across borders. Remote processing of, and remote access to, data are essential features of most cloud services. Cloud computing is built around technologies that utilize servers and other computing resources as efficiently as possible, wherever they may be located. The customers of cloud services, whether these customers are individuals or organizations, may also be located anywhere and customers may process not only their own data, but also information about other individuals such as their employees, customers, or other business contacts. These people, in turn, may be located in different parts of the world. This all means that international data transfers occur on a vast scale in the context of cloud services. What will this week cover? To understand how the relevant GDPR rules apply to cloud computing, we will investigate four main topics. First, the territorial scope of the GDPR. Second, the restriction on transfers to so-called third countries. Third, legal mechanisms that may justify such transfers, and fourth, derogations or exceptions from the third country transfer restriction. So we'll start with the territorial scope of the GDPR. We're going to explore why and how the GDPR has the potential to regulate the processing of personal data anywhere in the world. There are two main ways in which the GDPR may apply in a particular case. One is where a relevant controller or processor, such as a cloud customer or service provider, is established in one of the 27 EU member states, or in Iceland, Liechtenstein, or Norway, the three additional countries that with the EU make up the European Economic Area. As in the previous week of this course, when we refer to EU data protection law, you can assume generally that the same rules will apply in the other EEA countries as well. The other way in which GDPR may apply is where a controller or processor that is outside the EU processes personal data to offer goods or services to, or to monitor the behavior of, individuals who are in the EU. Next, we will look at the regulation of transfers of personal data to countries outside the EU, and what this means for cloud providers and their customers. We will learn that EU data protection law has a general prohibition on transferring personal data to a so-called third country unless certain conditions are met. We will consider the key questions of, what is a transfer, and what is a third country, as well as the reasons for and practical impact of this restriction. Thirdly, we'll look at the main transfer mechanisms, sometimes called transfer instruments or transfer tools, on which cloud providers and their customers might rely when they want to transfer personal data outside the EU. Of particular relevance are adequacy decisions covering countries that the European Commission has determined have an adequate level of protection for personal data, as well as standard contractual clauses, which are the most widely used tool for demonstrating that appropriate safeguards are in place when data are transferred to countries that have not been designated as providing an adequate level of protection. Finally, we will consider the so-called derogations from the transfer restriction. These cover situations in which, even in the absence of an adequacy decision or of appropriate safeguards, the GDPR may nevertheless permit transfers of personal data outside the EU. For example, a transfer might be permitted where the data subject has consented to it, or where the transfer is necessary to establish or perform a contract. At the end of this week, you will know how the GDPR applies to international transfers of personal data in cloud computing. Please remember, when we refer to EU data protection law and EU member states, in most cases the same rules will apply in Iceland, Liechtenstein, and Norway which together with the EU, make up the European Economic Area, or EEA.
