Problem Statement

ABC is a US-based taxi service company with a subsidiary operating in the EU. Through its EU operations, ABC collects personal data of EU residents such as names, addresses, travel history, location data, and payment details when customers pay by card.

While the data is collected in the EU, it is stored and processed on the IaaS of a third-party cloud provider used by the US-based parent company. The cloud provider is American, and its data centers are located in the United States and parts of the APAC region. As a result, EU residents' data ultimately resides in US data centers.

Question

What due diligence should the EU subsidiary have performed before adopting this arrangement, and which laws and transfer mechanisms apply to make it lawful from a legal and compliance perspective?

Key Concepts to Consider

  • IaaS — cloud infrastructure and the shared responsibility model
  • Data Sovereignty — the legal jurisdiction over data based on where it resides
  • Data Localization — requirements to store data within specific geographic boundaries
  • Data Residency — where data physically lives
  • Privacy Impact Assessment (PIA) — documented assessment of privacy risks
  • Binding Corporate Rules (BCR) — intra-group transfer mechanism
  • EU–US Data Privacy Framework (DPF) — adequacy mechanism for US transfers
  • GDPR Art. 44–49 — rules governing third-country data transfers