Part 1) Storage of files
When you host data with anyone (Microsoft, your Dataroom, file transfer), the files go sit on a bunch of servers, and it’s important to know where those servers are. Most providers are cloud-first, and will literally store stuff everywhere.
For your data there will be storage servers, OCR servers, AI servers and search indexing servers, and all of them will parse each of your files. For users logging in to the service there are also the login servers and all the marketing servers. It’s common for a cloud provider to have in excess of 20 sub-processors, all over the globe.
That doesn’t always play well with a whole raft of compliance legislation – GDPR (EU/UK), HIPAA (USA), CPRA (California), POPIA (South Africa), the Privacy Act (Australia) and so on.
Here’s some example terms from some major providers.
Around the world. To provide you with the Services, we may store, process and transmit data in the United States and locations around the world – including those outside your country. Data may also be stored locally on the devices that you use to access the Services.
Ansarada storage entities – Amazon US, Microsoft US, Oracle US. Actual locations we couldn’t find.
The Parties acknowledge that Ansarada is located in a territory outside of the EEA and the United Kingdom that is not an Adequate Territory under the GDPR or the UK GDPR. Any personal data transfer from the EEA to a location outside the EEA in a country or territory that is not an Adequate Territory, shall be subject to the Model Clauses (Module I: Controller to Controller when Ansarada is controller, and Module II: Controller to Processor when Ansarada is processor)
So when you upload any file with personal data to many cloud providers, it will almost certainly go to the US, and most likely other locations. This is a problem from a GDPR (or enter your local legislation here!) perspective, and if one staff member or client finds out their data is overseas without all the necessary paperwork in place, there could be trouble (let alone the regulatory bodies).
So no matter what confidentiality terms are in place, un-redacted personal data is most likely being sent overseas, before anyone has even looked at it!
Storage with Projectfusion and safedrop
Projectfusion storage – location of your choice (usually UK, France, Germany or Canada)
When we talk about the content you upload (you’re the Controller, and we’re the Processor) it’s very simple. Everything is hosted in the location you request – UK, France, the US (or 27 other locations). That’s everything. There are no international transfers required. French data stays in France. End of.
Part 2) File sharing
OK, so that’s storage. Now let’s look at the transaction or file share. With Projectfusion, nothing is going to leave your location choice unless you or the recipient put it there.
So this is where it gets harder.
You’re going to need a bunch of stuff in place, the core things:
Legal stuff, at a minimum:
- Documentation of compliance with data protection requirements and weighing of interests, in particular weighing the legitimate interests of the controller against the interests or fundamental rights and freedoms of the data subjects (which often require protection of personal data).
- Confidentiality agreement with the recipient, including rules on processing any data outside the UK.
- Data processing agreement with the provider/operator of the file sharing service (for GDPR this is Art. 28).
- Have data subjects provided consent to share data (if it’s going overseas)?
- Consider view-only sharing, so the recipient cannot print or save personal data – this greatly reduces the chance of information leaks, and makes deletion of personal data much easier.
- Redact the data to remove personal data (typically search and replace for terms on each file you’re sharing).
- Anonymise or pseudonymise all data.
- Online confidentiality agreements, in case a recipient hasn’t signed something already.
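An added example, not Projectfusion or safedrop code: one way to apply the search-and-replace redaction and pseudonymisation items from the list above to a text file before it is uploaded. The sample text, names, key and function names are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample input: people, e-mail address, IP and key are invented.
SAMPLE = (
    "Employee Jane Smith (jane.smith@example.com) logged in from 203.0.113.7.\n"
    "Jane Smith reports to Omar Khan. Salary review due for Omar Khan."
)
NAMES = ["Jane Smith", "Omar Khan"]
KEY = b"constructed-demo-key"  # assumption: the real key is stored apart from shared files

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")


def pseudonym(value, key):
    """Keyed token: the same person always maps to the same token under one key."""
    digest = hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256)
    return "PERSON_" + digest.hexdigest()[:10]


def prepare_for_sharing(text, names, key):
    """Return (shared_text, lookup); lookup maps token -> real name."""
    # Patterns first, so an e-mail address that embeds a name is removed whole.
    text = EMAIL_RE.sub("[REDACTED-EMAIL]", text)
    text = IPV4_RE.sub("[REDACTED-IP]", text)
    lookup = {}
    # Longest names first, so a longer name is not half-replaced by a shorter one.
    for name in sorted(names, key=len, reverse=True):
        token = pseudonym(name, key)
        text, count = re.subn(r"\b" + re.escape(name) + r"\b", token, text, flags=re.IGNORECASE)
        if count:
            lookup[token] = name
    return text, lookup


def residual_hits(text, names):
    """Pre-upload check: list anything that still looks like personal data."""
    hits = EMAIL_RE.findall(text) + IPV4_RE.findall(text)
    lowered = text.lower()
    return hits + [n for n in names if n.lower() in lowered]


if __name__ == "__main__":
    shared, lookup = prepare_for_sharing(SAMPLE, NAMES, KEY)
    print(shared)
    print("left over:", residual_hits(shared, NAMES))
```

The lookup table and key are what allow re-identification, so they stay with the controller and are not uploaded alongside the shared file.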
Can I restrict access to say just UK IP addresses?
We can do this with Projectfusion and safedrop, but it’s not bulletproof – recipients may use VPNs to appear to be in the UK. We try to block VPNs, but it can cause issues.
How do Projectfusion and safedrop help me?
- Choice of server locations (27 datacentres worldwide)
- Privacy terms for each login.
- View only privacy option.
- Manual redaction (coming April 2023).
- Pseudonymisation
- AI Redaction (batch process files for patterns like IP addresses or addresses – coming Fall 2023)
- IP restriction to country or city on request.
- Self host on your own infrastructure option
CMS publish a great pre-M&A transaction checklist here: https://cms.law/en/media/local/cms-hs/files/publications/broschueren/checklist-mua-und-gdpr-04-2020