AWS strengthened its commitments to protect customer data

Last month, Amazon Web Services (AWS) strengthened its commitments to protect customer data. This month, France’s highest administrative court ruled that these commitments provide sufficient safeguards with respect to the ‘Schrems II’ ruling.

AWS has strengthened its GDPR commitments

Last month, AWS announced it had strengthened its existing contractual commitments to protect its customers when processing customer data. These commitments go beyond the requirements following the ‘Schrems II’ ruling by the EU Court of Justice. Moreover, they reach beyond the current commitments of other cloud providers.

These new commitments apply to all customer data subject to GDPR, regardless of whether the data processing takes place inside or outside the European Economic Area (EEA). Furthermore, these commitments apply automatically to all AWS customers. Customers don’t have to take action: AWS introduced a new supplementary addendum to its existing GDPR Data Processing Addendum.

Three additional commitments

These are the main points that strengthen the existing commitments and obligations:

  • AWS will challenge law enforcement requests for customer data from governmental bodies, whether inside or outside the EEA, if such a request conflicts with EU law, is overbroad, or if AWS otherwise has any appropriate grounds to do so.
  • Furthermore, if despite AWS’ challenges, a valid and binding legal request to disclose customer data compels AWS to do so, then AWS will disclose only the minimum amount of customer data necessary to satisfy the request.
  • In addition, AWS will notify the customer of any law enforcement request. However, if law enforcement prohibits AWS from notifying its customer of such a request, then AWS will use all reasonable and lawful efforts to obtain a waiver of the prohibition.

First ruling is in favor of the additional measures

This month, a court ruled on these additional commitments. In France, citizens can search online for where to get vaccinated and make an appointment. AWS hosts the platform and acts as the data processor.

On March 12, the Conseil d’Etat — France’s highest administrative court — ruled that this platform protects personal data sufficiently. The judges concluded that AWS provides sufficient safeguards, both legal and technical, in case of an access request from the U.S. authorities.

The court thus rejected the claim by professional associations and unions that asked for the suspension of the service. The plaintiffs unsuccessfully argued that because the data processor is a company bound by U.S. law, the risk of access by U.S. authorities is incompatible with the GDPR under the ‘Schrems II’ ruling.

This is an important first ruling in Europe about the measures that the U.S. public cloud providers must take to continue to comply with EU legislation.

Do you want to discover how you can take advantage of these strengthened commitments? Get in touch and send us a message.
