Last month, Amazon Web Services (AWS) strengthened its commitments to protect customer data. This month, France’s highest administrative court ruled that these commitments provide sufficient safeguards with respect to the ‘Schrems II’ ruling.
AWS has strengthened its GDPR commitments
Last month, AWS announced it had strengthened its existing contractual commitments to protect its customers when processing customer data. These commitments go beyond the requirements following the ‘Schrems II’ ruling by the EU Court of Justice. Moreover, they reach beyond the current commitments of other cloud providers.
These new commitments apply to all customer data subject to GDPR, regardless of whether the data processing takes place outside the European Economic Area (EEA) or not. Furthermore, these commitments apply automatically to all AWS customers. Customers don’t have to take action: AWS introduced a new supplementary addendum to its existing GDPR Data Processing Addendum.
Three additional commitments
These are the main points that strengthen the existing commitments and obligations:
- AWS will challenge law enforcement requests for customer data from governmental bodies, whether inside or outside the EEA, if such a request conflicts with EU law, is overbroad, or if AWS otherwise has any appropriate grounds to do so.
- Furthermore, if despite AWS’ challenges, a valid and binding legal request to disclose customer data compels AWS to do so, then AWS will disclose only the minimum amount of customer data necessary to satisfy the request.
- In addition, AWS will notify the customer of any law enforcement request. However, if law enforcement prohibits AWS from notifying its customer of such a request, then AWS will use all reasonable and lawful efforts to obtain a waiver of the prohibition.
First ruling is in favor of the additional measures
This month, a court ruled on these additional commitments. In France, citizens can search online for where to get vaccinated and make an appointment. AWS hosts the platform and acts as the data processor.
On March 12, the Conseil d’Etat — France’s highest administrative court — ruled that this platform protects personal data sufficiently. The judges concluded that AWS provides sufficient safeguards, both legal and technical, in case of an access request from the U.S. authorities.
The court thus rejected the claim by professional associations and unions that asked for the suspension of the service. The plaintiffs unsuccessfully argued that because the data processor is a company bound by U.S. law, the risk of access by U.S. authorities is incompatible with the GDPR under the ‘Schrems II’ ruling.
This is an important first ruling in Europe about the measures that the U.S. public cloud providers must take to continue to comply with EU legislation.