AWS strengthened its commitments to protect customer data

Last month, Amazon Web Services (AWS) strengthened its commitments to protect customer data. This month, France’s highest administrative court ruled that these commitments provide sufficient safeguards with respect to the ‘Schrems II’ ruling.

AWS has strengthened its GDPR commitments

Last month, AWS announced it had strengthened its existing contractual commitments to protect its customers when processing customer data. These commitments go beyond the requirements following the ‘Schrems II’ ruling by the EU Court of Justice. Moreover, they reach beyond the current commitments of other cloud providers.

These new commitments apply to all customer data subject to GDPR, regardless of whether the data processing takes place inside or outside the European Economic Area (EEA). Furthermore, these commitments apply automatically to all AWS customers. Customers don’t have to take action: AWS introduced a new supplementary addendum to its existing GDPR Data Processing Addendum.

Three additional commitments

These are the main points that strengthen the existing commitments and obligations:

  • AWS will challenge law enforcement requests for customer data from governmental bodies, whether inside or outside the EEA, if such a request conflicts with EU law, is overbroad, or if AWS otherwise has any appropriate grounds to do so.
  • Furthermore, if despite AWS’ challenges, a valid and binding legal request to disclose customer data compels AWS to do so, then AWS will disclose only the minimum amount of customer data necessary to satisfy the request.
  • In addition, AWS will notify the customer of any law enforcement request. However, if law enforcement prohibits AWS from notifying its customer of such a request, then AWS will use all reasonable and lawful efforts to obtain a waiver of the prohibition.

First ruling is in favor of the additional measures

This month a court ruled on these additional commitments. In France, citizens can search online for where to get vaccinated and make an appointment. AWS hosts the platform and acts as the data processor.

On March 12, the Conseil d’Etat — France’s highest administrative court — ruled that this platform protects personal data sufficiently. The judges concluded that AWS provides sufficient safeguards, both legal and technical, in case of an access request from the U.S. authorities.

The court thus rejected the claim by professional associations and unions that asked for the suspension of the service. The plaintiffs unsuccessfully argued that because the data processor is a company bound by U.S. law, the risk of access by U.S. authorities is incompatible with the GDPR under the ‘Schrems II’ ruling.

This is an important first ruling in Europe about the measures that the U.S. public cloud providers must take to continue to comply with EU legislation.

Do you want to discover how you can take advantage of these strengthened commitments? Get in touch and send us a message.
