AWS strengthened its commitments to protect customer data

Last month, Amazon Web Services (AWS) strengthened its commitments to protect customer data. This month, France’s highest administrative court ruled that these commitments provide sufficient safeguards with respect to the ‘Schrems II’ ruling.

AWS has strengthened its GDPR commitments

Last month, AWS announced it had strengthened its existing contractual commitments to protect its customers when processing customer data. These commitments go beyond the requirements following the ‘Schrems II’ ruling by the EU Court of Justice. Moreover, they reach beyond the current commitments of other cloud providers.

These new commitments apply to all customer data subject to GDPR, regardless of whether the data processing takes place outside the European Economic Area (EEA) or not. Furthermore, these commitments apply automatically to all AWS customers. Customers don’t have to take action: AWS introduced a new supplementary addendum to its existing GDPR Data Processing Addendum.

Three additional commitments

These are the main points that strengthen the existing commitments and obligations:

  • AWS will challenge law enforcement requests for customer data from governmental bodies, whether inside or outside the EEA, if such a request conflicts with EU law, is overbroad, or if AWS otherwise has any appropriate grounds to do so.
  • Furthermore, if despite AWS’ challenges, a valid and binding legal request to disclose customer data compels AWS to do so, then AWS will disclose only the minimum amount of customer data necessary to satisfy the request.
  • In addition, AWS will notify the customer of any law enforcement request. However, if law enforcement prohibits AWS from notifying its customer of such a request, then AWS will use all reasonable and lawful efforts to obtain a waiver of the prohibition.

First ruling is in favor of the additional measures

This month a court ruled on these additional commitments. In France, citizens can search online for where to get vaccinated and make an appointment. AWS hosts the platform and acts as the data processor.

On March 12, the Conseil d’Etat — France’s highest administrative court — ruled that this platform protects personal data sufficiently. The judges concluded that AWS provides sufficient safeguards, both legal and technical, in case of an access request from the U.S. authorities.

The court thus rejected the claim by professional associations and unions that asked for the suspension of the service. The plaintiffs unsuccessfully argued that because the data processor is a company bound by U.S. law, the risk of access by U.S. authorities is incompatible with the GDPR under the ‘Schrems II’ ruling.

This is an important first ruling in Europe about the measures that the U.S. public cloud providers must take to continue to comply with EU legislation.

Want to discover how you can take advantage of these strengthened commitments? Get in touch and send us a message.
