AWS says customers don’t have to use Privacy Shield
But Amazon’s cloud division commits to the controversial framework
Amazon Web Services (AWS) said customers do not have to rely on the new EU-US data transfer agreement, Privacy Shield, despite committing to supporting it.
The cloud giant’s announcement comes after Europe’s data watchdogs expressed their misgivings over the framework, which was only approved last month by the EU, suggesting it could challenge the legislation in a year.
However, AWS said it welcomed Privacy Shield, and would support it.
Stephen Schmidt, AWS’s CISO, said in a blog post: “The new EU-US Privacy Shield does not impact AWS customers for two reasons. First, customers using AWS have full control of the movement of their data and have always had the choice of the region in which their data is kept. AWS customers choose the AWS region where their data will be stored and can be assured that their data will remain there unless moved by them.”
Second, customers can send personal data outside the EU to US datacentres by relying on AWS’s Model Clauses.
However, the legal status of Model Clauses is subject to a legal challenge from data privacy campaigner Max Schrems, who is questioning whether or not they guarantee EU data’s privacy when transferred to the US.
It was Schrems who ultimately brought down Privacy Shield’s predecessor, Safe Harbour, when he took Facebook to court over allegedly passing EU data to US spy agencies – something Facebook denied. The European Court of Justice eventually declared Safe Harbour invalid.
Cloud Pro Newsletter
Stay up to date with the latest news and analysis from the world of cloud computing with our twice-weekly newsletter
Schmidt confirmed Amazon is taking the “necessary steps” to certify under Privacy Shield – other companies like Workday have already certified.
European data authorities are concerned about various aspects of Privacy Shield, which they will challenge in a year, such as the neutrality of a US-appointed Ombudsperson, who is meant to look into EU citizens’ complaints over data misuse. The Article 29 Working Party is also concerned that US assurances it will not perform mass surveillance on EU data is not backed up by legislation.
However, Schmidt said: “At AWS, security is our top priority, and we will continue to work vigilantly to ensure that our customers are able to continue to enjoy the benefits of AWS securely, compliantly, and without disruption in Europe and around the world."