Amazon Web Services (AWS) is pleased to announce our support for the newly established Trans-Atlantic Data Privacy Framework (Data Privacy Framework), which was recently agreed upon between the European Union (EU) and the United States (US). This development highlights a mutual commitment between the two regions to enhance privacy protections for data exchanged across the Atlantic. This framework will complement the existing safeguards provided by AWS and other organizations. We are committed to obtaining certification in line with the Data Privacy Framework as it is enacted, and we are eager for our customers and their end users to reap the benefits of these new protections.
Once finalized, the Data Privacy Framework will create an avenue for certified businesses to facilitate trans-Atlantic data transfers between the US and EU. This new framework aims to address the issues raised by the Court of Justice of the European Union (CJEU) when it annulled the EU-US Privacy Shield in its Schrems II ruling back in July 2020. New measures will be implemented to ensure that US intelligence operations are limited to what is necessary and proportionate for national security, while also establishing a new mechanism for EU citizens to lodge complaints.
As a founding member of the Trusted Cloud Principles initiative, AWS is dedicated to advancing regulations that enhance privacy and security for all organizations utilizing cloud technologies while maintaining control over their data. Although organizations have been able to conduct trans-Atlantic data transfers using AWS technology since the Schrems II decision, the introduction of the Data Privacy Framework will provide greater clarity and flexibility for customers assessing their data transfer needs. This will empower them to unlock value through growth, digital transformation, and global competitive advantage.
Companies aiming to operate with agility between the European Economic Area (EEA) require assurance that their innovative endeavors and investments in cutting-edge technology are backed by international frameworks that promote cross-border privacy. Once finalized, the Data Privacy Framework, alongside our steadfast commitment to privacy at AWS, will simplify the process and instill confidence for customers transferring data to and from Europe while utilizing AWS services.
In an increasingly interconnected world, our collective security hinges on mutual trust across the Atlantic and beyond. We look forward to contributing to the finalization of the Data Privacy Framework and support initiatives aimed at finding a balanced approach between privacy and security, including the OECD’s discussions on trusted government access to private-sector data.
AWS Privacy and Security Commitment
AWS is devoted to ensuring the protection of customer data. We continuously assist our customers in complying with evolving European regulations and achieving top-tier security, privacy, and resilience. AWS provides a suite of technical, operational, and contractual measures to safeguard and transfer customer content outside Europe, adhering to the General Data Protection Regulation (GDPR) and the Schrems II ruling. Customers may also opt to store their data in the EU by selecting from our regions in France, Germany, Ireland, Italy, Sweden, and soon, Spain, with the assurance that their data remains within the designated AWS Region.
Currently, AWS customers can transfer data beyond the EEA using the new Standard Contractual Clauses (SCCs) included in the AWS Data Processing Addendum (DPA), which is further supported by our enhanced contractual commitments to protect customer data, including contesting law enforcement requests that conflict with EU law. Our extensive toolset, such as AWS CloudHSM and AWS Key Management Service (AWS KMS), allows customers to encrypt data both in transit and at rest and securely manage encryption keys, enhancing confidentiality and privacy.
AWS has obtained internationally recognized certifications that showcase compliance with stringent international privacy and security standards, including the Cloud Infrastructure Services in Europe (CISPE) Data Protection Code of Conduct, Cloud Computing Compliance Controls Catalog (C5), ISO27018, and the Esquema Nacional de Seguridad (ENS, Spain). Our comprehensive online resources aid customers in navigating data transfer assessments and fulfilling GDPR compliance, as per European Data Protection Board (EDPB) recommendations. This includes regular Information Request Reports detailing government data access requests and our responses.
For more information, our technical paper “Navigating Compliance with EU Data Transfer Requirements” and AWS’s Privacy Features for AWS Services can assist customers in selecting the appropriate services for their specific needs. If you have any questions, please visit our EU Data Protection page.