
Out-Law News

Amazon cloud contract terms meet EU standards on data transfers, says EU watchdog


Some contract terms used by cloud provider Amazon Web Services (AWS) are in line with EU rules governing data transfers, an EU privacy watchdog has said.

The National Commission for Data Protection in Luxembourg (CNPD) said that contract terms used by AWS covering the processing of data via its servers around the world "make sufficient contractual commitments to provide a legal framework to its international data flows" to correspond with EU data protection rules.

The CNPD was acting on behalf of the Article 29 Working Party, a committee of national data protection authorities from across the EU. Last year the Working Party reached a similar agreement with Microsoft.

The Luxembourg authority said that the endorsement will reduce the "number of national authorisations" businesses will need to obtain from data protection authorities in the EU for the transfer of personal data outside of the European Economic Area (EEA) if contracting with AWS for the storage of that data.

EU data protection laws only allow personal data to be transferred to third countries outside of the EEA where adequate data protection is in place. There are a number of legal mechanisms in place to help facilitate adequate data protection in the case of such data transfers.

Tine Larsen, chair of the CNPD, said in a letter (2-page / 567KB PDF) that the watchdog's endorsement of the AWS contract terms is qualified.

"The positive outcome of this limited analysis should not be taken as a finding that Amazon's contractual arrangements are compliant as a whole with all EU data protection requirements or as an endorsement that, in practice, AWS complies with EU data protection rules generally," Larsen said. "It merely acknowledges that, by using the 'data processing addendum' together with its annexes, AWS will make sufficient contractual commitments to provide a legal framework to its international data flows, in accordance with [rules on data transfers under the EU Data Protection Directive]."

"Furthermore, the analysis covers the arrangements reflected in the [EU's standard model clauses on the transfer of personal data outside of the EEA] but does not include … [the] appendixes [to the clauses] (i.e. the description of the transfers of data and of the technical and organisational security measures implemented by the data importer). According to the usual implementation of the model clauses, these appendixes will need to be completed by AWS and its clients when signing the contract and may be analysed separately by the data protection authorities," she said.

Technology law expert John Salmon of Pinsent Masons, the law firm behind Out-Law.com, said that regulators can play a role in helping to improve the take-up of cloud services by businesses in the EU.

"Initiatives such as the European Cloud Partnership and the FCA's Innovation Hub are encouraging greater collaboration between regulators and business," Salmon said. "As these initiatives progress, the issues will focus more and more on regulatory hurdles that unfairly hold back innovation, such as those that remain concerns in the context of cloud procurement."

"There are of course a number of concerns for businesses operating in the EU in respect of cloud. Compliance with data protection laws remains an issue, whilst financial services firms would also appreciate greater flexibility from regulators on how they can address data audit rights when using cloud storage facilities and clarity as to reporting requirements in the context of cloud," he said.

"Moves to provide greater certainty to businesses on compliance issues relevant to the use of cloud services, such as is the case with this announcement by the CNPD, are to be welcomed," Salmon said.

Werner Vogels, chief technology officer at Amazon, said the company was pleased to have regulators' backing for the AWS data processing agreement (DPA).

"The security, privacy, and protection of our customer's data is our number one priority," Vogels said. "Providing customers a DPA that has been approved by the EU data protection authorities is another way in which we are giving them assurances that they will receive the highest levels of data protection from AWS. We have spent a lot of time building tools, like security controls and encryption, to give customers the ability to protect their infrastructure and content. We will always strive to provide the highest level of data security for AWS customers in the EU and around the world."
