Amazon taking 'belts and braces approach' to Privacy Shield certification, says expert

The cloud computing provider said it is "is taking the necessary steps to certify" under the framework, which has been set up to facilitate the transfer of personal data between the EU and US. Microsoft said it would sign up to the Privacy Shield last month.

Since 1 August, US businesses have been able to self-certify their compliance with a set of privacy principles that make up part of the Privacy Shield.

The European Commission has set out its view that businesses that transfer personal data from the EU to the US in line with the Privacy Shield principles and self-certify under the framework will adhere to EU data protection law requirements regarding the transfer of personal data outside the European Economic Area (EEA).

In a blog Amazon said its Amazon Web Services (AWS) customers will retain the ability to choose within which "region" their data is stored. It said that for customers that wish to transfer data between the EEA and other parts of the world, including the US, it has put in place data processing contract clauses that have been approved by EU data protection authorities to help underpin the data transfers they facilitate on behalf of customers.

Last year the National Commission for Data Protection in Luxembourg (CNPD) said that contract terms used by AWS covering the processing of data via its servers around the world "make sufficient contractual commitments to provide a legal framework to its international data flows" to correspond with EU data protection rules. The CNPD was acting on behalf of the Article 29 Working Party, a committee of national data protection authorities from across the EU.

Data protection law expert Kuan Hon of Pinsent Masons, the law firm behind Out-Law.com, said it is "understandable" that Amazon, like other businesses, has adopted a "belts and braces approach" to EU-US data transfers and is providing for model contract clauses as a basis for those data transfers in addition to signing up to the Privacy Shield.

Late last month the Article 29 Working Party stated that it retains some concern about aspects of the Privacy Shield, including in respect of "mass and indiscriminate collection of personal data" by US authorities as well as on some "commercial aspects" of the framework. It said it "regrets … the lack of specific rules on automated decisions and of a general right to object" and said it "also remains unclear how the Privacy Shield Principles shall apply to processors".

Despite its concerns, however, the Working Party indicated that it they will not challenge the legitimacy of data transfer arrangements under the new EU-US Privacy Shield during the first year of its operation.

Instead it said that national data protection authorities (DPAs) within the EU "commit themselves to proactively and independently assist the data subjects with exercising their rights under the Privacy Shield mechanism, in particular when dealing with complaints" during the first year.

Information law specialist Cerys Wyn Davies of Pinsent Masons recently looked into the practical steps US companies need to take to self-certify under the Privacy Shield.