What do AWS users need to do in regards to the new EU Data Protection Directive?
Here 3 aspects to take care of and 4 important recommendations will be discussed.
AWS has already committed itself to the CISPE Code of Conduct. This CISP is a merger of various cloud infrastructure providers. The CISPE already has included some parts of the new EU data protection legislation, which will be enforced on the 25th of May, 2018. It is interesting to know who and above all who has not yet committed itself to CISPE from the public cloud providers.
The CISPE, however, differing from the new revised EU Data Protection Act, makes an important distinction to non-existing penalties. To threaten a violating member with exclusion is kind of nice, but seriously, which public cloud service provider in spite of obvious misconduct, will be intimidated by exclusion? Once again this is why it is interesting to know who has committed itself to the Code of Conduct and who has not, or who has only committed itself to certain restricted, detailed services. Read more here.
The announcement of AWS in terms of support and compliance with the new EU Data Protection Directive is even more remarkable as it goes beyond the previous CISPE Code of Conduct, accepting sensitive penalties in the case of violation to the EU directive.
The new EU Data Protection Act is primarily aiming at platform providers, which aggregate mass profiling data, especially to those who sell it to third parties. Public cloud infrastructure providers are not even mentioned as such.
The AWS statement on compliance with the new EU data protection rule is a very important step forward, but I must admit, the AWS press release on the German C5 certification of the German Federal Office for Information Security (BSI) was even more important, especially considering being significantly more precise than the new EU-DS law.
So what are the key elements of the new EU Data Protection Directive?
- Have one Directive for Data Protection in place, all over European Union.
- Countries with a lax law on data protection cannot work as a kind of back door to the European market any more.
- Every EU-Citizen has the right to access the data collected about his person and how it is processed and whether data has already been misused by hackers.
- Every EU-Citizen has the right to assure personal data can be deleted („to be forgotten“) with the exception: if the company can prove it is way too difficult to delete this data then they don’t have to.
- Personal Data collected is bound to the purpose the data was given.
- A Data Security Officer need be established as soon as the company has more than 10 employees, dealing with personal data processing, or the company is dealing with sensitive personal data.
But keep in mind, it is not just the infrastructure provider which assumes responsibility here. Every user of public cloud infrastructure services has to be aware: Such duties affect the user of such infrastructure services and therefore the services provider using the public cloud infrastructure has the same responsibility and will be hold liable too.
- Legal Responsibility and Obligations: Analysis and review of existing contractual conditions with the respective infrastructure provider and with the end customer. Check your current terms and conditions.
- Organizational Responsibilities and Duties: The data protection officer in each company will have to undertake far more activities. The so far compulsory 1-day seminar is no longer enough.
- Technical Responsibility and Obligations: Only the detailed service process between “end user activities – AWS users – AWS” will show which changes have to be implemented technologically in order to be safe and “compliant” with the EU Directive.
Regarding Legal Aspects
The ever-present and probably right accusation in case of a support incident includes GB-large log files to analyze the problem still exists. No one can prohibit personal data from not being somehow included in real large log files. But let´s play fair: This counts for every software support, regardless of being made available by public cloud or on-premise. So customers need to check its terms and conditions and may adjust them and may have to inform its end users about this potentially occurring situation and don’t forget for an end user confirmation. On the other side, I guess, you do not need to worry about this, as long as these log files containing personal data will still be considered as an appropriate use of the data, so to not fall under personal data usage restrictions.
The use of AWS services is not a proof for the accurate data processing according to § 11 BDSG. Customers are still required to provide ongoing evidence data processing is done on an „appropriate level of data protection“, such as in Germany BDSG (§§ 4b, 4c BDSG). As AWS user you should sign the latest AWS’s data processing addendum and make sure it is the latest version expressing compliance with the GDPR, including compliance with the other EU standard contract clauses. All of this is seen as evidence of compliance on an “adequate level of data protection” in Europe.
Be aware local law is and will remain applicable. i.e. in Germany, the EU-GDPR (covered in DSGVO) and existing BDSG and BDSG-E.
Topics such as Privacy Shield and Freedom Act in the US are not far fetched and will surely culminate as a part of EU Data Protection Directive in the near future.
Regarding Organizational Aspects
Every company, including freelancers (and just think about how many IT freelancers are currently working for so many companies), must at all times be able to prove that if personal data can be accessed or used or processed, it must be in accordance with the EU regulations.
An effort which cannot be underestimated. i.e. there are penalties in Germany with a maximum amount of € 300,000 per claim, so the new EU Directive is asking for penalties of 4% of the worldwide group turnover or up to € 20 million. This means, in particular, for all websites that work with cookies and sell this data for profile targeting to 3rd parties, will go out of business or risk the penality.
The data protection officer in a company, whether internally or externally, is experiencing a significant increase of responsibilities (§ 35 ff. DSGVO). While certain “qualifications”, “knowledge in the field of data protection” have been kind of vague, EU law now requires a lot more legal knowledge and experience. Furthermore, the data protection officer reports directly to the highest management level. And last but not least, the data protection officer is personally liable for data breaches occurring in his areas of responsibility.
Regarding Technical Aspects
The AWS future compliance with the new EU-GPDR takes a huge burden from its users, but in the end you are still responsible for becoming compliant on your side as well. You will do well in the light of the new EU directive if you review your AWS architecture and your own solution set up running on public cloud, especially in relationship to other 3rd party tools. Possible safety deficiencies may lead to sensitive penalties and should be identified and solved beforehand. This review does not cover the no-brainer, such as save data backup in another EU Region. It goes far beyond.
We are talking about adequate encryption methods. This also applies to encryption within AWS infrastructure usage, because AWS can be obliged to disclose data due to the “Freedom Act” based upon an American judge.
Another aspect that is underestimated – many EU companies have outsourced their development activities to non-EU countries. Therefore, the separation between the development and the production environment must be ensured. This also applies to development work in EU countries, which have not yet anchored the new legislation or able to execute in time.
- Have a data protection consultant in place helping you with the legal and organizational implications regarding your company and the business you are in.
- Verify your existing AWS architecture with an external consultant who has the technical knowledge and, above all, demonstrable experience when it comes to implementing the new EU Directive for your specific needs. It should be a consultant who has the appropriate “AWS Professional Certification” and has the know-how in SOX, SOC, ISO 27001 etc.
- What AWS offers as an infrastructure provider in relation to the new EU Directive which is a big step forward compared to many other public cloud providers. Notwithstanding, each AWS user must be aware AWS alone does not replace your responsibility to your end users, including external tools and services. So the consultant must have experience and knowledge that goes far beyond the AWS service portfolio, including the best practices in several other tools and deployments.
- Software and service developments in non-EU countries or EU countries that do not make an effort to adapt the new EU Data Protection Act into local law require a different AWS architectural set-up. Therefore the consultant should be aware of the separation between the development and production environment and what it means to Continuous Integration & Continuous Delivery Policy in relationship to GDPR, being enforced by May 25th 2018, so very soon.