AWS has already committed itself to the CISPE Code of Conduct. CISPE is an association of various cloud infrastructure providers. The CISPE Code already incorporates some parts of the new EU data protection legislation, which comes into force on 25 May 2018. It is interesting to see which of the public cloud providers have committed themselves to CISPE and, above all, which have not.
The CISPE Code, however, differs from the new revised EU Data Protection Act in one important respect: it carries no penalties. Threatening a violating member with exclusion is kind of nice, but seriously, which public cloud service provider, in spite of obvious misconduct, will be intimidated by exclusion? Once again, this is why it is interesting to know who has committed itself to the Code of Conduct and who has not, or who has only committed itself for certain restricted, specific services. Read more here.
The AWS announcement of support for and compliance with the new EU Data Protection Directive is even more remarkable because it goes beyond the previous CISPE Code of Conduct, accepting substantial penalties in the case of a violation of the EU directive.
The new EU Data Protection Act is primarily aimed at platform providers that aggregate mass profiling data, especially those that sell it to third parties. Public cloud infrastructure providers are not even mentioned as such.
The AWS statement on compliance with the new EU data protection rules is a very important step forward, but I must admit that the AWS press release on the German C5 certification by the German Federal Office for Information Security (BSI) was even more important, especially since C5 is significantly more precise than the new EU data protection law.
So what are the key elements of the new EU Data Protection Directive?
But keep in mind that it is not just the infrastructure provider that assumes responsibility here. Every user of public cloud infrastructure services has to be aware that these duties also apply to the user of such infrastructure services: a service provider building on public cloud infrastructure carries the same responsibility and will be held liable too.
The ever-present, and probably justified, concern still exists that a support incident involves handing over gigabyte-sized log files so the problem can be analyzed. No one can prevent personal data from somehow ending up in really large log files. But let's be fair: this applies to every kind of software support, regardless of whether it is delivered from a public cloud or on-premise. So customers need to check their terms and conditions, may have to adjust them, may have to inform their end users about this potential situation, and must not forget to obtain end-user confirmation. On the other hand, I guess you do not need to worry about this as long as personal data contained in such log files is still considered an appropriate use of the data, so that it does not fall under the restrictions on personal data usage.
The use of AWS services is not in itself proof of proper data processing according to § 11 BDSG. Customers are still required to provide ongoing evidence that data processing is done at an "appropriate level of data protection", as required in Germany by §§ 4b, 4c BDSG. As an AWS user you should sign AWS's latest data processing addendum and make sure it is the current version expressing compliance with the GDPR, including compliance with the EU standard contractual clauses. All of this is regarded as evidence of compliance with an "adequate level of data protection" in Europe.
Be aware that local law is and will remain applicable, e.g. in Germany the EU GDPR (implemented as the DSGVO) together with the existing BDSG and the BDSG-E.
Topics such as the Privacy Shield and the Freedom Act in the US are not far-fetched and will surely end up becoming part of the EU Data Protection Directive in the near future.
Every company, including freelancers (and just think about how many IT freelancers are currently working for how many companies), must at all times be able to prove that wherever personal data can be accessed, used or processed, this happens in accordance with the EU regulations.
This is an effort that should not be underestimated. Whereas penalties in Germany currently have a maximum of € 300,000 per case, the new EU Directive provides for penalties of 4% of worldwide group turnover or up to € 20 million. This means, in particular, that websites that work with cookies and sell this data to third parties for profile targeting will either go out of business or risk the penalty.
The data protection officer in a company, whether internal or external, is experiencing a significant increase in responsibilities (§ 35 ff. DSGVO). While the required "qualifications" and "knowledge in the field of data protection" used to be rather vague, EU law now demands considerably more legal knowledge and experience. Furthermore, the data protection officer reports directly to the highest management level. And last but not least, the data protection officer is personally liable for data breaches occurring in his or her areas of responsibility.
The future AWS compliance with the new EU GDPR takes a huge burden off its users, but in the end you are still responsible for becoming compliant on your side as well. In the light of the new EU directive you will do well to review your AWS architecture and the setup of your own solution running on the public cloud, especially in relation to other third-party tools. Possible security deficiencies may lead to substantial penalties and should be identified and resolved beforehand. This review does not cover the no-brainers, such as keeping a safe data backup in another EU Region. It goes far beyond that.
We are talking about adequate encryption methods. This also applies to encryption of data within the AWS infrastructure, because AWS can be obliged to disclose data under the "Freedom Act" on the order of an American judge.
Another aspect that is underestimated: many EU companies have outsourced their development activities to non-EU countries. Therefore, the separation between the development and the production environment must be ensured. This also applies to development work in EU countries that have not yet enshrined the new legislation in national law or are not able to enforce it in time.