Data protection at AWS

AWS and data protection with GDPR
Are Amazon servers GDPR-compliant?

Cloud computing is becoming increasingly popular. The dominant providers in this market are all based in the USA, including Amazon Web Services (AWS). When German and European companies transfer personal data to the USA, a legal basis is always required. Since the European Court of Justice declared the so-called Privacy Shield invalid on July 16, 2020, data transfers are usually based on standard contractual clauses. However, these alone are not sufficient.

In its ruling, the ECJ emphasized the controller's responsibility to assess whether data subjects would actually enjoy a level of protection in the USA (or other third countries) equivalent to that in the EU once the standard contractual clauses have been concluded. In fact, the European supervisory authorities expect additional measures such as anonymization or encryption of the data to be transferred. This blog post examines whether and how AWS takes data protection seriously and supports its customers in implementing it.

AWS

Amazon Web Services (AWS) is an American cloud computing provider. It was founded in 2006 as a subsidiary of the online mail order company Amazon.com. Since then, AWS has been growing rapidly. In 2017, Gartner named AWS the leading international provider in cloud computing. A few years ago, AWS had a turnover of 46 billion dollars.

AWS and data protection

As a US company, Amazon Web Services, like comparable services, has been criticized for years with regard to data protection. To compensate for this problem, AWS offers so-called regions, which in turn are divided into availability zones and correspond to physical locations for the storage of data. For example, the regions Ireland (eu-west-1) and Frankfurt am Main (eu-central-1) can be selected so that instances are only executed there. The problem is that storing data on servers located in the EU does not protect it against access by US authorities under the CLOUD Act. This is a problem for AWS and data protection in Germany.

Amazon offers its customers preconfigured standard contractual clauses and also refers to a Data Processing Addendum. However, both documents are designed according to a "high-level approach". They support the customer in carrying out the transfer impact assessments required by the standard contractual clauses. For example, the following description of the processed data categories from the addendum, "Customer Data uploaded to the Services under Customer's AWS accounts.", is of course far too superficial to allow an adequate transfer impact assessment to be carried out.

To improve data protection, Amazon offers developers the option of encrypting data stored on AWS themselves, even when using an official software development kit. Large customers are offered the use of hardware encryption with individual components.

Conclusion
According to AWS's self-presentation, requests from US authorities are always carefully checked and, if necessary, rejected. With regard to data protection, Amazon AWS also emphasizes that data encrypted by the customer will only be released to US authorities in encrypted form.

For AWS services with encryption, AWS's own KMS service is used, which ensures that AWS itself has no way of recovering the plaintext.

This means that AWS can be used in compliance with data protection regulations, but only if encryption is actually used and possible residual risks have been assessed as acceptable as part of the transfer impact assessment.

Do you need support with the professional implementation of a transfer impact assessment? Please contact us. We look forward to supporting you with our many years of data protection expertise.
