The EU requires that data processors (like AWS) comply with certain privacy practices in order to transfer data between the EU and non-EU countries.
Much like HIPAA, the mechanism the EU uses is the requirement of a private contract. Here, it's called a Data Processing Addendum. In HIPAA, it's called a Business Associate Agreement.
Source: CEO of a private HIPAA PaaS on AWS, running EU customers w/ this Data Processing Agreement in place
Perhaps with your level of familiarity with HIPAA, this is layman's terms, but for people who might not even know what HIPAA is about, this is far out from layman's terms.
The first sentence kinda made sense, but the second one just made it far less clear in my opinion. Why should a layman care what it's called (or what the equivalent name might be in another form of regulation?). They're trying to understand what it's about. No?
For the record, I do know what HIPAA is (broadly), but unfortunately still don't think this explanation makes it easier for me to understand. If I was being cynical, I would say that the entire reason you posted the comment was to self-promote your HIPAA PaaS on AWS. I didn't downvote it to give you the benefit of the doubt.
> Haha that seems harsh. He didn't name the service after all.
It's only a click away to find out, and I'm not against self-promotion and plugging your service when it makes sense (although I find it better when it's acknowledged as such).
As I also said, I do want to give the benefit of the doubt, but I felt that the comment can easily be interpreted as empty self-promotion without much substance.
If the point of the law and recent court decisions is that data must not be available to US intelligence, then obviously the AWS US datacenters should not be a suitable choice, and the non-US ones probably shouldn't be either (since there is no way to prevent the US employees from covertly accessing them).
A big part of the decision was actually a bit more mundane - the fact that EU citizens couldn't access the same legal recourse for a breach with foreign operators under safe harbor as they could for EU ones.
And so the safe harbor agreement was found not to provide equivalent protections as required by the charter.
I don't have a concrete answer to that, but my experience in the online advertising industry and the associated laws tells me that it is the end-user facing company that is going to get the blame in case something goes wrong. They might get away with it in case they really, really did their due diligence and were unable to be aware of any wrongdoing, but that's going to be hard to prove.
For example, if a publisher decides to make money using some shady ad network, and that ad network distributes malware / violates privacy rules / whatever, the publisher is the one that's going to hang for it, not the ad network. This will mean that publishers are naturally incentivized to get really good guarantees that the ad network (or, more relevant to this point, the hosting company) isn't violating any laws. I suppose there will be some standardized compliance test that these hosting companies will be doing to give their clients some assurance that it's safe to host their data with them.
In the end, I think this is good for EU citizens, and sucks for the people who have to deal with the laws.
The agreement that was in place allowed US businesses to self-certify and then sign a voluntary list at the US Dept. of Commerce which made them untouchable in the EU.
Why? Well, because the agreement says so and because any legal proceedings would be in the US according to the agreement and enforced "primarily by the private sector". Because that makes sense right? Courts, lawyers and laws are so boring anyways...
This change means that EU countries can now question the claim and act if it's a lie. Since the EU is moving to harmonize data storage laws among its member countries, there won't be any bureaucratic mess, only a return of citizen rights.
[EDIT]
Ah, yes, the data storage location thing. That's mainly a consequence of the NSA thingy. Thanks to that no US company can any longer fully claim that any data stored in the US can be kept private. It's kind of silly since everybody spies on everybody else but the US got caught.
If intent and actual effects of EU cookie law are anything to go by, EU Safe Harbor is going to create:
- a "value-add" or middleman opportunity on service provider side (think hosting companies differentiating themselves as compliant, like in discussed piece, or offers of "one stop EU compliance", and similar check-box ticking);
- more annoying popups for users ("this service is not available in your country", "click here to acknowledge you are outside EU", etc).
Is it really just that? I don't think so.
Safe harbor has always been a joke to begin with. A promise of good conduct with no checks whatsoever; that's not how humans work.
Forcing the data to be in the EU makes it much harder for the US govt to look at the data in bulk and non-obvious ways, as they now have to either backdoor remote systems or transmit data back, instead of just having their little machine in the datacenter.
Of course, EU will have their own little machine in the EU datacenter, but at least the intelligence gathering is then split (which helps protect EU companies from US companies - in case you did not notice and you're born yesterday, companies govern the world, not the government per se.)
Now to implement user-side and end-to-end crypto in everything regardless...
Have you forgotten about GCHQ and their "illegal" data exchange to overcome legal hurdles? And I wouldn't vouch for other friends of the USA who exchange data >10% (the self-imposed German limit) in bulk. Denmark, Sweden and the Netherlands would come to my mind. In almost every European country there are huge US listening posts.
So even inside the EU there's not a safe harbor as you don't know the percentage and the filters in place, the secret interpretation of laws, and cooperation, infiltration and hacking into the main exchanges and cables.
I think focusing on the intelligence aspects is a bit of a distraction. The court in question was asked whether there was a case to be heard at all ("does this safe harbor thing really do what it says on the tin?") and the outcome, as we know, was "no", but not (only) due to vague undocumented (by court standards) foreign intelligence activities, but rather simply because of the plain fact that, unlike with an EU operator, EU citizens have no legal recourse against companies in the US in the event of disputes such as the one in question.
It's this lack of legal process which means that the safe harbor agreement did not provide equivalent protections required by the charter, without even considering the spying angle.
That's the key take-away. This is a massive advantage for entrenched, larger companies. They're getting a special political protection order, which is unlikely to be available to everyone. It's a big loss for pretty much everyone else until a better framework is found, which could take years. The EU is handing AWS a leg up.
Model Clauses/Contracts (https://www.dataprotection.ie/docs/Model-Contracts/38.htm) are an alternative method of satisfying EU data protection requirements in dealing with overseas data transfers. Amazon, like Google and many other multinational technology companies, have adopted these in years past.
What it doesn't mean is that customers of Amazon are also compliant, because Amazon has no clue what types of data they are processing, what they are doing with it, and where they are putting it. They are wisely advised to consult counsel to ascertain this fact.
But does Amazon have a reasonable claim of being able to fulfill those requirements considering secret court orders that can't be challenged by European citizens, NSLs and the Microsoft case[1]?
> A company in the UK uses a centralised human resources system in the United States belonging to its parent company to store information about its employees.
or
> A travel agent sends a customer’s details to a hotel in Australia where they will be staying while on holiday.
> If you intend information on the website to be accessed outside the EEA, then this is a transfer.
This means if your data can be accessed outside the EEA e.g. you access your on-premise CRM on your African holiday, you are likely to void the Principle 8.
The ICO is a member of the Article 29 Working Party (the WP is made up of a representative from each of the 28 EU Member States + the European Commission and EU bodies dealing with data protection, as detailed in Article 29 of the Data Protection Directive).
The WP is designed to make sure that Member States' Data Protection Authorities apply the DPD in a roughly uniform manner.
Of course, if the ICO deviates from the DPD then any party is able to appeal to the First-Tier Tribunal, the Upper Tribunal and the Court of Appeal who may then refer any questions of EU law to the ECJ in a similar way to Schrems' case.
> my understanding is that AWS itself does not migrate, replicate, or otherwise transfer data out of its EU regions.
Not at all correct, the article is quite explicit that transfer out of EU regions is allowed:
"This is possible because AWS has already obtained approval from EU data protection authorities (known as the Article 29 Working Party) of the AWS Data Processing Addendum and Model Clauses to enable transfer of personal data outside Europe, including to the US with our EU-approved Data Processing Addendum and Model Clauses. AWS customers can continue to run their global operations using AWS in full compliance with the EU Data Protection Directive (Directive 95/46/EC). The AWS Data Processing Addendum is available to all AWS customers who are processing personal data."
Does this mean that Amazon can transfer customer data (their AWS customer) outside the EU (like address and email etc.), but it does not mean that AWS customers can move their customers' data outside the EU?
I'm not sure I understand the announcement; my head is spinning a bit from the bureaucrat-speak, but... does it in essence read
1) Amazon is compliant because they have a special (political!) deal in place
"""AWS has already obtained approval from EU data protection authorities (known as the Article 29 Working Party)"""
2) Amazon (or AWS customers) can still transfer EU data to the US
""" [...] can continue to use AWS to transfer their customer content from the EEA to the US, without altering workloads, and in compliance with EU law.?"""
+
"""[...] to enable transfer of personal data outside Europe, including to the US with our EU-approved Data Processing Addendum and Model Clauses."""
I bet (EU citizen here) that agreement is some kind of official "certification" which a storage firm can acquire via a (probably long and winding) bureaucratic process.