AWS and EU Safe Harbor (blogs.aws.amazon.com)
The EU requires that data processors (like AWS) comply with certain privacy practices in order to transfer data between the EU and non-EU countries.
Much like HIPAA, the mechanism the EU uses is the requirement of a private contract. Here, it's called a Data Processing Addendum. In HIPAA, it's called a Business Associate Agreement.
Source: CEO of a private HIPAA PaaS on AWS, running EU customers w/ this Data Processing Agreement in place
The first sentence kinda made sense, but the second one just made it far less clear in my opinion. Why should a layman care what it's called (or what the equivalent name might be in another form of regulation?). They're trying to understand what it's about. No?
For the record, I do know what HIPAA is (broadly), but unfortunately still don't think this explanation makes it easier for me to understand. If I was being cynical, I would say that the entire reason you posted the comment was to self-promote your HIPAA PaaS on AWS. I didn't downvote it to give you the benefit of the doubt.
Haha that seems harsh. He didn't name the service after all.
If the point of the law and recent court decisions is that data must not be available to US intelligence, then obviously the AWS US datacenters should not be a suitable choice, and the non-US ones probably shouldn't be either (since there is no way to prevent the US employees from covertly accessing them).
Are there loopholes in the law/court decisions?
And so the safe harbor agreement was found not to provide equivalent protections as required by the charter.
Amazon has approval from EU data protection authorities, but "company X" apparently doesn't need approval?
For example, if a publisher decides to make money using some shady ad network, and that ad network distributes malware / violates privacy rules / whatever, the publisher is the one that's going to hang for it, not the ad network. This will mean that publishers are naturally incentivized to get really good guarantees that the ad network (or, more relevant to this point, the hosting company) isn't violating any laws. I suppose there will be some standardized compliance test that these hosting companies will be doing to give their clients some assurance that it's safe to host their data with them.
In the end, I think this is good for EU citizens, and sucks for the people who have to deal with the laws.
What this posting means is that *from Amazon's perspective* they are compliant with Directive 95/46/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:...), which established (for the EU) these regulations.
What it doesn't mean is that customers of Amazon are also compliant, because Amazon has no clue what types of data they are processing, what they are doing with it, and where they are putting it. They are wisely advised to consult counsel to ascertain this fact.
[1] http://www.theguardian.com/technology/2015/sep/09/microsoft-...
> A company in the UK uses a centralised human resources system in the United States belonging to its parent company to store information about its employees.
or
> A travel agent sends a customer’s details to a hotel in Australia where they will be staying while on holiday.
> If you intend information on the website to be accessed outside the EEA, then this is a transfer.
This means if your data can be accessed outside the EEA, e.g. you access your on-premise CRM on your African holiday, you are likely to void Principle 8.
salesforce.com posted the same.
Comments here seem to have mixed things up.
1) Amazon is compliant because they have a special (political!) deal in place
"""AWS has already obtained approval from EU data protection authorities (known as the Article 29 Working Party)"""
2) Amazon (or AWS customers) can still transfer EU data to the US
""" [...] can continue to use AWS to transfer their customer content from the EEA to the US, without altering workloads, and in compliance with EU law.?"""
+
"""[...] to enable transfer of personal data outside Europe, including to the US with our EU-approved Data Processing Addendum and Model Clauses."""
If so I'm worried.
Lots of those here.
Kind of "civil blessing".
Why? Well, because the agreement says so and because any legal proceedings would be in the US according to the agreement and enforced "primarily by the private sector". Because that makes sense right? Courts, lawyers and laws are so boring anyways...
This change means that EU countries can now question the claim and act if it's a lie. Since the EU is moving to harmonize data storage laws among its member countries, there won't be any bureaucratic mess, only a return of citizen rights.
[0] http://www.export.gov/safeharbor/eu/eg_main_018476.asp
[EDIT] Ah, yes, the data storage location thing. That's mainly a consequence of the NSA thingy. Thanks to that no US company can any longer fully claim that any data stored in the US can be kept private. It's kind of silly since everybody spies on everybody else but the US got caught.
It's a defensive force in this case.
Have people suddenly forgotten what happens with data in the US?
- a "value-add" or middleman opportunity on service provider side (think hosting companies differentiating themselves as compliant, like in discussed piece, or offers of "one stop EU compliance", and similar check-box ticking);
- more annoying popups for users ("this service is not available in your country", "click here to acknowledge you are outside EU", etc).
I am afraid that this EU law will not protect your data against those who made the laws.
Forcing the data to be in the EU makes it much harder for the US govt to look at the data in bulk and non-obvious ways, as they now have to either backdoor remote systems or transmit data back, instead of just having their little machine in the datacenter.
Of course, the EU will have their own little machine in the EU datacenter, but at least the intelligence gathering is then split (which helps protect EU companies from US companies - in case you did not notice and you were born yesterday, companies govern the world, not the government per se.)
Now to implement user-side and end to end crypto in everything regardless..
So even inside the EU there's not a safe harbor as you don't know the percentage and the filters in place, the secret interpretation of laws, and cooperation, infiltration and hacking into the main exchanges and cables.
The WP is designed to make sure that Member States' Data Protection Authorities apply the DPD in a roughly uniform manner.
Of course, if the ICO deviates from the DPD then any party is able to appeal to the First-Tier Tribunal, the Upper Tribunal and the Court of Appeal who may then refer any questions of EU law to the ECJ in a similar way to Schrems' case.
It's only a click away to find out, and I'm not against self-promotion and plugging your service when it makes sense (although I find it better when it's acknowledged as such).
As I also said, I do want to give the benefit of the doubt, but I felt that the comment can easily be interpreted as empty self-promotion without much substance.
US companies act fast and loose with personal data even when the US government is nowhere to be seen.
It's this lack of legal process which means that the safe harbor agreement did not provide equivalent protections required by the charter, without even considering the spying angle.