
AWS and EU Safe Harbor - breadtk
http://blogs.aws.amazon.com/security/post/Tx3QAALRNBIK9K1/Customer-Update-AWS-and-EU-Safe-Harbor
======
chasb
Attempt at layman's terms:

The EU requires that data processors (like AWS) comply with certain privacy
practices in order to transfer data between the EU and non-EU countries.

Much like HIPAA, the mechanism the EU uses is the requirement of a private
contract. Here, it's called a Data Processing Addendum. In HIPAA, it's called
a Business Associate Agreement.

Source: CEO of a private HIPAA PaaS on AWS, running EU customers w/ this Data
Processing Agreement in place

~~~
gingerlime
Perhaps with your level of familiarity with HIPAA, this is layman's terms, but
for people who might not even know what HIPAA is about, this is far out from
layman's terms.

The first sentence kinda made sense, but the second one just made it far less
clear in my opinion. Why should a layman care what it's _called_ (or what the
equivalent name might be in another form of regulation?). They're trying to
understand what it's _about_. No?

For the record, I do know what HIPAA is (broadly), but unfortunately still
don't think this explanation makes it easier for me to understand. If I was
being cynical, I would say that the entire reason you posted the comment was
to self-promote your HIPAA PaaS on AWS. I didn't downvote it to give you the
benefit of the doubt.

~~~
cdubzzz
> If I was being cynical, I would say that the entire reason you posted the
> comment was to self-promote your HIPAA PaaS on AWS.

Haha that seems harsh. He didn't name the service after all.

~~~
gingerlime
> Haha that seems harsh. He didn't name the service after all.

It's only a click away to find out, and I'm not against self-promotion and
plugging your service when it makes sense (although I find it better when it's
acknowledged as such).

As I also said, I do want to give the benefit of the doubt, but I felt that
the comment can easily be interpreted as empty self-promotion without much
substance.

------
devit
How can this work?

If the point of the law and recent court decisions is that data must not be
available to US intelligence, then obviously the AWS US datacenters should not
be a suitable choice, and the non-US ones probably shouldn't be either (since
there is no way to prevent the US employees from covertly accessing them).

Are there loopholes in the law/court decisions?

~~~
DavideNL
If "company X" (a customer of Amazon) is sharing EU citizens data through
amazon AWS to the US, who is sharing the data? Amazon or "company x" ?

Amazon has approval from EU data protection authorities, but "company X"
apparently doesn't need approval?

~~~
stingraycharles
I don't have a concrete answer to that, but my experience in the online
advertising industry and the associated laws tells me that it is the end-user
facing company that is going to get the blame in case something goes wrong.
They might get away with it in case they really, really did their due
diligence and were unable to be aware of any wrongdoing, but that's going to
be hard to prove.

For example, if a publisher decides to make money using some shady ad network,
and that ad network distributes malware / violates privacy rules / whatever,
the publisher is the one that's going to hang for it, not the ad network. This
will mean that publishers are naturally incentivized to get really good
guarantees that the ad network (or, more relevant to this point, the hosting
company) isn't violating any laws. I suppose there will be some standardized
compliancy test that these hosting companies will be doing to give their
clients some assurance that it's safe to host their data with them.

In the end, I think this is good for EU citizens, and sucks for the people who
have to deal with the laws.

------
lucio
...and now the advantage is political, not technical. This is a bad road to
follow, EU bureaucracy is a destructive force.

~~~
korisnik
_> EU bureaucracy is a destructive force._

It's a defensive force in this case.

Have people suddenly forgotten what happens with data in the US?

~~~
fasteo
> Have people suddenly forgotten what happens with data in the US?

I am afraid that this EU law will not protect your data against those who made
the laws.

~~~
M2Ys4U
It's not all about the US government, though.

US companies act fast and loose with personal data even when the US government
is nowhere to be seen.

------
anonymousDan
Can anyone explain in layman's terms how Amazon have managed to exempt
themselves from this regulation?

~~~
eitally
Model Clauses/Contracts ([https://www.dataprotection.ie/docs/Model-Contracts/38.htm](https://www.dataprotection.ie/docs/Model-Contracts/38.htm))
are an alternative method of satisfying EU data protection requirements in
dealing with overseas data transfers. Amazon, like Google and many other
multinational technology companies, have adopted these in years past.

What this posting means is that *from Amazon's perspective* they are
compliant with Directive 95/46/EC ([http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:...](http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML)), which
established (for the EU) these regulations.

What it doesn't mean is that customers of Amazon are also compliant, because
Amazon has no clue what types of data they are processing, what they are doing
with it, and where they are putting it. They are wisely advised to consult
counsel to ascertain this fact.

~~~
aries1980
I'm not sure they still comply for the UK Data Protection Act. According to
the Information Commissioner's Office [https://ico.org.uk/for-organisations/guide-to-data-protectio...](https://ico.org.uk/for-organisations/guide-to-data-protection/principle-8-international/) :

> A company in the UK uses a centralised human resources system in the United
> States belonging to its parent company to store information about its
> employees.

or

> A travel agent sends a customer’s details to a hotel in Australia where they
> will be staying while on holiday.

> If you intend information on the website to be accessed outside the EEA,
> then this is a transfer.

This means if your data can be accessed outside the EEA, e.g. you access your
on-premise CRM on your African holiday, you are likely to void Principle 8.

~~~
M2Ys4U
The ICO is a member of the Article 29 Working Party (the WP is made up of a
representative from each of the 28 EU Member States + the European Commission
and EU bodies dealing with data protection, as detailed in Article 29 of the
Data Protection Directive).

The WP is designed to make sure that Member States' Data Protection
Authorities apply the DPD in a roughly uniform manner.

Of course, if the ICO deviates from the DPD then any party is able to appeal
to the First-Tier Tribunal, the Upper Tribunal and the Court of Appeal who may
then refer any questions of EU law to the ECJ in a similar way to Schrems'
case.

------
BogusIKnow
Does this mean that Amazon can transfer customer data (their AWS customer)
outside the EU (like address and email etc.), but it does not mean that AWS
customers can move their customers' data outside the EU?

Comments here seem to have mixed things up.

------
kriro
I'm not sure I understand the announcement, my head is spinning a bit from the
bureaucrat-speak but...does it in essence read

1) Amazon is compliant because they have a special (political!) deal in place

"""AWS has already obtained approval from EU data protection authorities
(known as the Article 29 Working Party)"""

2) Amazon (or AWS customers) can still transfer EU data to the US

""" [...] can continue to use AWS to transfer their customer content from the
EEA to the US, without altering workloads, and in compliance with EU law.?"""

+

"""[...] to enable transfer of personal data outside Europe, including to the
US with our EU-approved Data Processing Addendum and Model Clauses."""

If so I'm worried.

~~~
pfortuny
I bet (EU citizen here) that agreement is some kind of official
"certification" which a storage firm can acquire via a (probably long and
winding) bureaucratic process.

Lots of those here.

Kind of "civil blessing".

