AWS Security Blog

Customer update: AWS and the EU-US Privacy Shield

Recently, the Court of Justice of the European Union (CJEU) issued a ruling regarding the EU-US Privacy Shield and Standard Contractual Clauses (SCCs), also known as model clauses. The CJEU ruled that the EU-US Privacy Shield is no longer valid for the transfer of personal data from the European Union (EU) to the United States (US). However, in the same ruling, the CJEU confirmed that companies can continue to use SCCs as a valid mechanism for transferring data outside of the EU.

Following this ruling, we wanted to inform you that AWS customers and partners can continue to use AWS to transfer their content from Europe to the US and other countries, in compliance with EU data protection laws – including the General Data Protection Regulation (GDPR). AWS customers can rely on the SCCs included in the AWS Data Processing Addendum (DPA). As the regulatory and legislative landscape evolves, we will always work to ensure that our customers and partners can continue to enjoy the benefits of AWS everywhere they operate.

The AWS DPA is part of our Service Terms, which means all AWS customers and partners globally can rely on the terms of the AWS DPA (which includes SCCs) because they apply automatically, whenever they use AWS. AWS customers and partners wishing to transfer personal data from the EU to other countries can do so with the knowledge that AWS provides the same high level of protection in other countries as it does in the EU.

At AWS, our highest priority is ensuring the security and privacy of our customers’ data. We implement rigorous technical and organizational measures to protect its confidentiality, integrity, and availability, regardless of which AWS infrastructure region is selected.

AWS gives customers and partners ownership and control over their content at all times through simple, yet powerful, tools that enable them to determine where their content will be stored, secure their content in transit and at rest, and manage user access to their AWS resources. We implement responsible and sophisticated technical and physical controls designed to prevent unauthorized access or disclosure of customer and partner content, and provide a number of advanced encryption and key management services that customers and partners can use to protect their content both in transit and at rest—encrypted content is rendered useless without the applicable decryption keys. Regardless of whether data is encrypted or unencrypted, we will always work vigilantly to protect customer and partner data from any unauthorized access. When we receive a request for content from law enforcement, we carefully examine it to authenticate accuracy and to verify that it is appropriate and complies with all applicable laws. Where we need to act to protect customers and partners, we will continue to do so.

We are committed to empowering our customers to run their businesses with the most flexible and secure cloud computing environment available today.

For further information on AWS and data privacy go to: https://aws.amazon.com/compliance/data-privacy-faq/

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

Author

Steve Schmidt

Steve is Vice President and Chief Information Security Officer for AWS. His duties include leading product design, management, and engineering development efforts focused on bringing the competitive, economic, and security benefits of cloud computing to business and government customers. Prior to AWS, he had an extensive career at the Federal Bureau of Investigation, where he served as a senior executive and section chief. He currently holds 11 patents in the field of cloud security architecture. Follow Steve on Twitter