eMarketeer is it as that the Schrems 2 ruling does not prohibit storing data with US-based providers like AWS, Microsoft, and Google. If it did, it would severely impact our ability to use essential services such as mobile services, Office 365, Outlook, and others. The primary concern arises from the US Cloud Act, which was enacted on March 23, 2018. This legislation stipulates that any US IT company must provide personal data to US authorities if required in connection with a criminal investigation.
However, it’s essential to note that such requests are not made lightly and require strong suspicion of criminal activity, a standard that also applies within the European Union.
At eMarketeer, we prioritize data security. All data is encrypted both in transit and at rest using our proprietary encryption keys. This ensures that AWS or any other service provider cannot access our data without our authorization, which can only be granted through a ruling by an EU court. Additionally, we strictly adhere to our Data Protection Agreement (DPA), which prohibits the transfer of data outside the European Union. This commitment reinforces our dedication to safeguarding data privacy and complying with relevant regulations.
For more information on the impact of the US Cloud Act, you can refer to this link: https://edpb.europa.eu/our-work-tools/our-documents/letters/edpb-edps-joint-response-libe-committee-impact-us-cloud-act_en.
Below is the view from AWS if you can use thier service after the Schreems ruling:
-
Yes, AWS customers can continue to use AWS services to transfer customer data from Europe to countries outside the EEA who have not received an adequacy decision from the European Commission. The Schrems II ruling validated the use of Standard Contractual Clauses (SCCs) as a mechanism for transferring customer data outside the EEA and AWS customers can continue to rely on the SCCs for any transfer of customer data outside the EEA in compliance with GDPR.
- Processing location. Customers select the AWS Region in which their customer data will be stored. An overview of available AWS Regions can be found under Regions and Availability Zones. AWS will not process customer data outside the customer’s selected AWS Region unless it is necessary for the purpose of providing the AWS services initiated by the customer, or as necessary to comply with the law or a binding order of a governmental body. Please see our Privacy Features webpage to find out more on data transfers as part of AWS services.
- Sub-processors. AWS may use sub-processors, i.e. AWS affiliates or third parties to assist with the processing of customer data, to fulfil our obligations to customers under the AWS DPA, or to provide services on our behalf. See FAQ “Does AWS use sub-processors to process customer data?” below for details.
- Transfer tools. Since the Schrems II ruling has validated the use of SCCs as a mechanism for transferring data to countries outside the EEA who have not received an adequacy decision from the European Commission, our customers can continue to rely on the SCCs included in the AWS DPA if they choose to transfer their data outside the EEA in compliance with the GDPR.
- Supplementary measures.
- Customer control. Customers have ownership and control over their customer data at all times through simple, yet powerful, tools that enable them to determine where their customer data will be stored, secure their customer data in transit and at rest, and manage user access to their AWS resources and modify, delete and retrieve customer data.
- Technical and organizational measures. AWS implements responsible and sophisticated technical and physical controls and processes designed to prevent unauthorized access to or disclosure of customer data (visit the AWS Compliance webpage for more information). We also provide a number of advanced encryption and key management services (including services which allow customers to manager their own keys) that customers can use to protect their customer data both in transit and at rest – encrypted customer data is rendered inaccessible without the applicable decryption keys. Regardless of whether customer data is encrypted or unencrypted, we will always work vigilantly to protect customer data from any unauthorized access.
- Law enforcement requests. AWS has internal processes to deal with requests that we receive from law enforcement. When we receive a request for customer data from law enforcement, we carefully examine it to authenticate accuracy and to verify that it is appropriate and complies with all applicable laws. Unless legally prohibited from doing so, AWS notifies customers before disclosing customer data so that customers can take further steps to seek protection from disclosure. In the Supplementary Addendum to the AWS DPA (Supplementary Addendum), AWS makes strengthened contractual commitments in relation to dealing with government requests for customer data, including by committing to (i) use every reasonable effort to redirect any governmental body requesting customer data to the relevant customer, (ii) promptly notify the request to the customer if legally permitted to do so (including by using all reasonable and lawful efforts to obtain a waiver of prohibition if necessary), (iii) challenge any overbroad or inappropriate request, including where the request conflicts with EU law, and (iv) if, after exhausting the steps described above, AWS still remains compelled to disclose customer data in response to a governmental request, to disclose only the minimum amount of customer data necessary to satisfy the request.
- Contractual measures. AWS makes several contractual commitments to the measures described above that are reflected in the AWS DPA and the Supplementary Addendum. The AWS DPA and the Supplementary Addendum include contractual commitments from AWS concerning (1) customer’s selection of AWS Regions in which customer data is stored and processed, (2) both the technical and organizational measures that AWS has implemented to protect the AWS infrastructure and the technical organizational measures that customers may choose to apply to protect their customer data, (3) AWS’s measures to protect customer data and inform the customer in case of a data disclosure request from a governmental body, and (4) AWS’s ability to fulfil its obligations set forth in the AWS DPA in compliance with legislation applicable in a third country in which customer data is processed. The Supplementary Addendum also addresses (5) the statutory rights of individuals to claim for compensation in case of a violation of their rights granted by the GDPR.