1) The EU Data Protection Directive of 1995 requires EU member states to enact data protection laws and establish authorities to enforce these laws. It applies to any personal data. 2) Under the Directive, data controllers are responsible for protecting personal data and ensuring any processors also protect the data. Data cannot be transferred outside the EEA without adequate protections. 3) To comply when using AWS, customers are responsible for their own data and must implement appropriate security, access controls, and encryption. AWS provides security tools and follows best practices.

1. Enabling Compliance
with EU Privacy Laws
Liz Bauzá
AWS Senior Corporate
Counsel

2. Legislative Framework
• Data Protection Directive (1995)
• Applies to “personal data” (i.e. any information relating to an identified or
identifiable natural person).
• Required each EU member state to…
– enact local laws to satisfy minimum standard for data protection
– establish its own data protection authority
– monitor and enforce these laws (e.g. penalties)

3. Key Concepts
• Data controller is responsible for:
ü protecting personal data from unlawful processing
ü compliance but must seek contractual assurances from processors
• Defined Terms:
– “Controller” determines purposes and means of processing (e.g.
customers)
– “processor” anyone who processes personal data for the controller
– “Processing” includes many activities (e.g. storage, making available,
blocking, erasure or destruction)

4. Key Principles
• Data controllers must ensure data processing
complies with these principles:
• Fairness and specific purpose
• Adequacy and relevance
• Accuracy
• Data is destroyed when obsolete
• Adequate security
• Adequate transfers
Key for AWS
Customers

5. Data Transfers Outside the EU
Data cannot be transferred outside EEA without “adequate”
protection
Currently, the safe countries are:
• All 28 EU Member States:
(Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland,
France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta,
Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden & UK*)
• Members of EFTA:
Iceland, Lichtenstein & Norway
(together the EEA)
• And countries which the European Commission has recognized as
providing adequate data protection:
Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New
Zealand, Switzerland and Uruguay
*for now

6. Data Transfers outside the EU
What constitutes “transfer”?
• Using Regions outside the EU
• Depending on the EU member state, potential access to personal data in the course of
service operations from outside of the EU
Data controller must satisfy itself that there are ”adequate” safeguards to protect the
transferred data
How..?
• Due Diligence (e.g. audit reports, certifications, industry standards)
• For transfers to countries without adequate protection: contractual terms (e.g. “EU
Model Clauses”/”Standard Contractual Clauses”/”SCCs”) and EU-US Privacy Shield*
*for now?

7. So what does compliance
look like on AWS?

8. Nature of the AWS Services
ü IT infrastructure services
ü Self-service, automated, on-demand, flexible
ü AWS data centres, but provisioned and
controlled by customers
ü Customers build solutions of their choice
virtual server instances
cloud-based storage
API calls
Management Console

9. Nature of the AWS Services
• Customers empowered to:
§ Design and architect the apps/solutions they run on AWS
§ Configure access controls or firewall settings
§ Implement encryption
§ Set up archiving frequency
§ Manage and protect their own content
§ Maintain appropriate security & back-up of their content

10. Security – A Shared Responsibility

11. Focus on Security & Enabling Compliance
“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.”
– Tom Soderstrom, CTO, NASA JPL
AWS provides the same, familiar approaches to security that companies have been using
for decades with increased visibility, control, and auditability.
Visibility
View your entire
infrastructure with one
click
Deep insight with
AWS CloudTrail
Control
You have sole
authority on where
data is stored
Shared responsibility
model
Auditability
3rd Party Validation – Certifications for Workloads that Matter

12. Content vs. Personal Data
Content
= anything that a customer
(or any end user) stores, or
processes using AWS
services, including:
Software ǀ Data ǀ Text ǀ Audio ǀ Video
Personal Data
= information from which a
living individual may be
identified or identifiable
(under EU data protection
law)
••Customer’s “content” might
include “personal data”

13. Security of Content and Data Breaches
ProcessorData Subject Controller
x
X
Must implement appropriate
technical and organizational
measures (“TOMs”)
Must monitor own environment
Must notify regulators and data
subjects
Content agnostic
Own TOMs

14. Transferring Content
Region and number
of availability zones
New region
(coming soon)
ü Customers decide where their data will be stored
ü Customers may choose to transfer content that
includes personal data
ü From EEA to a country outside the EEA: Data Processing
Addendum includes the Standard Contractual Clauses/Model
Clauses
ü From EU to US: EU-US Privacy Shield Framework

15. General Data Protection Regulation
• Applies from 25 May 2018
• Introduces obligations on processors
• Has extra-territorial effect:
Applies to controllers and processors in the EU, and to non-EU
controllers and processors providing products or services to data
subject in the EU
• Revenue-based fines of up to 4% of annual worldwide turnover for
undertakings
• We have a GDPR DPA which can be made available to customers
for signature in advance of the May 2018 deadline

16. How can we prepare for the
GDPR?

17. Getting ready for GDPR
AWS
ü All AWS services will comply with
the GDPR when it becomes
enforceable in May of 2018
ü AWS will also be compliant with
the CISPE Code of Conduct
(https://cispe.cloud/)
ü New Data Processing Agreement
(GDPR DPA) that will meet the
requirements of the GDPR
AWS Customers
Start with:
ü Data Subject Rights
ü Data Protection Impact
Assessment (DPIA)
More information available at:
https://aws.amazon.com/complianc
e/eu-data-protection/