AWS Security Blog

Customer Update: Amazon Web Services and the EU-US Privacy Shield

Recently, the European Commission and the US Government agreed on a new framework called the EU-US Privacy Shield, and on July 12, the European Commission formally adopted it. Amazon Web Services (AWS) welcomes this new framework for transatlantic data flow.

As the EU-US Privacy Shield replaces Safe Harbor, we understand many of our customers have questions about what this means for them. The security of our customers’ data is our number one priority, so I wanted to take a few moments to explain what this all means.

The new EU-US Privacy Shield does not impact AWS customers for two reasons. First, customers using AWS have full control of the movement of their data and have always had the choice of the region in which their data is kept. AWS customers choose the AWS region where their data will be stored and can be assured that their data will remain there unless moved by them. Second, for customers who wish to transfer personal data from an AWS region in the European Economic Area (EEA) to one in another part of the world, including the US, AWS customers can do this in compliance with EU data protection law under the terms of the AWS Data Processing Addendum with Model Clauses, which was approved in 2015 by the EU data protection authorities (called the Article 29 Working Party). These options are available to all AWS customers who are processing personal data, whether they are established in, or a global company operating in, the EEA.

Additionally, Amazon.com, Inc. is taking the necessary steps to certify under the EU-US Privacy Shield (as of August 1, companies can begin the process of certifying themselves against it). Upon completion of this process, AWS will be covered under this certification.

For customers not looking to transfer data out of the EEA, we continue to give them all of the security, privacy, and control they have always had with AWS:

  • Customers maintain ownership of their content and select which AWS services process, store, and host their data.
  • Customers concerned about security can encrypt their content in transit or at rest, and we also provide customers with the option to manage their own encryption keys—or we can do this for them.
  • Customers determine the location in which their data is stored and completely control any movement of that data. This allows customers to deploy AWS services in the locations of their choice, in accordance with their specific geographic requirements, including in established AWS regions in Dublin and Frankfurt—meaning customers can keep their content in the EU.
  • Customers will soon have the option to store their content in the UK when the AWS UK Region becomes available by the beginning of next year. This region will provide the same high levels of control, security, and data privacy customers receive in AWS’s other global regions.

European customers were among the first to adopt AWS services when we launched in 2006 and they have continued to move their mission-critical workloads to AWS at a rapid pace. Customers of every size, from every European country, and every industry, running all imaginable workloads, have been moving to AWS. We will continue to work closely with our customers across the EEA to help them move to the AWS Cloud, and we look forward to seeing the continued innovation and growth of all European businesses.

At AWS, security is our top priority, and we will continue to work vigilantly to ensure that our customers are able to continue to enjoy the benefits of AWS securely, compliantly, and without disruption in Europe and around the world.

– Steve