The German “Europäische Gesellschaft für Datenschutz mbH” (EuGD) filed a GDPR complaint against Amazon, the world’s largest online retailer and owner of the largest cloud service, on October 9th 2020. The basis for the complaint is that Amazon transfers personal data about customers in the EU to the US for processing. The press release (in German) states that even though several months have passed since the July 2020 Schrems 2 ruling that invalidated the EU/US Privacy Shield data transfer agreement, such transfers have not ceased. So what does all this mean for your business?
When to take the end of Privacy Shield seriously? Apparently yesterday.
With large parts of the tech world asking when to start taking the end of Privacy Shield seriously, and companies trying to “wait and see” what the impact will be, the answer is now clear. Indecision is a decision, and even an industry giant like Amazon cannot afford the luxury of inaction.
While it is true that the exact impact of the end of the EU/US Privacy Shield agreement is as yet untested, large companies are scrambling to formulate a response. Facebook, the company originally targeted by the Schrems 2 lawsuit, has responded with a series of different messages, ranging from willfully ignoring the ruling all the way to threatening to cease operations in the EU. If this looks to you like the stages of grief as exhibited by a large organization, you would perhaps not be wrong.
So if you have not started thinking about the consequences of the Schrems 2 ruling yet, and your army of lawyers is smaller than that of Facebook, it is perhaps time to prioritize the issue.
What will happen to Amazon and AWS in the EU?
This is, of course, a very good question. On a technical level, some AWS services offer functionality that depends on operating across multiple regions. One example is DynamoDB with global tables: the whole point of that feature is to replicate a table to several regions of the customer’s choosing, so that an application can keep a single, unified data model while serving customers worldwide. If data transfers between the EU and the US were banned outright, AWS would have to make some very careful re-architecting decisions for services like this, and customers would have to verify which regions their replicas actually live in.
Update October 13: This article originally referenced S3 as an example of a global service that AWS offers. A reader commented that “[…] Technically S3’s durability comes from cross-AZ replication, not cross-region. The bucket namespacing is global, but bounding customer data to a single region isn’t a rearchitecture constraint for AWS.” This is correct and we are grateful for the correction. A better example is therefore DynamoDB with global tables, so the text has been updated accordingly.
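The practical question for an AWS customer is not whether DynamoDB can replicate across regions but whether any of their own tables actually do so outside the EU. The following Python check is an added example written for this article, not code from the original post or from AWS. It takes table descriptions in the shape of the Table element returned by boto3’s describe_table() call (a global table lists its replicas under Replicas; a plain regional table has no such key) and flags every table whose home region or replica set falls outside an EU allow list. The sample tables are constructed, and the HomeRegion field is something this example adds to record which region the call was made against; it is not part of the API response.

```python
"""Flag DynamoDB tables that live in, or replicate to, regions outside the EU.

Added example for this article, not code from the original post or from AWS.
Input mirrors the "Table" element of boto3's describe_table() response; the
sample data below is constructed and runs offline.
"""

# EU regions as of late 2020; extend if AWS adds more.
EU_REGIONS = {
    "eu-west-1", "eu-west-2", "eu-west-3",
    "eu-central-1", "eu-north-1", "eu-south-1",
}

# Constructed sample. "HomeRegion" is a field added here to record the region
# the describe_table() call was issued against; it is not in the API response.
SAMPLE_TABLES = [
    {   # global table replicated to the US: should be flagged
        "HomeRegion": "eu-central-1",
        "Table": {
            "TableName": "orders",
            "Replicas": [
                {"RegionName": "eu-central-1", "ReplicaStatus": "ACTIVE"},
                {"RegionName": "us-east-1", "ReplicaStatus": "ACTIVE"},
            ],
        },
    },
    {   # regional table, no Replicas key at all: fine
        "HomeRegion": "eu-west-1",
        "Table": {"TableName": "sessions"},
    },
    {   # global table whose home region is in the US: should be flagged
        "HomeRegion": "us-west-2",
        "Table": {
            "TableName": "analytics",
            "Replicas": [
                {"RegionName": "us-west-2", "ReplicaStatus": "ACTIVE"},
                {"RegionName": "eu-west-1", "ReplicaStatus": "ACTIVE"},
            ],
        },
    },
]


def replica_regions(table):
    """Return the set of regions listed as replicas; empty for a regional table."""
    return {replica["RegionName"] for replica in table.get("Replicas", [])}


def out_of_scope_regions(table, home_region, allowed=EU_REGIONS):
    """Regions holding this table's data that are not in the allow list.

    The home region is always included, because a table with no replicas
    still stores data wherever it was created.
    """
    regions = {home_region} | replica_regions(table)
    return sorted(regions - allowed)


def audit(descriptions, allowed=EU_REGIONS):
    """Map table name -> offending regions, for every table with a finding."""
    findings = {}
    for entry in descriptions:
        table = entry["Table"]
        offending = out_of_scope_regions(table, entry["HomeRegion"], allowed)
        if offending:
            findings[table["TableName"]] = offending
    return findings


if __name__ == "__main__":
    for name, regions in audit(SAMPLE_TABLES).items():
        print(f"{name}: data present outside the EU in {', '.join(regions)}")
```

In a real account you would feed audit() with the result of describe_table() for every table returned by list_tables(), called against each EU region you operate in; a table that shows up with replicas you did not expect is exactly the kind of transfer the EuGD complaint is about.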
If you use AWS as your cloud infrastructure provider, these decisions may or may not end up affecting your business.
As for the immediate effects on Amazon’s and AWS’ business, we shall have to wait and see. Even though Facebook has had a head start in thinking about the ramifications, it can offer very little guidance to Amazon. We will track how this case makes its way through the courts.
Multi-cloud strategy: more important and feasible than ever
Regardless of what happens to AWS, the writing has been on the wall for quite some time now. Businesses cannot put all their eggs in the AWS basket any longer. A multi-cloud strategy is more important than ever. Processing data about EU customers in EU-based clouds is the only surefire and future-proof way of proceeding from here.
Thankfully, a multi-cloud strategy is also more feasible than ever. With cloud-native technology from the CNCF landscape, supported by the Kubernetes container orchestrator and platform, it is easier than ever to build a cloud-agnostic service.
Businesses in regulated industries have perhaps the most to worry about after the Schrems 2 ruling, as the public places greater trust in them to operate according to all applicable laws and regulations. For such businesses, Elastisys has created Compliant Kubernetes, an open source and fully Certified Kubernetes Platform. We make it available both as open source to run in your own data center or compatible cloud of choice, and as a managed service with enterprise-grade SLAs and 24/7 on-call support. Also check out our managed platform services offering, which provides you with managed databases, log storage, monitoring and message queues to simplify your operations.
Contact us if you have any questions or need assistance in setting up a multi-cloud strategy to manage your risk of running afoul of GDPR. We have long experience in these matters, and would love to help you.