Cheraw Chronicle

Complete News World

AWS gets a new CEO and wants to invest €7.8 billion in the European cloud – IT Pro – News

You have a good point. It is already difficult to be 100% sure that stored data is completely secure, even with this new architecture. In recent years, the European Court of Justice (CJEU) has declared invalid two key legal frameworks that facilitated data exchange between the European Union (EU) and the United States (US) due to privacy and data protection concerns. In addition, there are several pieces of US legislation that must first be amended before it can be made 100% legal under the agreements between the EU and the US.

Safe Harbor (Repealed in 2015): Established in 2000, the Safe Harbor Agreement was the first framework allowing US companies to transfer personal data from the EU to the US. However, it was declared invalid in 2015 after Edward Snowden revealed the extent of US surveillance practices, which were found to violate EU privacy standards.

Privacy Shield between the European Union and the United States (Declared invalid in 2020): The European Court of Justice also declared invalid the EU-US Privacy Shield, which replaced Safe Harbor, in July 2020. The court ruled that the Privacy Shield did not adequately protect EU citizens’ data from American surveillance activities. The European Court of Justice found that US laws, such as Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, allow US intelligence services broad access to the personal data of EU citizens without adequate safeguards.

EU-US data privacy framework: Following the revocation of the Privacy Shield, the European Union and the United States entered into negotiations to create a new data protection framework known as the EU-US Data Privacy Framework. This new framework is designed to address the shortcomings of its predecessors and should provide stronger guarantees to protect the personal data of EU citizens. The framework includes stricter obligations for US companies regarding data processing and more transparency about US authorities’ access to this data. Moreover, it provides better enforcement mechanisms and legal redress for EU citizens. However, despite these improvements, concerns remain about the actual effectiveness of this framework in light of the expanded powers of US surveillance systems.

As of 10 July 2023, the EU-US Data Privacy Framework became active and allows personal data to flow between the EU and the US without the need for separate contractual arrangements (such as Standard Contractual Clauses (“SCC”)). However, with years of challenges and invalidation of (1) the EU-US Safe Harbor Framework and (2) the EU-US Privacy Shield, it remains to be seen whether this new mechanism will encounter the same data privacy challenges as those mechanisms.

source: https://kluwerlawonline.c…w+Review/44.5/BULA2023024

The invalidation of these frameworks has created a great deal of legal uncertainty for companies that rely on transatlantic data transfers. Currently, companies have to use alternative mechanisms such as Standard Contractual Clauses or Binding Corporate Rules (BCRs) to comply with EU data protection standards. However, these mechanisms are also under pressure and companies need to conduct comprehensive assessments to ensure data protection meets EU requirements, and there are still loopholes on the US side due to current US legislation.

In addition to the Cloud Act and the Foreign Intelligence Surveillance Act (FISA), there are some other US laws and legal mechanisms that the US government can use to access data from US companies operating in Europe. This gives the US government significant access to data no matter where it is located:

USA Patriot Act: After the attacks of September 11, 2001, the Patriot Act was introduced, which greatly expanded the US government’s data collection capabilities. Section 215 of the Patriot Act provides that the government can broadly access data of companies deemed relevant to counterterrorism.

National Security Letters (NSLs): National Security Letters are administrative subpoenas that the FBI can issue without court intervention to access corporate clients’ information, such as communications and financial data. These may also include an obligation of confidentiality, meaning that companies cannot disclose that they have received a national security letter.

Electronic Communications Privacy Act (ECPA): ECPA regulates government surveillance of electronic communications. It stipulates, among other things, that the government can access electronic communications data stored by service providers by court order.

Stored Communications Act (SCA): Part of the ECPA, the SCA provides government access to stored communications such as emails and files maintained by providers of electronic communications or remote computing services. The government can request this data by court order.

Executive Order No. 12333: This executive order gives intelligence agencies broad authority to collect foreign intelligence, including communications data located outside the United States. Although this is primarily intended to collect intelligence abroad, it can indirectly affect the data of non-US citizens. It is less important here, but can still be taken into account to some extent.

All Writs Act: This law grants the federal courts the power to issue all orders necessary to exercise their powers. This includes forcing individuals or companies to cooperate in investigations, including providing technical assistance to law enforcement agencies.

Although AWS promises that its European sovereign cloud will comply with strict EU regulations and that data will remain within the EU, there is a fundamental problem that remains as long as the parent company is based in the United States. In theory, US laws, such as the Cloud Act, may require US companies to provide data, even if that data is stored in Europe.

The new AWS European Sovereign Cloud is a step in the right direction. However, there always remains a degree of uncertainty about the actual security and sovereignty of data. The only step that really needs to be taken is one that Amazon cannot take on its own, but that must come from the US government. Even then, our data in the EU will not be 100% secure with these companies. Although you can say that 100% security is never possible as long as there are intelligence services that are hacking, eavesdropping or spying, even if the legal gap that currently exists is closed.

[Comment edited by jdh009 on 15 May 2024 14:50]