Recently, the Spanish Data Protection Authority (AEPD) has enormously boosted the Amazon IaaS services in Europe, declaring “adequate” the guarantees provided by Mr. Bezos’s company for international personal data transfers from Europe to USA, using the Seattle-based company services.
Up to this day, under the European Data Protection legislation, United States are not considered as a country with an adequate level of privacy protection. This situation implies for European companies a need for a long and tedious (not to mention anfractuous) bureaucratic process to obtain permission to storage personal data in a cloud-based service in USA.
But things seem to start changing with the AEPD Resolution TI/00429/2016 (available in Spanish here: https://d0.awsstatic.com/certifications/SpanishDPAAuthorization.pdf).
First of all, the Spanish Authority recognizes that is the first time that it approves an authorization for personal data international transfer to USA, presented not by a personal data exporter, but presented by an importer (Amazon Web Services, Inc. – AWS). Actually, the Spanish legislation don’t say anything about who’s entitled to present a request for authorization for this kind of international data transfer (see art. 33, Ley Orgánica de Protección de Datos – LOPD). It just happened that, until this very day, only (very few) data exporters asked for authorizations. AWS did it first and did it right. Good for them.
The second and maybe more interesting news is that, from now on, if you (or your company) want to store personal data with the AWS services, you don’t need a previous authorization from the local Data Protection Agency anymore. You just need to inform authorities that you use AWS services and that you have already signed the contracts included in the so called Data Protection Addendum. End of story.
What all this implies
In my opinion, the first lesson learnt is that a strict data protection regulation is NOT an obstacle for personal data movements. The AWS’s effort proves that, if you care about the privacy, you will have a better product to sell and, probably, a better position in the market.
Second: European citizens will enjoy the same level of privacy protection as if their (our) personal data would have been stored in Europe. This is another proof that we don’t need to lose our rights to have a better service.
Third: it seems reasonable to argue that the AWS competitors will follow the path and we will see, in a near future, more companies offering better and privacy-friendly services.
So, who said that more (fair) regulations mean less free market?