Data protection in Amazon Web Services Is the data of European data subjects sufficiently protected in Amazon Web Services?
Master Thesis
Leonie Christina Sophia Peters LLM Law & Technology SNR: 2047526 ANR: 384253 Date: 18 June 2020
Tilburg University (2019-2020 Academic session) Supervisor: Bo Zhao - LTMS department Second reader: Colette Cuijpers - LTMS department
Table of Contents
List of abbreviations ...... 3
Chapter one: Introduction ...... 4 1.1 Introduction – ‘Cloud Computing’ ...... 4 1.2 Existing literature and gaps in the literature ...... 6 1.3 Research questions ...... 7 1.4 Methodology and method ...... 9 1.5 Outline of the thesis ...... 9
Chapter two: cloud computing and security ...... 10 2.1 What is ‘cloud computing’? ...... 10 2.1.1 How is data handled and transferred in the cloud? ...... 12 2.2 Structure of Amazon Web Services ...... 13 2.3 Privacy and data protection challenges of ‘cloud computing’ ...... 15 2.3.1 Privacy and data protection challenges of cloud computing in general ...... 17 2.3.2 Privacy and data protection challenges in Amazons Web Services ...... 23 2.4 End remarks ...... 33
Chapter three: Cloud regulation ...... 34 3.1 Data protection regulation in the United States and the European Union ...... 34 3.2 Data protection regulation on data transfers in the European Union ...... 37 3.2.1 The EU-US Privacy Shield ...... 39 3.3 Data protection regulation in the United States ...... 42 3.3.1 The CLOUD Act ...... 43 3.3.2 Disclosure of data to law enforcement by Amazon ...... 45 3.4 End remarks ...... 48
Chapter four: Amazon Web Services contract and legal remedies ...... 50 4.1 Data protection clauses in an AWS contract ...... 50 4.2 Liability, consequences, safeguards and remedies of a data breach in Amazon’s cloud for European data subjects ...... 57 4.2.1 Consequences of a data breach in Amazon’s cloud ...... 58 4.2.2 Remedies and liability in the European Union ...... 59 4.2.3 Remedies and liability in the United States ...... 62 4.2.4 Arrangements for legal remedies in the EU-US Privacy Shield ...... 69 4.3 Closing remarks ...... 71
Chapter five: Conclusion ...... 73
2 Reference list ...... 77
List of abbreviations
AWS Amazon Web Services AWS DPA Amazon Web Services Data Protection Addendum B2B Business-to-Business CCPA California Consumer Privacy Act CLOUD Act Clarifying Lawful Overseas Use of Data Act DPA Data Protection Authority EEA (European Economic Area) EU European Union EUCJ European Court of Justice GDPR General Data Protection Regulation FTC Federal Trade Commission IaaS Infrastructure as a Service IAM Identity and Access Management NIST National Institute of Standards and Technology PaaS Platform as a Service PII Personally identifiable information SaaS Software as a Service SSRF Server-side request forgery US United States VPC Virtual Private Cloud
3
Chapter one: Introduction
1.1 Introduction – ‘Cloud Computing’
The ability to store data online is an arising appearance. The majority of people think of Apple’s iCloud when they think of cloud computing, but it was actually Amazon who developed the first cloud.1 Amazon is still one of the biggest players in offering ‘cloud computing’ services.2 Amazon Web Services (hereafter AWS) is nowadays a new technology specifically used by a large number of international companies to store data on an on-demand resource. A web service mostly provides an object-oriented Web-based interface to a database server which provides a user interface to an end-user.3 Amazon Web Services offers cloud computing platforms and APIs to its customers.4 APIs are usually implemented with Web Services.5 People consider cloud computing as an abstract term and as one of the greatest intangible things. It appears to be so abstract that it is hardly imaginable that the majority of people and companies use it. The cloud is regarded as an innovative change of computing paradigm.6 After all, it is considered to be a one all-embracing concept, while in fact it encompasses many different things.7 Cloud technology is evolving rapidly.8 Policies in the areas of data protection and free flow of data struggle to keep pace.9 It is commonly recognized in the literature that cloud computing needs specific regulation and strict political oversight. Cloud computing has been recognized by the European Commission as an important part of the economic market.10 The
1 Vladimir O. Safonov, Trustworthy Cloud Computing (1st edn, John Wiley & Sons, Incorporated 2016), p. 5. 2 Timane, Rajesh, ‘Analysis of Cloud Computing Market Players. International Journal of Research in IT & Management’ [2011] Vol. 1, no. 5, ISSN 2231-4334 96, p. 96. 3 Wikipedia, ‘Web service’
4 main role of cloud computing in Europe is established by the European Cloud Initiative and the Initiative on Building an European Data Economy.11 The European Commission states that their Digital Single Market Strategy includes a call for cooperation on digital matters at international level.12 The cooperation between the European Union and the United States on cloud computing is progressive. The dialogues between these two continents focus on exchange in best practices, common contractual aspects, SMEs13, cloud standards mapping and interoperability.14 Although, this new technology comes with a large number of advantages, it also establishes plenty of complications. Cloud computing is one of the present-day technologies which challenge the protection of our fundamental rights under the current legal systems in the world. Companies are creating gigantic databases of psychological profiles to collect data such as an individual’s name, race, gender, residence, income and purchases.15 The majority of cloud customers use cloud computing to construct these databases and a large number of companies in Europe therefore enter into a contract with Amazon on cloud computing. In these situations, it could possibly constitute a cross-border flow of data, if data of European citizens is stored on a data center which is established outside the European Union. In fact, Amazon has a wide global infrastructure which means that it has several data centers across the world. More specifically, Amazon has 69 availability zones in 22 geographic regions.16 At this moment, Amazon has fifteen data centers vested in European countries.17 Certain recent data breaches in de United States lead to a domino effect where cloud computing is considered as a risk for the protection of personal data. On the 19th of July 2019 a data breach occurred at the bank holding company CapitalOne.18 This has led to a wide discussion on the question if Amazon offers enough data protection on their web services,
11 Shaping Europe’s digital future policy – ‘Cloud computing’
5 because CapitalOne’s data was stored on AWS.19 Consequently, it caused concerns by data subjects of the AWS cloud customers in the European Union if their data is enough protected on AWS. The aim of this thesis is to find out to what extent AWS protects the data of European data subjects. This thesis will only focus on B2B (Business-to-Business) contracts, since generally only big companies enter into a contract with Amazon for AWS.20 Furthermore, it questions the data protection in cross-border cloud computing. To make clear, the cloud customer is the company, in the B2B context, who enters into a contract with Amazon to use its cloud services and to store their data which contains personal data of European data subjects. A European data subject is any person whose personal information (i.e. data) is being collected, processed or held.21 According to Article 4 (1) of the GDPR a data subject is an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, location data and other specific factors.22 The personal data is being collected by the cloud customer and is being processed by Amazon.
1.2 Existing literature and gaps in the literature
In the literature the cloud is considered as a new platform for malice, which contains a range of threats to cloud systems and to its users (i.e. cloud customers).23 Cloud service providers have access to an enormous amount of data and processes.24 This creates a certain imbalance between the providers of cloud services and its cloud customers, because most of the times this is not desirable. Nonetheless, the ones who are extremely affected by this imbalance are the data subjects of the cloud customers. Unfortunately, it takes time to implement legal mechanisms to repair this imbalance, because cloud computing is relatively new, very complex and the development is an ongoing certainty.25
19 Business Insider, ‘Elizabeth Warran is urging the FTC to investigate Amazon over concerns that it played a role in the massive Capital One data breach that affected 100 million people’ (Business Insider, 2019)
6 European and American legislators and also certain organizations have not been idle this past decade with regard to data protection regulation. First of all, the National Institute of Standards and Technology (U.S. Department of Commerce) developed the NIST Cloud Computing Standards Roadmap.26 This document aims to help federal agencies and stakeholders with the acceleration of a secure adoption of cloud computing.27 Secondly, the European Commission has a special European Cloud Strategy (2012) and developing standards was one of the aims of this strategy.28 The European Commission is working on the set up of the European Data Flow Monitoring initiative which will map data flows across the European territory.29 The CLOUD Act of the United States has led to a lot of comments worldwide. Critics on cloud computing and European data subjects are afraid that European data stored in an American cloud has to be shared with American enforcement agencies (e.g. Department of Justice (DOJ) and the Federal Bureau of investigations (FBI)) on their request. A lot of cloud services which European companies use, are established in the United States. Consequently, this could mean that the data of European citizens are exposed to American legislation. The data of European citizens may be less protected under the jurisdiction of the United States than under the jurisdiction of the European Union. Since the United States, unlike the European Union, do not have an adequate or general data protection legislation. Superficially, cloud computing technology is rising very fast and data protection is trying to develop with it, but it seems to be not enough.
1.3 Research questions
The main question of this thesis is: ‘To what extent is the data of European data subjects protected within Amazon Web Services?’. The following sub-questions will be answered:
2.1 What is cloud computing and what is the structure of Amazon’s cloud computing? 2.2 Why does cloud computing challenge privacy and data protection?
26 U.S. Department of Commerce - NIST Cloud Computing Standards Roadmap (Special publication 500-291, version 2)
7 3.1 Does Amazon comply with cross-border data transfer regulation in the United States and the European Union? 4.1 What do the data protection clauses encompass in an Amazon cloud computing contract? 4.2 What are the consequences of a data breach in Amazon’s cloud and what are the remedies for the victims?
A lot of persons can imagine what cloud computing is and they can understand the main idea behind it, but it still remains a very abstract construction. To understand cloud computing better, it is important to have a short overview of what cloud computing entails and how AWS is structured. Also, an answer to the question ‘why cloud computing challenges privacy and data protection’ is important in this thesis. Sub-question 3.1 embodies which laws regulate the protection of data when it is transferred between the Unites States and the European Union. In Europe data protection is regulated by the General Data Protection Regulation (hereafter GDPR).30 On the other hand, the United States made less effort to establish general regulation on data protection. Nevertheless, the United States and the European Union have constituted a framework where data transfer between companies of both continents is being regulated, known as the EU-U.S. Privacy Shield Framework.31 To understand the scope of data protection of European data subjects in the situation that their data is shared between the European Union and the United States, this thesis examines the question what the data protection clauses in an Amazon cloud computing contract encompass. Furthermore, what the consequences are of a data breach in Amazon’s cloud and what remedies are available for the victims will be explained. This will all be elaborated on since the remedies, safeguards and technical measures which are available in AWS can provide insight into the answer to the main question ‘To what extent is the data of European data subjects protected within Amazon Web Services?’.
30 Regulation (EC) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016) OJ L119/1. 31 Commission Implementing Decisions (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the council on the adequacy of the protection provided by the EU-US Privacy Shield C (2016)4176), annex III.
8 1.4 Methodology and method
The research for this thesis consists of two methods and it contains a mixed method approach. First of all, as a methodology, this thesis offers a dogmatic/doctrinal legal research. In order to demonstrate what the framework entails in which cloud computing in an EU-US context is developing and evolving, a thorough analysis of rules, case law and doctrines in the European Union and in the United States is required. The necessary information will be obtained by a black letter analysis and a literature review. The focus with black letter analysis will be on primary resources. Furthermore, the legal rules around cloud computing in the jurisdiction of the United States and the European Union will be analyzed. Besides this, the literature review is also an important part of the legal research. This thesis aims to find a gap in the literature regarding data protection in cloud computing. The literature review will mainly focus on secondary resources such as articles, journals and websites. The second methodology consist of a comparative legal research. This encompasses a short comparison of the United States data protection law with European data protection law. This contributes to the answer to the main question, because in order to be able to say ‘to what extent’ a closer look is required at the differences in data protection regulation between the European Union and the United States.
1.5 Outline of the thesis
First of all, this thesis starts off with chapter two. This chapter answers sub-question 2.1 and 2.2 and captures the essence of cloud computing. Chapter three sums up which laws regulate the transfer of cross-border data between the European Union and the United States and answers sub-question 3.1. This part will give an overview of the cross-border data transfer regulation of the European Union and the United States. Chapter four contains the answer to sub-question 4.1 and 4.2. It provides a complete overview of all the privacy and data protection clauses in an Amazon cloud computing agreement. Furthermore, it encompasses an overview of the legal remedies in the European Union and the United States. The fourth chapter is the complete analysis of Amazon’s response to privacy and data protection, law implementation in its privacy policy plus customer agreements and compliance. The last chapter is a summary of what has been discussed in this thesis and underlines the findings of the author. This final chapter contains the answer to the main research question.
9 Chapter two: cloud computing and security
2.1 What is ‘cloud computing’?
Most people use cloud computing with or without even knowing it. Nevertheless, cloud computing is a complex technology. This paragraph is devoted to the explanation of what cloud computing actually is. The NIST (National Institute of Standards and Technology) developed several standards on cloud computing. It defines cloud computing in the following way: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”.32 This specific cloud model consist of five vital characteristics, three service models, and four deployment models.33 Cloud computing is the delivery of computing power, storage, collaboration infrastructure, business processes and applications as utility which is a collection of services of what customers want.34 The computing resources of a cloud are delivered via a network, usually the internet.35 The cloud customer only pays for what he or she uses.36 It means that customers can rent IT resources from the cloud providers when they need it instead of buying it themselves.37 The definition that is most helpful to understand cloud computing is provided by Roger Clarke: “Cloud computing refers to a service that satisfies all of the following conditions: the service is delivered over a telecommunications network; users rely on the service for access to and/or processing of data; the data is under the legal control of the user; some of the resources on which the service depends are ‘virtualized’, by which is meant that the user has no technical need to be aware which server running on
32 Peter Mell and Timothy Grance, The NIST Definition of Cloud Computing, Recommendations of The National Institute of Standards and Technology, p. 2 (NIST, National Institute of Standards and Technology, US, Department of Commerce 2011)
10 which host is delivering the service, nor where the hosting service is located; and the service is acquired under relatively flexible contractual arrangement, at least as regards the quantum used”.38 Cloud computing provides basically two functions; computing and data storage.39 With a computing environment, the customers of the cloud do not need anything else.40 Cloud customers can easily access their data and finish their computing tasks through the internet connectivity without even knowing where their data is stored and which machines execute the tasks.41 The basic idea of cloud computing is supporting cloud customers to avoid extra installations on their computer and to consume a ready-to-use structured set of virtualized computing web services.42 The only thing that is required to use the power of cloud computing is a computer with an operating system, a web browser and access to the internet.43 Generally, cloud computing is considered as a popular groundbreaking technology. The cloud is a new approach to virtualization of computing resources, platforms and infrastructures which are based on a set of powerful computers using the web, and a huge amount of software plus databases which are stored on the computers of the cloud provider’s datacenter.44 To clarify the involved parties, this thesis will use the terms cloud service provider, cloud customer and data subject. The cloud service is delivered by the cloud provider. The cloud customer is the involved party who pays the cloud service provider to use its services. Data subjects are the customers of which the cloud customer collects the data. Within cloud computing, there are different categories of service models. This paragraph only discusses the three most important ones. The first category is infrastructure as a Service (hereafter IaaS). The service in this model provides controlled access to virtual infrastructure upon which operating systems and application software can be deployed.45 Computing resources for data processing, networking, storage and other connectivity services are offered to the cloud user.46 IaaS has the
38 Roger Clarke, ‘User Requirements for Cloud Computing Architecture’ (2010) IEEE/ACM
11 highest level of flexibility plus it contains basic building blocks for cloud IT and it is most comparable to existing IT resources.47 The software applications and databases in this model are owned by the customer. The second category is Platform as a Service (PaaS) where users are spared the need to manage storage resources actively so they can focus on programming applications to be hosted via the service.48 The provider in this model offers an integrated computing infrastructure and hosting platform. The infrastructure usually includes web server services and databases. So, here the platform is given to cloud customers to develop and deploy software applications.49 These software applications are owned by the cloud customer. Finally, the third category is Software as a Service (SaaS) which concentrates upon the application level and so it abstracts the cloud customer away from any infrastructure or platform level detail.50 So, in this case all aspects are delivered by the cloud provider.
2.1.1 How is data handled and transferred in the cloud?
In the cloud it is all about data. Data are constantly processed and stored in the cloud due to the main idea of the cloud that users have the ability to access their data anytime and anywhere they want. The internet era has made it possible to transfer data all around the world. The same applies to data in the cloud, it can also be transferred and handled throughout the world. An international transfer refers to the situation where a user uploads his data on a foreign web service where it can be processed.51 This happens with the expectation that the users data, while it is stored on the cloud, stays private.52 Users assume that their data is being transferred between the data centers of their cloud service provider, but in fact this is not the case. This will be further explained in the following paragraph of this chapter. It is one of the best-selling points of the cloud that data can be flexed on a global scale between a cloud provider’s resources.53 Transfer can refer to the transit between the cloud customer and the cloud provider
47 Amazon Web Services, ‘What is cloud computing’
12 or within the provider’s own infrastructure.54 If the cloud provider has several data centers, then the transfer of data between data centers can occur over the cloud provider’s own secure network, but it can also be transferred over internet connections.55 Nevertheless, both ways can result in numerous risks if there are not enough security and counter-measures against privacy- and cyberattacks. This problem will be further explained in paragraph 2.3.
2.2 Structure of Amazon Web Services
Amazon offers AWS (Amazon Web Services) which is the world’s most wide-ranging and adopted cloud platform.56 Amazon is one of the leading cloud service providers in the cloud sector. Amazon’s definition of cloud computing is as follows: “Cloud computing is the on- demand delivery of IT resources over the internet with a pay-as-you-go pricing. Instead of buying, owning, and maintaining physical data centers and servers you can access technology services, such as computing power, storage, and databases, on an as-needed basis from a cloud provider like Amazon Web Services (AWS)”.57 This paragraph goes deeper into the question what the structure of Amazon’s cloud computing is. AWS comprehends infrastructure as a service (IaaS). This means that Amazon provides core services such as storage, computing power, network and operating systems.58 IaaS contains low-level functionality for users, requiring greater use sophistication and expertise.59 Amazon defines IaaS which contains the basic building blocks for cloud IT and which provides access to networking features, computers and data storage space.60 Amazon Elastic Compute Cloud (EC2) is one of Amazon’s most used web services. It is a IaaS whereby computer resources are offered as a service.61 The service makes web-scale
54 Simon Bradshaw, Christopher Millard and Ian Walden, ‘Standard Contracts for Cloud Services’ in Christopher Millard (ed), Cloud Computing Law, (Chapter 3, 1st edn, Oxford University Press 2013), p. 55. 55 Ibid, p. 56. 56Amazon Web Services, ‘Cloud computing with AWS’< https://aws.amazon.com/what-is-aws/?nc1=f_cc> accessed on 18 January 2020. 57 Amazon Web Services, ‘What is cloud computing’
13 cloud computing easier for developers.62 It gives the cloud customer complete control over his computing resources and it lets them run on Amazon’s computing environment.63 The customer may install its operating systems and applications of their own choice on the cloud provider’s infrastructure instead of investing in its own data centers or servers.64 IaaS customers control the applications, runtimes, mechanisms of security, integration and the databases while the rest is controlled by the cloud provider.65 With Amazon’s infrastructure as a service the cloud customer can log in to the cloud which is provided by a full-fledged cloud platform, infrastructure which “supports ways of creating and using Web sites, virtual machines, cloud services, cloud databases, cloud mobile services, cloud multimedia services and many other kinds of interesting cloud objects”.66 AWS offers a number of features to its customers and it allows its customers to complete a lot of tasks.67 For example, creating and using cloud virtual machines, storing public and private data in the cloud storage, host static plus dynamic websites, develop and launch applications running on some platforms, processing business and scientific data in the cloud.68 The computing resources in IaaS are most of the time used for compute capabilities, storage and networking.69 First of all, for ‘compute’ (i.e. data processing) the main important factors are virtualization technologies.70 Within IaaS a lot of virtual machines (VMs) are used and hosted on a physical server via virtualization technology.71 Amazon uses its own virtualization software, namely Amazon’s modified version of Xen.72 Secondly, storage is an significant element, because it makes it possible for the cloud customer to access documents when the data is stored on different pieces of hardware.73 The advantage of this is that the cloud customers do not have to be involved and to be concerned with how they should physically
62 Amazon Web Services, ‘Amazon EC2’
14 store their data.74 In fact, Amazon offers a wide range of storage systems.75 Thirdly, networking virtualization is often used to combine hardware and software resources into a single unit to increase the network capacity.76 There is a difference between a public and private cloud. A public cloud means that the infrastructure is shared among multiple cloud customers who use the same hardware and software.77 AWS is a public cloud, because it is offered to a large number of customers. A cloud is considered as private when the infrastructure is owned by or operated for a single large customer or group of related entities.78 The structure of Amazon is also determined by its Global Cloud Infrastructure. AWS has 69 availability zones within 22 geographic regions around the world.79 Thus, the customers can deploy their applications in multiple physical locations.80 They can expand to new geographic regions very easily and deploy globally in just a small period of time.81 It should be noted here that this can create several data protection problems, as will be further explained in the next paragraph.
2.3 Privacy and data protection challenges of ‘cloud computing’
Cloud computing is well-known for its large number of advantages. The use of cloud computing can lead to efficiency in developing and deployment of a company plus it is cost saving in infrastructure.82 Nevertheless, it is not a secret that cloud computing comes with as many (or even more) disadvantages as with advantages for its users. A large discussion is going on in the literature about the risks that cloud computing entails. Cloud computing is associated with a number of privacy and data protection risks.83 Data security is an important factor which is associated with privacy and data protection issues. So, privacy and data protection fall under the scope of security problems. Security is the greatest risk when it is possible for data to be transferred to different jurisdictions for economic purposes. Storing and processing of data are
74 W. Kuan Hon and Christopher Millard, ‘Cloud Technologies and Services’ in Christopher Millard (ed), Cloud Computing Law (Chapter 1, 1st edn, Oxford University Press 2013), p. 8. 75 Amazon Web Services
15 possible in different jurisdictions. If the security of the cloud is lacking on several vital points then the risk of leakage of data, and thus the protection of data is threatened. Cloud services challenge the privacy and protection of data, because data is often exposed in an unencrypted form on a machine which is owned and operated by another organization from the data owner.84 It is clear that the openness and multi-tenant characteristics of the cloud bring tremendous impact on the security of ‘our’ data.85 As said before, under security risks, privacy and data protection are experienced as the greatest risks. What do privacy and data protection actually entail? The right to privacy and the right to personal data protection should not be mixed up. Yet, this happens a lot in the literature since the United States and the European Union use different terms to define the protection of personal information or data. Privacy regarding to data in the United States is related to the disclosure, storage, use, collection and destruction of personal data.86 Privacy is important to take into account when the cloud handles personal information (i.e. data).87 The United States statutes use a lot of terms to identify personal data, of which the most common is ‘personally- identifiable information’ (hereafter PII).88 On the other hand the European Union use another term to define ‘informational privacy’. In the European Union the term that is used is the ‘the right to personal data protection’.89 This right comes into play whenever personal data is processed.90 According to Article 4 (1) of the GDPR personal data means any information relating to an identified or identifiable natural person (a data subject).91 Processing of personal data may also infringe on the right to private life (i.e. right to privacy).92 The right to privacy comprehends the situations where a private interest of an individual has been compromised.93 In this thesis the terms privacy and data protection are used side by side to avoid confusion. Only when this thesis talks about European data protection law, the term ‘data protection’ will
84 S. Pearson and G. Yee, Privacy, Security and Trust in Cloud Computing (Springer-Verlag London, 1st edn, 2013), p. 7. 85 Deyan Cheng and Hong Zhao, ‘Data Security and Privacy Protection Issues in Cloud Computing’ [2012] ICCSEE 647, p. 648. 86 Ibid, p. 649. 87 S. Pearson and G. Yee, Privacy, Security and Trust in Cloud Computing (Springer-Verlag London, 1st edn, 2013), p. 5. 88 W. Gregory Voss and Kimberly A. Houser, ‘Personal Data and the GDPR: Providing a Competitive Advantage for U.S. Companies’ [2019] Vol. 56 Issue 2, American Business Law Journal, p. 4. 89 FRA/ECtHR/EDPS, Handbook on European data protection law (2018 edn, Publications Office of the European Union), p. 20. 90 Ibid, p. 20. 91 Regulation (EC) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016) OJ L119/1, art 4(1). 92 FRA/ECtHR/EDPS, Handbook on European data protection law (2018 edn, Publications Office of the European Union), p. 20. 93 Ibid, p. 20.
16 be used. When it only involves data protection in the United States the term ‘privacy’ will be used. Inefficient privacy and data protection settings can lead to the unwanted exposure of data.94 The result could be that the data leaks into public spaces from an intimate online communication.95 Privacy and data protection issues concern a few important elements. The first important element is ‘when’, which involves that the data subject could be worried about the revelation of their information from the past or in the future.96 The second important element is ‘how’, which means that the data subject is not comfortable with the automatic requests of companies to receive their personal information.97 The third important element is the ‘extent’ of privacy and data protection, which includes that a data subject could prefer that his or her data is reported as an unclear region rather than an exact fact.98 Within cloud computing the customers and their data subjects could be concerned about all these privacy and data protection issues. This will be further explained in this chapter. It is important to distinguish the difference between a low privacy threat and a high privacy threat. A low privacy threat occurs if the cloud service processes public information.99 A high privacy risk arises for cloud services that are personalized, based on the preferences of people and their behaviors.100 So, depending on the kind of information cloud customers put into Amazon’s cloud, there is a low or high privacy risk. In most cases it will always contain some personal information of their data subjects (i.e. data) which cloud customers transfer into the cloud, so consequently a high privacy and data protection risk arises.
2.3.1 Privacy and data protection challenges of cloud computing in general
This paragraph encompasses an explanation on why cloud computing challenges privacy and data protection. First of all, the technological and expertise issues of cloud computing will be discussed. Subsequently common privacy and data protection issues will be explained. This
94 San Murugesan and Irena Bojanova, Encyclopedia of Cloud Computing (John Wiley & Sons, 2016), p. 258. 95 Ibid, p. 258. 96 Yunchuan Sun, Junsheng Zhang, Yongping Xiong, and Guangyu Zhu, ‘Data security and privacy in Cloud Computing’ (2014) 190903 IJDSN
17 paragraph also covers cross-border data transfer concerns. At last security problems in the cloud will be discussed.
2.3.1.1 Technological and expertise issues
First of all, users of the cloud face many privacy and data protection issues like data leaks or data breaches, because of undeveloped technological structures.101 This is the most basic and obvious problem when customers deal with the cloud. Cloud computing is in fact a very abstract and complex construction which results in recurring problems. Cloud computing as a new technology brings ‘teething diseases’ with it. In general, the cloud allows services to react and make decisions on their own because of automatic and self-regulating technologies.102 If technology issues are detected the cloud customer or the cloud provider can try to fix the problems. Nonetheless, there is no guarantee that they will succeed, because they are always surrendered to the complexity of technology. The functioning cloud is not always dependent on manpower but also on the performance of technology factors like the internet, hardware, software and electricity. However, a big problem in the cloud environment is the difficulty to recruit educated people who can handle and work with complex cloud technology.103 Also employees may not be aware of the privacy and data protection impacts their decisions can have.104
2.3.1.2 Common privacy and data protection issues
Cloud computing customers face a lot of common daily privacy and data protection issues in the cloud which could affect their European data subjects. A few examples of common privacy issues are: 105 Is the collection and processing of data carried out in a correct way? Is the data used properly? Is the data disclosed only when appropriate? Is the collection of data based on a legitimate ground?
101 Dan Svantesson and Roger Clarke, ‘Privacy and consumer risks in cloud computing’ [2010] CLSR 391, p. 392. 102 S. Pearson and G. Yee, Privacy, Security and Trust in Cloud Computing (Springer-Verlag London, 1st edn, 2013), p. 7. 103 Ibid, p. 16. 104 Ibid, p. 16. 105 Dan Svantesson and Roger Clarke, ‘Privacy and consumer risks in cloud computing’ [2010] 26 (4) CLSR 391, p. 392.
18 Is the data stored and transmitted safely? For how long will the data be retained? In what circumstances can the data subject access and correct the data? Is the data subject adequately informed about these matters? Likewise, trust is a large issue within the cloud environment and it is related to privacy and data protection.106 Cloud users are afraid that their content (i.e. data) which contains others personal data are being accessed by unauthorized organizations.107 There is a significant risk that stored data may be exposed to unauthorized usage, because common practice is that a cloud service provider may profit from authorized secondary uses of its cloud customers’ data to gain profit.108 In some situations, sub-contractors are largely involved in processing, but it remains uncertain to what extent they can be properly identified, checked and ascertained.109 The main problem is the guarantee of data protection, which include confidentiality, integrity and availability.110 Privacy and data protection threats differ in each situation and depend on the cloud scenario and the data sensitivity of the data that are involved.111
2.3.1.3 Cross-border data issues
The cloud is known as a phenomenon which is not restricted to one or more jurisdictions, since it can work as a seamless and borderless entity.112 Nowadays, this is rather seen as a disadvantage than an advantage of cloud computing due to the fact that the cloud deals with personal data of cloud customers and their data subjects.113 Technological applications may transcend national borders, but privacy and data protection laws do not.114 However, the GDPR does to some extent, but this will be further explained in chapter three. Consequently, a lot of companies whose business network extends beyond the borders of one state consider to store
106 S. Pearson and G. Yee, Privacy, Security and Trust in Cloud Computing (Springer-Verlag London, 1st edn, 2013), p. 14. 107 Ibid, p. 14. 108 Ibid, p. 16. 109 Yunchuan Sun, Junsheng Zhang, Yongping Xiong, and Guangyu Zhu, ‘Data security and privacy in Cloud Computing’ (2014) 190903 IJDSN
19 their data on cross-border servers.115 They often decide to do this to profit from transcontinental markets.116 Cross-border data flows in the cloud can indirectly expose data to cyber-attacks by individuals, organized criminal networks or governments.117 A transborder dataflow is created when the data of the cloud customer leaves its country of origin for storing and processing elsewhere.118 The different cross-border problems with cloud computing will be further discussed in this paragraph. First of all, cross-border data transfer constitutes a problem to the localization of data. A key issue is the difficulty to ensure that cloud customers have control over their data (which includes the data of their data subjects) when it is stored and processed in the cloud.119 Frequently cloud customers do not know where their data is actually stored and where it is going to be processed. This can be a problem for the privacy and data protection of the cloud customers’ data. As said before, it is common practice in cloud computing that data can be transferred to different jurisdictions for economic purposes. Big companies in the United States depend on access to and use of personal data of European citizens to provide data-driven services on their continent.120 Cloud providers often offer decentralized mobile access to computing power throughout the world and they access and use the personal data of European citizens.121 The cloud services presented nowadays store data in an unencrypted form on a machine which is owned and operated by a different organization from the data owner.122 This all makes it even harder for cloud customers to keep control over their data. Number of threats arise in these situations like unauthorized uses, theft of data, leakage of sensitive data, loss of privacy.123 The lack of information about the localization of the data also creates problems when due to a security breach the recovery of the data is dependent on the localization of the data.124
115 Ibid. 116 San Murugesan and Irena Bojanova, Encyclopedia of Cloud Computing (John Wiley & Sons, 2016), p. 470. 117 Pardis Moslemzadeh Tehrani, Johan Shamsuddin Bin HJ Sabaruddin, Dhiviya A.P. Ramanathan, ‘Cross border data transfer: complexity of adequate protection and its exceptions’ [2018] CLSR 582, p. 583. 118 San Murugesan and Irena Bojanova, Encyclopedia of Cloud Computing (John Wiley & Sons, 2016), p. 470. 119 Yunchuan Sun, Junsheng Zhang, Yongping Xiong, and Guangyu Zhu, ‘Data security and privacy in Cloud Computing’ (2014) 190903 IJDSN
20 Secondly, a big issue for privacy and data protection in the transborder cloud is that it is particularly difficult for victims of privacy and data protection violations to obtain redress where the violation has occurred outside the victim’s home country.125 Furthermore, it is difficult to determine which party is responsible for ensuring legal requirements for personal data and therefore it is hard to find redress.126 Data subjects often do not know who they should sue. This issue will be further explained in chapter four. Thirdly, there are concerns about extra-territorial claims of jurisdiction with privacy and data protection laws.127 Cloud providers are exposing themselves to the laws of many countries and this can end up in a lot of legal issues.128 The fact that data might be in different places at the same time, makes it difficult to know where it exactly is or to know that it even may be in transit.129 On top of this, several copies of data located in the cloud may roam around.130 Lastly, in the situations where a cloud customer customs a transborder cloud in relation to customer services, which could be the case with AWS, the cloud customer has to make sure that they abide to the regulations regarding transborder data flows.131 Data is frequently transferred in the cloud, but the level of protection differs between countries and between cloud providers who offer a higher or lower level of privacy and data protection.132 Cloud providers as well as its customers are subject to transborder data flow restrictions. Furthermore, for state governments it is difficult to protect the data of their citizens, because every country has another understanding of privacy and data protection. The question which transborder data restrictions the United States and the European Union apply will be further discussed in chapter three.
125 Dan Svantesson and Roger Clarke, ‘Privacy and consumer risks in cloud computing’ [2010] CLSR 391, p. 393. 126 Yunchuan Sun, Junsheng Zhang, Yongping Xiong, and Guangyu Zhu, ‘Data security and privacy in Cloud Computing’ (2014) 190903 IJDSN
21 2.3.1.4 Security issues
Security is one of the core privacy and data protection principles and a necessary condition to safeguard these two rights.133 Computer security comprehends the data properties of confidentiality, integrity and availability.134 These are guaranteed by functionalities like authentication, access control, data retention, storage and back-up.135 Thus security is a process that requires constant and simultaneous compliance with these data properties.136 These properties are also known under the acronym CIA; confidentiality, integrity and availability.137 Data security is a serious problem in cloud computing, because data are distributed on different machines and storage devices which includes servers, PCs and various mobile devices.138 Traditional security such as firewalls and host-based anti-virus software are not sufficient for security in virtualized systems due to rapid threats via virtualized environments.139 For data storage, the security and protection of data in the cloud is very important.140 Besides this, trusting the cloud system is very significant, because the real advantage of any organization is using data which they share in the cloud for the needed services by putting it directly or through an application in the relational database.141 Data protection is relevant for creating the trust of cloud customers in the cloud system.142 In general a number of security concerns exist in the cloud computing environment.143 Cloud service providers must implement reasonable security measures when they handle personal data.144 Therefore, security mechanism should be included in the cloud services to protect the data of its customers against risks. Example of such security mechanisms are access controls, availability, integrity, confidentiality, storage, back-up and
133 S. Pearson and G. Yee, Privacy, Security and Trust in Cloud Computing (Springer-Verlag London, 1st edn, 2013), p. 12. 134 San Murugesan and Irena Bojanova, Encyclopedia of Cloud Computing (John Wiley & Sons, 2016), p. 258. 135 Ibid. 136 Maria Lillà and Mirta Antonella Cavallo, ‘Cybersecurity and Liability in a Big Data World’ [2018] Vol. 11, no. 2, Market and Competition Law Review 71, p. 80. 137 Ibid. 138 Yunchuan Sun, Junsheng Zhang, Yongping Xiong, and Guangyu Zhu, ‘Data security and privacy in Cloud Computing’ (2014) 190903 IJDSN
22 recovery.145 Nevertheless, the level of risks depends on the cloud service model and consequently the implementation of security issues.146 It differs between public and private clouds, but it also depends whether the chosen service model is IaaS, PaaS or SaaS. Customers of IaaS are responsible to build in security themselves.147 Cloud providers need to clarify what kind of security they expect from customers to imply.148 What could make it difficult is that in a lot of cases there are more parties involved in the cloud chain, this makes it hard to ensure the security throughout the whole cloud chain.149 Also, a security issue cannot only affect the access to cloud customers’ data, but it can also have significant effect on the hardware and network. So, it is far more devastating.
2.3.2 Privacy and data protection challenges in Amazons Web Services
Now the previous paragraph has shown the general and most common privacy and data protection issues in cloud computing. This paragraph will continue with the analysis of how Amazon establishes sufficient privacy and data protection. First, the cross-border data issues of AWS will be discussed. The common security issues in AWS will also be addressed in this paragraph. Furthermore, this paragraph explains how Amazon helps its customers with their security responsibilities.
2.3.2.1 Cross-border data issues
This thesis concerns the particular situation of a European cloud customer that enters into a contract with Amazon for the use of AWS. The cloud customer transfers its data onto AWS. It is important to notice that in these situations it encompasses a ‘transborder’ cloud. The data is placed via the internet from a European based computer onto a computer based in the United States or another foreign data center. In commerce it is commonly known that the data of cloud customers need to be protected and used in a proper way.150 The location of data is a frequent issue that causes privacy and data protection risks. Cloud customers are generally not aware of
145 Ibid. 146 Ibid, p. 22. 147 S. Pearson and G. Yee, Privacy, Security and Trust in Cloud Computing (Springer-Verlag London, 1st edn, 2013), p. 22. 148 Ibid, p. 23. 149 Ibid. 150 Yunchuan Sun, Junsheng Zhang, Yongping Xiong, and Guangyu Zhu, ‘Data security and privacy in Cloud Computing’ (2014) 190903 IJDSN
23 the exact location of their own data.151 They also do not have control over the physical access mechanism to their data.152 It is possible that data of cloud customers temporary reside in a jurisdiction outside of both the customer and the cloud service provider, on a third party’s computer system.153 This might happen if cloud service providers lease processing and storage capacity to meet the requirements of their own service.154 First of all, AWS as a transborder cloud constitutes several problems for cloud customers and its data subjects to find redress. This is mainly very difficult if claims occur when a cloud provider has multiple data centers across the world. This is a huge issue with amazon’s cloud regarding the fact that it has 22 worldwide datacenters where the data is being processed. For compliance to data protection laws it is important to know where the data is located.155 Secondly, regulatory challenges can constitute a major issue for Amazon. It is essential for Amazon to take transborder data flow restrictions into account when they operate their service. “Cloud computing involves environments with data proliferation and global, dynamic data flows that create compliance challenges when meeting complex regulatory requirements and upholding privacy rights”.156 Amazon has established multiple data centers around the world in different jurisdictional regions which means that they are bound to every law of each of those regions. It actually seems that Amazon is completely aware of this, because they provide a complete overview of data privacy laws for every region on their website.157 Also, Amazon offers ‘regional zones’ to its customers and assures that their data remains located there.158 Amazon mentions this possibility on their website, but they do not include this in their Terms of Service.159 Besides this, for data protection reasons, cloud customers may want to ensure that their data remains within the European Union.160 Amazon has fifteen cloud data centers in
151 Rabi Prasad Padhy, Manas Ranjan Patra, Suresh Chandra Satapathy, ‘Cloud Computing: Security Issues and Research Challenges’ [2011] Vol. 1, no. 2, IRACST 136, p. 141. 152 Ibid. 153 S. Pearson and G. Yee, Privacy, Security and Trust in Cloud Computing (Springer-Verlag London, 1st edn, 2013), p. 8. 154 Ibid. 155 Rabi Prasad Padhy, Manas Ranjan Patra, Suresh Chandra Satapathy, ‘Cloud Computing: Security Issues and Research Challenges’ [2011] Vol. 1, no. 2, IRACST 136, p. 141. 156 San Murugesan and Irena Bojanova, Encyclopedia of Cloud Computing, (John Wiley & Sons, 2016), p. 261 157 Amazon Web Services, ‘Data Privacy’
24 Europe.161 However in most cases the fact that a provider has several regions in Europe does not ensure that the data remains in Europe. Nonetheless, Amazon does emphasize that cloud customers can be assured that their data will remain in their chosen AWS region unless they move it themselves.162
2.3.2.2 Common security issues in AWS
Data security is an important issue in establishing and securing privacy and data protection for cloud customers. Essential elements for ensuring privacy and data protection are the encryption of data and adopting appropriate policies for data sharing.163 Securing data is important to protect the integrity of data, because within cloud storage there is a risk of data corruption.164 Amazon claims in their security whitepapers of 2020 that “The AWS global infrastructure is designed and managed according to security best practices as well as a variety of security compliance standards”.165 They claim that “as an AWS customer, you can be assured that you’re building web architecture on top of some of the most secure computing infrastructure in the world”.166 A small side note here is that these documents do not have a legal status. They do not create any warranties, representations or contractual commitments from AWS or its customers.167 The most used service set is running server instances within Amazon’s Elastic Compute Cloud (EC2) and storing data with Amazon’s Elastic Block Store (EBS).168 This paragraph looks at how AWS deals with common security issues. First of all, Amazon offers a shared responsibility model.169 As said before Amazon provides infrastructure-as-a-service and therefore security in the cloud is the customers
161Amazon Web Services, ‘AWS Global Infrastructure’
25 responsibility which includes the security of their own data.170 However Amazon still has the responsibility over the security of the cloud environment.171 Therefore, Amazon must ensure that the infrastructure is secure. Nevertheless, AWS allows her customers to have great independence to operate their own systems.172 This could be problematic, because a single security issue can lead to the devastation of the complete infrastructure.173 It appears that AWS only offers technical support to users with a premium membership, this makes Amazon not very reliable if a security incident occurs.174 However, criticisms state that in almost every case, it is the cloud customer and not the cloud provider who fails to manage controls to protect data.175 Critics think that the challenge is not the security of the cloud but the policies and technologies for security and control of the cloud technology.176 Secondly, security of AWS network should be assessed properly. Cloud services, including AWS, are provided over the internet which exposes the application and data of the cloud customers to network threats.177. Network security entails the protection of public network (the internet), system and the data against attacks.178 It should encompass the use and the access to the network. Amazon states in its AWS security whitepaper that: “AWS has implemented a world-class network that is carefully monitored and managed”.179 One of Amazon’s network security measures is controlling the access to servers and applications.180 Usually access to cloud computing is provided via the internet which automatically means an increased exposure to risks.181 Luckily, Amazon provides secure access points. This contributes to the requirement of availability of data property because it secures a customer’s possibility to access and use its
170 Amazon Web Services, ‘ Using AWS in Context of Common Privacy and Data Protection Considerations’ (2018), p. 16
26 own data.182 These secure access points (called API) mean that AWS provides limited access points to assure proper monitoring of communication and they help with the access of secure HTTP.183 However, this security might not be enough since Amazon cloud customers may also be potentially exposed to attackers who may break into the network of Amazon, sub-contractors or co-hosted customers.184 Thirdly, virtual machine (VMs) security is another considerable security element for AWS. Virtualization is seen as the main component of the cloud.185 AWS is based on virtualization technology and has a multi-tenant environment.186 “Virtualization is the creation of a set of logical resources (whether it is a hardware platform, operating system, network resource or other resource) usually implemented by software components that act like physical resources”.187 Virtualization modifies the relationship between the operating system and the underlying hardware (storage, computing and networking).188 This leads to a layer of virtualization that must be properly secured.189 VMs are difficult to secure because they have a dynamic nature, which means that they can be easily copied and moved between physical servers.190 This could cause several privacy and data protection risks, since a malicious customer which uses the same physical computer could possibly also access another customers data.191 For this reason, it should be the main priority to secure VM operating systems in AWS. In IaaS security threats could affect “traditional physical servers, such as malware and viruses,
182 Maria Lillà and Mirta Antonella Cavallo, ‘Cybersecurity and Liability in a Big Data World’ [2018] Vol. 11, no. 2, Market and Competition Law Review 71, p. 80. 183 Saakshi Narula, Arushi Jain, Ms. Prachi, ‘Cloud computing security: Amazon Web Services’ [2015] IEEE 501, p. 504. 184 S. Pearson and G. Yee, Privacy, Security and Trust in Cloud Computing (Springer-Verlag London, 1st edn, 2013), p. 23. 185 Rabi Prasad Padhy, Manas Ranjan Patra, Suresh Chandra Satapathy, ‘Cloud Computing: Security Issues and Research Challenges’ [2011] Vol. 1, no. 2, IRACST 136, p. 140. 186 Multi-tenancy means that different users can use and run their own VMs on one physical server. W. Kuan Hon and Christopher Millard, ‘Cloud Technologies and Services’ in Christopher Millard (ed), Cloud Computing Law, (Chapter 1, 1st edn, Oxford University Press 2013), p. 6. AWS whitepaper, ‘Amazon Web Services: Risk and Compliance’ (2015)
27 using traditional or cloud-oriented security solutions”.192 It should be noted here that the security of VMs is the responsibility of the cloud customers.193 Customers retain control over what resources they use and where they reside.194 Amazon EC2 offers a customized version of Xen hypervisor.195 This hypervisor comprehends a service which makes it possible for multiple computer operating systems to concurrently perform on the same computer hardware.196 According to Amazon this hypervisor is well suited to maintain strong isolation between guests, because it is under control by independent auditors.197 “Amazon’s customized Xen hypervisor isolates instances within the network, a hardened host management plane provides administration, multi-factor cloud administrator authentication is available, management actions are logged and audited and a mandatory inbound network firewall protects hosted systems”.198 Fourthly, the infrastructure of AWS has to be adequately secured. The infrastructure of it covers hardware, operational software, security standards, network and other important facilities.199 The data centers of Amazon belong to this infrastructure. Thus, it is very important that the data centers are adequately secured. Luckily, Amazon’s data centers have a highly secured environment for physical access.200 The data centers are controlled with automatic fire detection and suppression equipment to reduce risk.201 Besides this, they provide a 24/7 uninterrupted power supply and climate control.202 Furthermore, Amazon makes sure that all the equipment is managed and that issues can be identified.203 Other important measures are taken for example video surveillance, CCTV cameras, intrusion detections system.204 Amazon provides reports to inform its customers, to make sure that they deliver all the information its
192 Al Morsy, M., Grundy, J. & Mueller, I. ‘An analysis of the cloud computing security problem’ [2010] APSEC, p. 6. 193 Ibid. 194 AWS whitepaper, ‘Amazon Web Services: Risk and Compliance’ (2015), p. 16
28 customers need about the protection of the data centers, because they cannot visit the data centers themselves.205 Lastly, Amazon suggests tools to its customers to secure unauthorized access to their data. For instance, unwanted access can happen within Amazon itself at the employee level. The example mentioned in the introduction is the recent largest data breach case of Amazon Web Services. In CapitalOne’s data breach a former Amazon employee is being accused of exposing the data.206 Also data could be exposed to foreign government surveillance.207 Amazon offers AWS Identity and Access Management (IAM) to manage access to the AWS services.208 The mechanisms give customers the opportunity to only allow authorized administrators, users and applications to gain access to AWS and their data.209 IAM policies provide a strong security framework to control data access to users and applications. IAM can be considered as the first layer of defense against unwanted access.210 Additionally, encryption is a second layer of defense which Amazon offers to secure a customer’s data.211 Encryption of data is a substantial part of data security. It is vital for the two data properties, confidentiality and integrity of the data. Encryption is a commonly used mechanism in the cloud to prevent unauthorized access. Article 32 of the GDPR requires organizations to implement appropriate technical and organizational measures to ensure an appropriate level of security, this includes encryption of personal data.212 Encryption can be used to parts of the data set, to the whole data set or database before customers store it in the cloud.213 Encryption is often mentioned as one of the best ways to protect a customer’s data. It can reduce the risks which are associated with storage of personal
205 AWS security whitepapers, ‘Amazon Web Services: Overview of security processes’ (2020), p. 2-3
29 data, because the data is not readable without the correct key.214 There is a difference in encryption of data at rest and encryption of data in transit. Encryption of data at rest helps to safeguard that sensitive data which are saved on disks and are not readable by any user or application without the correct key.215 A lot of cloud providers offer encryption of files in addition to storage and back up.216 This is a crucial point, since this could also lead to privacy and data protection problems if the providers have full responsibility for it. In order to encrypt the data, the provider desires to have full access to data.217 Amazon has multiple options for the encryption of data at rest, such as AWS encryption SDK, Amazon EBS, Amazon S3 and built- in Linux libraries.218 In Amazon S3 storage service, Amazon offers two options to encrypt data. The clients can choose between server-side encryption and client-side encryption. The client can request the service to encrypt their data before they save it on the disk and in the data center with server-side encryption.219 Client-side encryption gives the opportunity to clients to encrypt the data at their side which means that they can upload encrypted data to Amazon S3.220 In this case the client manages the encryption process, keys and tools.221 A critical question should be asked here: ‘Does it mean that Amazon has access to the encrypted data with server-side encryption?’ It seems logical that Amazon has to obtain full access to the data to encrypt it. However, it turns out that AWS does not retain access to key material plus it does provide the option to bring your own key (BYOK).222 Furthermore, Amazon recommends the encryption of data in transit.223 When an AWS account is created, customers can launch AWS resources in a virtual network which they can define on Amazon Virtual Private Cloud (hereafter VPC).224
214 Amazon Web Services , ‘Navigating GDPR Compliance on AWS’ (2019), p. 19
30 Amazon mentions that the cloud customer has complete control over the virtual networking environment and they can select their own IP address.225 The VPC can be used as connection of the customers corporate data center and their Amazon VPC.226 For the communication between those two they can choose several VPN connectivity options and they can use these to provide secure access to their AWS resources.227 Although the above analysis shows that Amazon has made real effort to improve and safeguard the security of a cloud customers data, there are still some critics on AWS security approach. Some criticism on AWS is that it did not recently invest in new security tools to push AWS security to a higher level, but instead it did only invest in new security tools in 2019 to fix existing issues.228 Also the Capitol One data breach has led to criticism who wondered why AWS had not addressed the SSRF (server-side request forgery) vulnerability that lead to the breach.229 There was a lack of security around metadata services and this concerns AWS experts.230 Luckily AWS recently addressed this issue.231 Critics state that this is an important step because it shows that AWS is willing to acknowledge that there was a problem in its service.232 Some state that the biggest advantage of AWS is that it has a lot of knowledge and tooling to deal with security issues.233 It is very easy to find help, answers and supported tools at AWS.234 Also, Amazon does a good job of defaulting to secure configurations.235 Rich Mogull, an expert on cloud computing, says AWS is usually the best place to start with cloud computing, because customers run into the fewest security issues.236
225 Ibid. 226 Amazon Web Services, ‘Navigating GDPR Compliance on AWS’ (2019), p. 20
31 2.3.2.3 Amazon helps its customers with security responsibilities
As is apparent from the previous part, a lot of security responsibilities are laid down at the side of the cloud customers. This paragraph explains how Amazon helps its customers with their security responsibilities. Amazon provides several standards and guidelines to help its customers with their responsibilities regarding the security their cloud. Amazon comments in its security whitepaper of 2020: “By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, AWS Compliance enablers build on traditional programs; helping customers to establish and operate in an AWS security control environment”.237 They add to this that “AWS provides a wide range of information regarding its IT control environment to customers through whitepapers, reports, certifications, accreditations, and other third-party attestations”.238 Related to the encryption of the customers content, Amazon offers scalable data encryption services tools and mechanisms to protect the data that is stored and processed on AWS.239 Actually, cloud providers give the responsibility of privacy, data protection and security control to their customers to protect this.240 Nonetheless, cloud providers always have the need to enable their customers to follow their set of security standards to achieve optimum transparency.241 This can be a critical point, because in fact the responsibility of privacy, data protection and security is still controlled by the cloud provider. This can give rise to privacy and data protection issues, because the cloud providers may have insight in the way the cloud customer protects and secures his or her data. The measures Amazon takes to secure its offered service, allows them to access data of their customers with no restriction.242 Take for example Amazon S3 which supports access-control policy, but the enforcement of this access is delegated to Amazon.243 So, in that case it seems that Amazon always has access. If the data is sensitive then it might be inconvenient to give the provider access to the data, and it could possibly compromise the protection which is achieved by encryption.244
237 AWS security whitepapers, ‘Amazon Web Services: Overview of security processes’ (2020), p. 3
32 2.4 End remarks
Cloud computing is a hyperscale and automated computer business which is driven by a cloud provider who is better at automation and security. The cloud is a storage mechanism which means that customers do not have to store data on their own computer but instead they can store it on other servers which are owned and hosted by a big company. Therefore, the data of cloud customers is in the ‘fictional hands’ of the cloud service providers. The reason that a cloud provider can offer this service cheaper to its customers is that they buy the network and service in bulk. This chapter highlighted a few concerns about AWS. Firstly, security risks and the significant risk that the data may be exposed to unauthorized usage to gain profit may require strict legally binding provisions in a cloud agreement. So, this is an important part in the protection of data. The question how Amazon deals with this in its AWS agreement will be answered in chapter four. Secondly, cloud customers are in control of the applications, database and security mechanisms in the IaaS model. However, certain questions arise such as: ‘Does this control also lead to responsibility of the cloud user in cases of data breaches?’ How Amazon deals with this responsibility will also be reviewed in chapter four. Thirdly, the fact that Amazon still has a lot of control over how cloud users manage their clouds is critical. An important issue is that privileged users such as system administrators need to have access to file metadata and they need to have the capability to perform back-ups and other system management functions.245 On the other hand, they should not be able to access sensitive information.246 Hence, these two conflicting interests should be kept in mind. Furthermore, the security of AWS may not be sufficient because of several loopholes like unwanted access that can happen within cloud computing. Notable is the fact that several other countries may arrange that law enforcement can review the data stored in the cloud. Amazon obviously has to deal with this and is obliged to comply with such regulations. Especially, the growing surveillance of the government in the United States is a big concern due to the Stored Communications Act and the CLOUD Act. This problem will be explained and discussed in the next chapter.
245 CJ Radford, ‘Challenges and solutions protecting data within Amazon Web Services’ [2014] Vol. 14, issue 6, ISSN 1353-4858 5, p. 6. 246 Ibid.
33 Chapter three: Cloud regulation
The previous chapter discussed what cloud computing is and what the AWS structure is. Furthermore, chapter two also discussed why cloud computing challenges privacy and data protection. This chapter focuses on the question if Amazon complies with cross-border data transfer regulation in the European Union and the United States. The data transfer regulation of the European Union and the United States will be discussed in a separate paragraph. This chapter first starts off with some general information on data protection regulation in the United States and the European Union.
3.1 Data protection regulation in the United States and the European Union
It is not easy to manage data transfer, because every country has different data protection rules to govern personal data handling.247 A fundamental pillar for securing and protecting data is compliance with industry- and government regulations.248 The regulation for consumer privacy, security and data protection is a big concern and challenges the enforcement of data protection.249 This is due to the fact that these laws were made with national borders in mind.250 The fastest growing component of trade of the European Union and the Unites States are cross- border information flows.251 Therefore cross-border data transfer requires strict regulation. European privacy and data protection laws are much stricter than laws in the United States.252 European Union laws give priority to data protection and ensure the protection of data before it permits transfer to third countries.253 On the contrary the laws in the United States do not have a similar all-embracing data protection framework.254 These different legal approaches result in the ‘transatlantic data war’ between the United States and the European
247 Pardis Moslemzadeh Tehrani, Johan Shamsuddin Nin Hj Sabaruddin, Dhiviya A.P. Ramanathan, ‘Cross border data transfer: Complexity of adequate protection and its exceptions’ [2018] 34 CLSR 582, p. 583. 248 CJ Radford, ‘Challenges and solutions protecting data within Amazon Web Services’ [2014] Vol. 14, issue 6, ISSN 1353-4858 5, p. 5. 249 Nancy J. King and V.T. Raja, ‘Protecting privacy and security of sensitive consumer data in the cloud’ [2012] 28 CLSR 308, p. 308. 250 Ibid. 251 Paul M. Schwarz and Karl-Nikolaus Peifer, ‘Transatlantic Data Privacy Law’ [2017] 106 Geo. L.J. 115, p. 117. 252 San Murugesan and Irena Bojanova, Encyclopedia of Cloud Computing (John Wiley & Sons, 2016), p. 250. 253 Pardis Moslemzadeh Tehrani, Johan Shamsuddin Nin Hj Sabaruddin, Dhiviya A.P. Ramanathan, ‘Cross border data transfer: Complexity of adequate protection and its exceptions’ [2018] 34 CLSR 582, p. 587. 254 Ibid.
34 Union around transfers of personal data.255 The European Union acknowledges data protection as a fundamental right of their citizens, while the United States protects U.S. citizens as privacy consumers.256 The difference is that the European Union has created a privacy culture of ‘rights talk’ for data subjects.257 The United States on the other hand focus on ‘marketplace discourse’ of personal information in which an individual person is the trader of his or her own personal data.258 As said before, an important distinction between the regulation on privacy and data protection is the difference in how both of them define personal information or data.259 United States statutes use ‘personally-identifiable information’ (hereafter PII) to define personal data.260 On the other hand, in the European Union the term ‘personal data’ is used and this means any information relating to an identified or identifiable natural person (i.e. data subject).261 The determination of personal data is essential because PII can lead to the application of United States sectoral privacy statutes and state breach notification laws.262 However, when it falls under personal data and the material and territorial requirements of the GDPR are met than this law will also apply.263 The term ‘personal data’ is broader than ‘PII’ because it refers to the information that can relate to an identifiable person while PII only refers to information that helps to distinguish individuals from one another.264 In relation to privacy and data protection laws it is important to identify first who the processor and controller are in a cloud ‘construction’. This is especially important because the GDPR happens to designate a company as a controller or processor. Notably, it is the controller who has the primary responsibility for complying with the legal obligations under the GDPR and the controller who faces primarily the liability for all data protection law breaches.265 The cloud provider will usually be the processor and the customer will be the controller in most
255 Paul M. Schwarz and Karl-Nikolaus Peifer, ‘Transatlantic Data Privacy Law’ [2017] 106 Geo. L.J. 115, p. 117. 256 Ibid, p. 121. 257 Ibid, p. 119. 258 Ibid, p. 119-121. 259 W. Gregory Voss and Kimberly A. Houser, ‘Personal Data and the GDPR: Providing a Competitive Advantage for U.S. Companies’ [2019] Vol. 56 Issue 2, American Business Law Journal, p. 4. 260 Ibid. 261 Ibid. Regulation (EC) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016) OJ L119/1, art 4 (1). 262 W. Gregory Voss and Kimberly A. Houser, ‘Personal Data and the GDPR: Providing a Competitive Advantage for U.S. Companies’ [2019] Vol. 56, Issue 2, American Business Law Journal, p. 4. 263 Ibid. 264 Malia Thuret-Benoit, ‘What is the difference between personally identifiable information (PII) and personal data?’ (TechGDPR 2019)
35 cases.266 Actually, this is concludable due to the fact that the cloud provider is restricted in his duties by the commercial contract. Furthermore, only the cloud customer is empowered by the data subject (i.e. individual persons) to process the data and the cloud provider only receives the information to be processed in the interest of the cloud customer.267 A IaaS provider usually does not know who the cloud customers are or what services are being offered to them, while the design and infrastructure of the cloud are not transparent to the data controllers.268 Still data controllers are mainly responsible for the purposes for which the data is used.269 In this thesis Amazon (i.e. the cloud provider) is assumed to be the data processor in the relationship of cloud provider with its cloud customers and their data subjects. The European cloud customers are the controllers, they are the cloud users. A short side note here is that it is arguable that a cloud provider can shade into the role of a controller in cases where there are cloud customers and data subjects. This mainly happens in a SaaS where the provider usually offers software services to process data and where it has the ability to conduct and exercise control over the processed data and establishes how that data is processed.270 Also, Amazon is in fact a controller in the relationship cloud provider and cloud customer since it obtains personal information for the performance of the contract between them.271 Amazon can also fulfill the role of joint controller in situations where it processes personal data jointly with its cloud customers.272 In the case that amazon is a joint controller, the contract between the cloud customer and Amazon should determine the responsibilities following from the GDPR.273 This includes determining the responsibility between the joint controllers for complying with the obligations under article 33 and 34 GDPR.274
266 Mantelero, A, ‘Cloud computing, trans-border data flows and the European Directive 95/46/EC: applicable law and task distribution’ [2012] Vol. 3, issue 2, EJLT, p. 3. 267 Ibid. 268 San Murugesan and Irena Bojanova, Encyclopedia of Cloud Computing (John Wiley & Sons, 2016), p. 256. 269 Ibid. 270 Miroslav Chlipala and Stefan Pilar, ‘Cloud service provider – processor, controller or both?’ (INPLP 2017)
36 3.2 Data protection regulation on data transfers in the European Union
In the European Union, data transfer is governed by the General Data Protection Regulation (GDPR).275 This regulation puts more focus on governing the protection of data in cross-border situations. The transfer of ‘personal data’ from European countries outside the EEA (European Economic Area) is prohibited by the GDPR.276 According to Article 45 of the GDPR, this is not prohibited if an adequate level of privacy and data protection controls are assured.277 Consistent with Article 46 of the GDPR the transfer of data can also be assured if the controller or processor provides appropriate safeguards. The controller or processor has to provide enforceable rights to their data subjects and it must make effective legal remedies available to the data subjects.278 Following from Article 46 GDPR there are five ways to assure appropriate safeguards, namely binding corporate rules, standard data protection clauses, codes of conduct, certification mechanism or a legally binding enforceable instrument between public authorities or bodies.279 Article 47 GDPR establishes contractual clauses as another way to assure appropriate safeguards.280 Owing to the extra-territorial scope of the GDPR, Amazon has to comply with specific requirements of the GDPR. For the reasons that the GDPR also applies to companies outside the European Union which process personal data of European data subjects when they offer goods or services to them.281 As in AWS the European cloud customer (i.e. controller) puts content which contains personal data of European data subjects on AWS. Amazon is the processor in this situation and therefore the GDPR is also applicable to Amazon. Amazon must demonstrate that they secure the data they process, and they must implement regularly reviewing technical and organizational measures.282 If they do not comply with this then European Supervisory Authorities can issue fines up to 20 million EUR or 4% of the annual
275 Regulation (EC) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016) OJ L119/1. 276 Guidance Software, ‘Cross-border data privacy in focus’, p. 3
37 worldwide turnover.283 Fortunately, Amazon expressed that all AWS services can be used in compliance with the GDPR.284 Amazon has added the AWS GDPR-compliant Data Processing Addendum (hereafter AWS DPA) to their online service terms.285 This AWS DPA incorporates the commitments of AWS in the role of data processor.286 All AWS cloud customers can now rely on the terms of the AWS GDPR DPA which applies when they use AWS services to process personal data under the GDPR.287 The AWS DPA contains European Model Clauses, approved by Article 29 Working Party. This means that AWS customers can transfer personal data from the EEA to other countries with the knowledge that their personal data on AWS will have the same high level protection as in the EEA.288 Also, Amazon did its very best to notify its customers that it complies with the specific regulation in advance. The GDPR allows both cloud providers as processors to demonstrate their compliance with many of its requirements by adopting approved ‘Codes of Conduct’ and by participating in certification or seal programs which are approved by Supervisory Authorities.289 Amazon states that it complies with all the needed standards like ISO 27001 for technical measures, ISO 27017 for cloud security and ISO 27018 for cloud privacy.290 Furthermore, Amazon states that it adheres to the CISPE code of conduct, which provides additional assurance to customers regarding their ability to fully control their data in a safe and secure environment when they use service providers.291 Therefore it is concludable that on paper Amazon complies with the obligation under the GDPR to make all information available which is necessary to demonstrate compliance with the obligations of Article 28 GDPR available. However, this is hard to check in practice. In this regard, the obligations of Amazon under the GDPR if it uses a sub-processor should not be forgotten. Article 28 (2) of the GDPR says that a processor cannot engage another
283 Ibid. 284 Chad Woolf, ‘All AWS Services GDPR ready’ (AWS Security Blog 2018)
38 processor without the prior specific or general written authorization of the controller. Amazon provides a list of sub-processors and the cloud customers will be informed if something changes on that list.292 Amazon expressed that they proactively inform their customers of any sub- contractors who have access to customer-owned content.293 Sub-contractors are not authorized by AWS to have access to customer content which they uploaded onto AWS.294
3.2.1 The EU-US Privacy Shield
The previous part has described when a cross-border data transfer is allowed under the GDPR. Data transfer from a European company into Amazon’s cloud may also be lawful under the Privacy Shield program in case the prescribed conditions are met. The European Commission declared with the Privacy Shield that the United States ensures an adequate level of data protection for personal data that is being transferred from the European Union to the United States.295 The Privacy Shield protects the rights of data subjects in the European Union whose data is being transferred to the United States and it brings legal clarity to businesses that are involved in a transatlantic data transfer.296 The Privacy Shield has the same construction as its older version the Safe Harbor agreement. Both agreements are based on principles derived from European data protection law.297 Companies can voluntary self-certify to the agreement and compliance is controlled by the Federal Trade Commission and the Department of Commerce.298 The Privacy Shield now includes commitments of U.S. national security officials and other U.S. government officials on the protection of data of European citizens.299 The Privacy Shield is based on a few core principles. These principles are more detailed than in the Safe Harbor agreement.300 The first one is the strong obligation for companies who handle data. This means that the U.S Department of Commerce ensures compliance by conducting
292 Amazon Web Services, ‘Compliance FAQ’
39 regular updates and reviews on the Privacy Shield participants.301 The US Department of Commerce is responsible for guaranteeing that companies in the United States meet the data protection requirements.302 The second principle constitutes the protection of individuals’ rights by guaranteeing several accessible and affordable dispute resolutions to European citizens.303 Thirdly, it constitutes clear safeguards and transparency requirements on U.S. government access, which means that they are subject to limitations, safeguards and oversight mechanisms.304 Also, indiscriminate mass surveillance of personal data which are transferred from the European Union to the United States are ruled out.305 The last core principle is the annual joint review mechanism by the European Commission and the U.S. Department of Commerce.306 Amazon is an active participant of the EU-US Privacy Shield.307 In Amazon’s case the EU-US Privacy Shield gives cloud customers additional compliance mechanisms, besides the AWS DPA, to rely on in case of transfers of personal data from the European Union to the United States.308 The EU-US Privacy Shield gives, just like the AWS DPA, the assurance that AWS gives a customer’s content the same high level security, privacy control and data protection as in the European Union.309 The past few years a number of cases have been brought before the European Court of Justice (EUCJ) against the Privacy Shield program. La Quadrature du Net, a French advocacy group, filed a complaint at the General Court of the European Union against the European Commission on the Privacy Shield and argues that the mechanisms of the Privacy Shield breaches fundamental European rights and does not provide an adequate level of protection for European citizens’ data.310 The Commission received support in the process by several countries and companies, including Amazon.311 This case was
301 Guidance Software, ‘Cross-border data privacy in focus’, p. 7
40 supposed to be held on July 1 and 2 in 2019 however it is postponed until after the hearing of the Schrems II case which is supposed to be held on July 16 in 2020.312 The validity of standard contractual clauses (hereafter SCCs) and the EU-US Privacy Shield will be assessed in this court case. The Schrems II case can therefore have tremendous impact on the outcome of La Quadrature du Net v. Commission if they consider the EU-US Privacy Shield as invalid. Though, European companies and Amazon can anticipate on this by forehand. Amazon does not only rely on the Privacy Shield for their data transfers. As mentioned before, Amazon provides an AWS DPA. Nevertheless, this is a SCC, so for companies in an EU-US relationship it is smart to start thinking about binding corporate rules (BCRs) or acquiring authorized certifications. Not surprisingly, there are certain criticisms on the EU-US Privacy Shield. The question arises if the Privacy Shield program sufficiently protects European citizens’ data in a transborder context. First of all, after the introduction of the EU-US Privacy Shield European citizens became increasingly dependent on an American institution, the FTC, to protect their data.313 Besides this, there is a great doubt if the Privacy Shield offers effective remedies to European data subjects. However, the Privacy Shield also has several advantages. In contrast to the Safe Harbor agreement, the Privacy Shield does not only concentrate on commercial transfers of personal data but also on the access by public authorities for national security, law enforcement and intelligence.314 So, it can provide more effective protection against access by law enforcement and intelligence agencies by the annual joint review of the Privacy Shield by the European Commission, Data Protection Authorities and U.S. government agencies.315 Also the establishment of a Privacy Shield ombudsman that deals with questions relating to oversight of national security authorities can help to protect a data subject’s data.316
312 Jennifer Baker, ‘EU High Court hearings to determine future of Privacy Shield, SCCs’ (IAPP 2019)
41 3.3 Data protection regulation in the United States
The data protection regulation in the United States is not quite similar to the GDPR. In the United States not one single legislation exists that overarches all the data protection rules.317 As already has been made clear, the United States focus on the protection of privacy of their citizens as being consumers. This is reflected in the fact that the Federal Trade Commission Act grants enforcement powers to the U.S. Federal Trade Commission (FTC) to protect the privacy and data of U.S. consumers against unfair or deceptive practices.318 Other federal statutes only regulate the collection and use of personal data of specific sensitive sectors like, healthcare and the financial sector.319 These laws may require businesses to meet minimum security standards.320 There is no federal law that defines general categories of personal data and defines what ‘sensitive’ data is.321 In the United States it is very difficult to determine what legislation applies, because it largely differs from federal-level to state-level. State-level statutes in the United States all protect a different and wide range of privacy rights.322 Individual states may impose restrictions and obligations in laws on businesses relating to the collection, use, disclosure, security or retention of special categories of information.323 They can restrict on categories such as medical records, social security numbers, driver’s license information, email addresses, financial records, insurance information and phone records.324 There are, in contrast to the GDPR, no restrictions on geographic transfers in the laws of the Unites States.325 California has established the most advanced privacy regulation of the United States, namely the California Consumer Privacy Act (hereafter CCPA). The CCPA is the first law in the United States that gives strong privacy rights to consumers.326 The fact that the United States has less data protection law is also due to the fact that they have a common law system which means that the system relies
317 Steven Chabinsky, F. Paul Pittman, ‘USA: Data Protection 2019’ (ICLG 2019)
42 more on case law than on written law.327 Courts follow decisions of higher level courts within the same jurisdiction.328 Consequently, courts have an important role in defining and reshaping the framework of privacy rights and remedies for damages.329
3.3.1 The CLOUD Act
The Lawful Overseas Use of Data Act (hereafter the CLOUD Act) of the United States is most controversial in the cloud environment. This Act was passed in 2018 by the U.S. Congress.330 The Act amends the Stored Communications Act (SCA).331 The Stored Communications Act applies to data which is transmitted or held by a third party service provider.332 Law enforcement agencies found it necessary to access data stored in other countries, because data breaches and criminal activities became more cross-border in nature.333 The Stored Communications Act operates as a “blocking statute”.334 It prohibits U.S.-based service providers from disclosing communications content to a foreign government and the U.S. government if a statutory exception applies, unless there is a CLOUD agreement in place.335 The CLOUD Act makes it possible for United States law enforcement agencies to request the disclosure of data from European citizens from a cloud provider with a warrant.336 Though, the CLOUD Act does not merely address American warrants for overseas data.337 The Act also reorganizes the process by which foreign law enforcement agencies can access data stored in the United States.338 The Act allows American service providers to disclose information to
327 Toni M. Fine, ‘Excerpt reproduced from American Legal Systems’ (LexisNexis)
43 foreign governments who have an ‘executive agreement’ with the United States.339 The Act applies to all electronic communication services or remote computing service providers that are subject to U.S. jurisdiction and it does not matter whether they are established in the United States or in another country.340 This includes email providers, telecom companies, social media sites and cloud providers.341 Thus, Amazon is subject to this regulation regardless if the data is stored on their foreign service providers or on the service providers established in the United States. The Act makes it possible that a warrant issued by the United States, which is served on an United States company, can order disclosure of data no matter where the data is held.342 The CLOUD Act only applies to criminal investigations and it cannot be used for U.S. civil, commercial or administrative litigation.343 A lot of cloud providers store data worldwide for their cloud customers and these big digital service providers are mostly located in the United States. Therefore, it is difficult for foreign law enforcement officials to investigate and prosecute crimes using digital evidence.344 To enable both the inbound and outbound data access, nations have developed the Mutual Legal Assistance Treaties (MLAT) framework.345 This framework is established to make it easier for law enforcement to gain access to criminal evidence.346 The CLOUD Act is an alternative to the MLAT. The CLOUD Act provides the option of a process by which companies can challenge outbound demands, but the grounds for this are very narrow.347 Inbound demands from foreign governments to gain access to data stored in the United States can be handled in a different way. The CLOUD Act allows companies to comply with demands requested by pre- approved foreign governments without going to the Department of Justice.348 There is a preapproval process for this, the ‘executive agreement’, for which the Act established detailed
339 Miranda Rutherford, ‘The Cloud Act: Creating Executive Branch Monopoly Over Cross-Border Access’ [2019] Vol. 34, no. 4, BTLJ, p. 3. 340 Michael Punke, AWS and the CLOUD Act’ ( AWS Security blog 2019)
44 standards.349 These direct requests provide an alternative to the MLAT process which is very time-consuming.350 In order to establish an executive agreement with the United States, the country has to meet certain liberties and has to meet certain procedural standards under which the first one is ‘privacy and civil liberties protection’.351 So here could be said that the privacy and data protection is established in this part. The executive agreements can only be concluded with qualified foreign governments which ensure strong data protection.352 Also the European Union, that has an executive agreement with the United states, is still subject to the requirements of the GDPR and the terms of the agreement cannot overrule these requirements.353 A CLOUD Act executive agreement would qualify as an international agreement under Article 48 of the GDPR, which provides a lawful basis for transfers.354 How is this related to the requests from U.S. law enforcement and foreign law enforcement agencies requesting the disclosure of data from Amazon? It is important to note here that the possibility of the U.S. Department of Justice to access evidence about persons from non-US country would depend on the terms in the executive agreement with the qualified foreign government.355 Especially, the United States must have personal jurisdiction over a service provider in order to compel production of data within that service provider’s possession, custody or control.356 Additionally, forced disclosure orders are subject to specified substantive and procedural requirements.357 These requirements vary based on the kind of information that is being requested and the CLOUD ACT does not change any of these requirements.358
3.3.2 Disclosure of data to law enforcement by Amazon
After discussing what the CLOUD Act regulates, the following question should be further examined. How is the CLOUD Act related to the circumstance that law enforcement in the
349 Miranda Rutherford, ‘The Cloud Act: Creating Executive Branch Monopoly Over Cross-Border Access’ [2019] Vol. 34, no. 4, BTLJ, p. 22. 350 Peter Swire and Jennifer Daskal, ‘Frequently Asked Questions about the U.S. Cloud Act’ (2019) CBDF, p. 3
45 United States requests Amazon to disclose data from European citizens which are stored on AWS? First of all, important is that the CLOUD Act does not give the U.S. law enforcement agencies free access to stored data in the cloud.359 Service providers as Amazon can only be compelled to give access to data to law enforcement agencies if these agencies meet the legal standards for a warrant issued by a U.S. court.360 Furthermore, it does not introduce something new, because governments all over the world already had the ability to obtain evidence of crimes which were located outside their jurisdiction.361 Amazon’s procedure is that each request of a law enforcement agency is reviewed by legal professionals.362 Amazon expressed that: “As part of that review, we assess whether the request would violate the laws of the United States or of the foreign country in which the data is located, or would violate the customer’s rights under the relevant law”.363 Thus, Amazon assesses whether a request of U.S. law enforcement violates the GDPR. This means that they try to protect their customers as much as possible. Also, the CLOUD Act provides the possibility to challenge requests that conflict with other country’s laws or interests to cloud providers.364 Therefore the conclusion can be drawn that the Act can possibly protect data and privacy. Amazon is very transparent in the information they provide to its customers, indicating how many requests based on the CLOUD Act they receive from law enforcement agencies.365 Between July 2019 and December 2019 Amazon received 192 subpoenas. They fully responded and provided the information in 56 cases and partially responded to 88 cases.366 Amazon only received nineteen search warrants during that time and responded fully to only one of these requests and partially responded to four requests.367 Non-US requests happened eighteen times and Amazon only responded fully to one request.368 Amazon expressed at an online blog which is published on its website that in the event it cannot resolve a dispute, they will not hesitate to go to court.369 Speaking of court
359 Michael Punke, AWS and the CLOUD Act’ ( AWS Security blog 2019)
46 cases, Amazon has a history of challenging government requests for customer information when it believes those requests are overbroad or otherwise inappropriate.370 They say: “We will continue to resist requests, including those that conflict with local law such as GDPR in the European Union, to do everything we can to protect customer data”.371 To put it in another way, Amazon’s cloud customers may fully trust Amazon on their good intentions and they may trust that Amazon will do its very best to protect the data of their customers. Moreover to support this statement, Amazon notifies their customers before disclosing content and it provides advanced encryption plus key management services to customers to protect their content.372 The previous facts give the impression that Amazon takes the effects of the CLOUD Act very seriously and tries to compensate the intrusive impact of this Act by providing enough information to its customers. Amazon protects its customers’ privacy and data protection rights as much as possible. The question that remains is how Amazon complies with both the GDPR and the CLOUD Act since these two may conflict. Article 48 GDPR is important when data of European citizens is being requested by a U.S. law enforcement agency.373 There is a concern that United States authorities can undermine the GDPR requirements of Article 48 GDPR by using the CLOUD Act to force organizations in the United States (which provide electronic communication services or remote computing services) to permit access to certain types of data stored outside the United States.374 These organizations must comply with a search warrant for their data even if the data is stored in a foreign jurisdiction.375 This could lead to implications for organizations which are located in the United States, such as Amazon, with data storage in the European Union.376 Amazon has several data centers in the European Union. So, the question arises if Amazon has to disclose data even if it may contain data corresponding to European data subjects? This is only the case if Amazon has ‘possession, custody or control’ over the data being sought, then that data would be subject to production under the CLOUD Act.377 This definition is actually still very vague, and the decision is left to the courts in the United States. However, here are some key notes to make. Stakeholders should be careful not
370 Michael Punke, AWS and the CLOUD Act’ ( AWS Security blog 2019)
47 to confuse ‘data controllers’ with the term ‘control’ in the CLOUD Act.378 Considering an entity as a ‘data processor’ does not mean it does not have possession, custody or control of the non- US company’s data.379 Courts should look at the relevant facts when they determine whether a company has a legal day-to-day control over the data.380
3.4 End remarks
The business relationships of United States and European companies with one another regarding cloud computing is complex also due to the fact that both continents have different privacy and data protection laws. European data protection laws are much stricter than in the United States. The GDPR restricts transfers to third countries while law of the United States on the contrary do not. In the United States there is no single federal law on privacy and data protection, thus it is surrendered to state laws. In the past few years several states have established advanced privacy laws for their states, take for example the CCPA by the state of California. Although the United States does not regulate anything on cross-border transfer, Amazon as an U.S. company still has to comply with the GDPR principles when they have an agreement with a European cloud customer. The EU-US Privacy Shield regulates the transfer of data between European Union and United States. The Privacy Shield is still valid, because it declared an adequate level of data protection for personal data when transferred from the European Union to the United States. Nonetheless, the validity of the Privacy Shield still remains a controversial topic and the future must show if this framework will continue to exist. The CLOUD Act is for a lot of cloud companies an eyesore, but Amazon has shown that it is not confronted with it very often. However, Amazon’s cloud customers and their data subject should not be worried about the impacts the CLOUD Act has on their stored data at AWS. As was mentioned before in this chapter, Amazon is considered to be the processor in this thesis and therefore it should comply with the obligations mentioned in the GDPR related to a data processor. It seems that Amazon complies with the relevant cross-border data transfer regulation. Also, as seen in the previous chapter, Amazon does a lot to notify its customers about the legislation they comply to, specifically the GDPR, and which efforts they take to comply with it. This will also become clear in next chapter. Nonetheless after the findings in this chapter, there is still an important question left. How do AWS contracts deal with privacy
378 Peter Swire, Justin Hemmings and Sreenidhi Srinivasan, ‘Defining the Scope of ‘Possession, Custody, or Control’ for Privacy Issues and the Cloud Act’ [2019] 10J. Nat’L Security L. & Pol’Y, p. 42. 379 Ibid. 380 Ibid.
48 and data protection and what legal remedies does Amazon offer to its customers in situations that something goes wrong and the privacy and data protection are invaded due to a data breach? This question will be further discussed and answered in chapter four.
49 Chapter four: Amazon Web Services contract and legal remedies
The previous chapter discussed what regulation applies to cross-border data transfers between the European Union and the United States. Now this has been explained, the next chapter can start looking at what happens if a data breach occurs in AWS. This chapter starts off with the explanation of how the privacy and data protection is guaranteed in an AWS contract. It then goes deeper into the analyses of Amazon’s response, law compliance and implementation.
4.1 Data protection clauses in an AWS contract
A cloud contract normally contains a few components like Terms of Service (hereafter ToS), Service Level Agreement (hereafter SLA), Acceptable Use Policy (hereafter AUP) and a Privacy Policy.381 The terms of service generally contains the details of the relationship between the customer and the cloud service provider, it also contains the commercial terms and legal clauses.382 A SLA is a commonly used concept in cloud computing. The agreement is applicable between a customer and a service provider. It defines the level of performance that is accepted for the service, how that performance will be measured and the enforcement mechanisms that will be used to achieve the ensured levels.383 The Acceptable Use Policy describes the approach to the use of the customers information and the protection of it by the provider.384 The situation in which European data subjects stand when the service provider is a third- party is quite difficult. European companies as cloud customers directly collect data from European data subjects and they are bound by the promises they make to individuals in their privacy policies.385 The cloud service providers are usually not part of these arrangements between the European companies and the European data subjects.386 It is not clear what obligations the cloud service provider has to the European data subjects with whom they have
381 Simon Bradshaw, Christopher Millard and Ian Walden, ‘Standard Contracts for Cloud Services’ in Christopher Millard (ed), Cloud Computing Law, (Chapter 3, 1st edn, Oxford University Press 2013), p. 44. 382 Ibid. 383 Suzanne Kent, ‘Federal Cloud Computing Strategy’ (2019), p. 11
50 no contractual relationship.387 The European data subjects may be placed in a position in which their data is not enough protected. The data subject depend on the data controller (i.e. cloud customer) to ensure that the cloud provider implements adequate privacy and data protection safeguards, measures and controls.388 Cloud providers can by design of their services give the cloud customers increased control over their data (and thus of the data of European data subjects).389 This paragraph goes deeper into the question what the data protection clauses in an Amazon cloud computing contract encompass. Amazon published a privacy notice on its website, which describes how they collect and use personal information of its customers. This notice is not applicable to how they control content of the cloud customer so for this part the customer is referred to the AWS agreement.390 For the main question in this thesis it is important to look at the AWS Privacy Policy regarding the content of the European cloud customer which contains personal information of European data subjects. Amazon defines customer data in two categories: ‘customer content’ and ‘account information’.391 They define customer content as “software (including machine images), data, text, audio, video, or images that a customer or any end users transfers to us for processing, storage, or hosting by AWS services in connection with that customer’s account, and any computational results that a customer or any end user derives from the foregoing through their use of AWS services”.392 Customer content is not the same as account information, which is defined “as information about a customer that a customer provides to us in connection with the creation or administration of a customer account”.393 The next part will explain what AWS clauses prescribe for data handling and what should be considered as important safeguards in a cloud contract. First of all, Amazon mentions on its website that the cloud customer preserves the ownership of the content and only the customer can select which AWS service can process, store and host their content.394 Amazon does not use or access the content of its customers
387 Daniel Solove and Woodrow Hartzog, ‘The FTC and Privacy and Security Duties for the Cloud’ (2014) 13 BNA Privacy & Security Law Report 577, p. 1
51 without their consent.395 Furthermore, the cloud customer can decide in which region the content will be stored.396 The secured state of the content is also dependent on the decision of the customer.397 The customer manages the access to the services, because they can control the users, groups, permissions and credentials.398 They customer controls the format, security and structure of their content.399 Important to note here is that Amazon offers choices to its customers to implement strong encryption options for the content in transit or at rest and the customers can manage their own encryption keys of their choice.400 Amazon thus does not have a hand in everything and this all allows the customer to have control over the entire life-cycle of their own content.401 They can manage their content for example by the control over content classification, access control, retention and deletion.402 With respect to the personal data of individuals Amazon states in its privacy and data considerations that: “AWS does not collect personal data from individuals whose personal data is included in content a customer stores or processes using AWS, and AWS has no contact with those individuals”.403 Furthermore, regarding the ownership of the content it is important to consider the intellectual property rights of the AWS customers and how it is arranged within the AWS Customer Agreement. Both AWS provider and customer have a responsibility to defend themselves and their contract partner against any third-party who claims an alleging of the customer’s content infringes or misappropriates that third-party’s intellectual property right.404 Secondly, an important subject that must be secured is data integrity. Amazon gives full responsibility for preserving the confidentiality and integrity of data and content to the customer.405 Clause 11 of the AWS Customer Agreement states that Amazon will not be liable for damages, reimbursements or compensation in relation to “any unauthorized access to,
395 Amazon Web Services, ‘Data Privacy FAQ’
52 alteration of, or the deletion, destruction, damage, loss or failure to store any of your content or other data”.406 Thirdly, data preservation can be an issue for many customers and therefore it should be safeguarded in the cloud contract.407 Customers are often worried if the data they put into the cloud, will be deleted from the service if the contract ends. Amazon preserves customer data for 30 days, this is the grace period during which the customer may access their data.408 The AWS Customer Agreement clause 7.3 (b) states that: “ (i) We will not take action to remove from the AWS systems any of Your Content as a result of the termination; and (ii) we will allow you to retrieve Your Content from the Services only if you have paid all amounts due under this agreement”.409 The responsibility to delete content remains thus fully at the customer’s side. Critical here is that it seems that Amazon has the opportunity to hold a customer’s data hostage when it failed to pay the required amounts. This is undesirable, because it means that the customer can suddenly lose its control over their data when it for example accidently has not paid all amounts. Also, this may conflict with the obligations under the GDPR, because according to that regulation the cloud service provider (i.e. processor) must delete or return all the personal data which they processed within the cloud to the controller at the end of the data processing services.410 Fourthly, as was mentioned in chapter two, cloud customers are afraid that their data is being accessed by unauthorized organizations, so data disclosure should be considered in an AWS Customer Agreement. Amazon captured in its AWS Customer Agreement that they do not disclose customer content to government bodies, agencies or third parties unless it is necessary to do so to comply with laws or binding orders of governmental bodies.411 Amazon does a few things to provide protection against binding orders by governmental bodies. Amazon reviews the binding orders and notifies customers before disclosing the content of its customers to offer the customers the opportunity to seek protection from the disclosure to governmental
406 Amazon Web Services, ‘AWS Customer Agreement’, clause 11
53 bodies.412 Amazon also frequently publishes a report of information requests on its website.413 What actually should be a concern is that Amazon is not clear about the requests it receives from national security agencies like the CIA or FBI. Amazon is not specific about the numbers of national security requests. It does not give a specific number, but cites the requests as between 0-249, so that could be basically a very large or very small number.414 This is the case in every report between 2015-2019 that is published on Amazon’s website. While on the other hand, the Amazon Information Requests Reports of July-December 2019 is very explicit in mentioning the numbers of subpoenas, search warrants, court orders and non-U.S. requests.415 It even distinguishes the numbers in full response, partial response and no response. Furthermore, data location and transfer arrangements are significant. As said before, Amazon provides in its AWS Customer Agreement the possibility to the cloud customer to choose in which AWS region they want to store their content.416 They offer ‘regional zones’ where the customer is assured that the data will remain.417 The portability of the cloud raises the question to which extent the data in transit is protected.418 Is this between the customer and the provider or within the provider’s infrastructure?419 Regarding the data portability, the data of customers will only be moved to another provider upon the customer’s request.420 However, an important note here is that the regional zones are not specified in the AWS Customer Agreement (ToS).421 Also, locating data in the European Union cannot provide complete protection against data access by United States intelligence services.422 If data is stored in the European Union it may be easier for European individuals to claim their data protection rights,
412 Amazon Web Services, ‘Data Privacy FAQ’
54 but law in the European Union only provides a framework for the proclamation of rights by parties which are located in the different Member States of the European Union.423 Another issue here is the security of data in transit, because that data will usually be transferred between the customer and the provider over the internet.424 This can cause several problems and therefore securing content should be a high priority. Related to the privacy and data protection is the shared responsibility model that Amazon manages regarding the security of the customers content. The cloud provider is responsible for the ‘security of the cloud’ and the cloud customer is responsible for the ‘security in the cloud’.425 Thus the customer is responsible for the management of the guest operating system, related application software and other security features.426 This means that the AWS customer is responsible for the security of every resource they put into the cloud.427 This also means that the cloud customer is responsible with respect to the European data subjects for securing their data since that is the content they put into the cloud. Amazon on its turn is responsible for the security of the global infrastructure of the services.428 Recently AWS has been implicated in several data leaks due to poorly secured S3 buckets.429 Critics state that it is striking that breached S3 buckets can only reveal data by error or negligence of the cloud customer.430 The shared responsibility model in AWS has several advantages. The shared responsibility model gives the cloud customer a certain comfort regarding the security, because it results in the believe that they are in ‘well experienced hands’.431 Moreover, it does not limit the customer to access the models of Amazon, since customers have the responsibility of addressing the user access themselves.432 Nevertheless, the
423 Christopher Kuner, ‘Reality and Illusion in EU Data Transfer Regulation Post Schrems’ [2017] Vol. 18, no. 4, Ger. Law. J. 881, p. 914. 424 Simon Bradshaw, Christopher Millard and Ian Walden, ‘Standard Contracts for Cloud Services’ in Christopher Millard (ed), Cloud Computing Law, (Chapter 3, 1st edn, Oxford University Press 2013), p. 56. 425 Amazon Web Services, ‘Using AWS in Context of Common Privacy and Data Protection Considerations’ (2018), p. 5
55 shared responsibility model also has drawbacks, because corporate security teams and service providers must have clear and regular communication on the security while changes and converges happen very often.433 Also there will always be a risk that Amazon only provides the bare minimum requirement for security of the cloud.434 Therefore it is vital to have controls and safeguards in place. This would give a greater insight in the workload of the security and it allows the customer to enforce rules and policies which make sense for their business.435 Another concern which customers have is the potential monitoring by the cloud provider. A lot of providers established ‘back doors’ so that they can access the customers data for maintenance, servicing, support or security issues.436 Amazon mentions in its AUP its possible monitoring. They have included the following provision in its policy: “We reserve the right, but do not assume the obligation, to investigate any violation of this Policy or misuse of the Services or AWS Site”.437 They reserve the right to investigate violations of the policy and misuse of the service of AWS and they may remove or disable access to content that violates the policy or agreement.438 So, clearly Amazon belongs to the group of providers that monitor the data of customers content for purposes of enforcing their AUP.439 However, a critical point is spotted here. In this circumstance Amazon kept a small opportunity to monitor its customers. Either way, who controls that Amazon is not misusing her position and access customers data with no justified purpose? Still there is no control, and therefore it could be very much possible that employees or intelligence agencies acquire access to customer’s data without their notice. Some providers have more than one ToS document which depends on the localization, they have a different set that is tailored to the local law.440 This is not the case with AWS, they offer one set of ToS as the AWS Customer Agreement. Important is that there is room for negotiating of terms for AWS Customer Agreement or Service Level Agreement. In public cloud computing the norm is that the service agreements are non-negotiable, and the terms of service
433 Lydia Pert, ‘Shared Responsibility Model’ (OpenVPN 3019)
56 are completely prescribed by the cloud provider.441 Amazon has a different SLA for a specific service. Therefore, it is concludable that the service levels are non-negotiable.442 They provide one general AWS Customer Agreement so for the ToS it is also assumable that there is no room for negotiations. Lastly, it seems that Amazon waves away the responsibility towards individuals whose data is stored as the content of a cloud customer on AWS (i.e. the European data subjects). They declared that: “AWS does not collect personal data from individuals whose personal data is included in content a customer stores or processes using AWS and has no content with those individuals. Therefore, AWS is not required and is unable in the circumstances to communicate with the relevant individuals”.443 Thus, the customer has a relationship with the data subjects whose personal data is stored on Amazon.444 The customer knows the scope and notifications which they offered to the data subject and they know if consent is obtained for the collection of personal data.445 It is the cloud customers responsibility to inform the individuals where their data is stored and to seek consent to store their personal data on that data location.446
4.2 Liability, consequences, safeguards and remedies of a data breach in Amazon’s cloud for European data subjects
Certain questions arise when anomalies occur in a cloud computing environment. What happens if a cyberattack strikes the content of Amazon’s cloud customers? Who is liable for the interruption of access to data? In the past few years only several data breaches of AWS were reported. The example of the CapitalOne’s data breach has been discussed before. Another data leak occurred at the company GoDaddy. In this case server information that was stored on AWS, revealed data of 31.000 GoDaddy systems.447 Here AWS itself was the cause of the exposure. The S3 bucket that exposed sensitive data was created by an AWS salesperson, but
441 Wayne Jansen and Timothy Grance, ‘The NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing’ (NIST 2011), p. vii
57 this person did not follow AWS best practices with the particular bucket.448 Luckily in this situation there was no personal information exposed. Certain things are essential in the situation of a security breach. This section answers the question who is liable for a data breach. Besides, the paragraph explains what consequences arise if a data breach in Amazon’s cloud occurs. Furthermore, it also answers the question what safeguards and remedies are implemented in the regulations of both continents for the victims. This section starts off with the consequences of a data breach in Amazon’s cloud. Subsequently, the remedies which are provided by the GDPR and consequential liability will be discussed. After this part an evaluation of the remedies in the United States will be touched upon.
4.2.1 Consequences of a data breach in Amazon’s cloud
It would be logical to start with explaining what actually happens when a data breach occurs. The first thing that should be done by Amazon is a data breach notification. Therefore, Amazon has made several efforts in its AWS contracts to handle data breach situations. However, it should be noted that customers retain the responsibility for monitoring their own environment for data breaches.449 Cloud customers, as data controllers, have the responsibility to notify regulators and affected individuals.450 Amazon is right on this point, because this burden is actually established in Article 34 (1) of the GDPR. This responsibility is due to the fact that the customer maintains the control over their content when using AWS and they are the only one who can manage this responsibility.451 The cloud customer is subject to several privacy and data protection laws depending on where they store their data, which business they conduct and in which industry they operate.452 However the data breach notification responsibility of the cloud customer does not mean that Amazon has no data breach notification responsibility. Article 33 (2) of the GDPR requires the processor (Amazon) to notify the controller (the cloud
448 Ibid. An S3 bucket is a cloud storage service of AWS. Mallory Locklear, ‘Amazon AWS exposes info on 31,000 GoDaddy servers’ (Engadget 2018)
58 customer) without undue delay when a personal data breach becomes to their notice.453 This will be further touched upon in the next paragraph of this chapter. Amazon’s customers are responsible for their own content. Nonetheless, Amazon does offer to work with customers who require AWS’s assistance in legal proceedings.454 But, the customers are responsible for responding to legal procedures that involve the identification, collection, processing, analysis and production of electronic documents that they have stored or process with AWS.455 The question what would actually happen if it is Amazons technical fault that personal data is accessed by an unauthorized party or is misused, remains unanswered. Considerable is the fact that Amazon still can be liable in some situations since Amazon divided the security responsibilities of the cloud and in the cloud between them and its cloud customers. This will be further discussed in the next paragraphs of this chapter. Amazon’s liability for data breaches also depends on what the GDPR and data protection laws in the United States have arranged regarding this topic.
4.2.2 Remedies and liability in the European Union
Since the cloud customers and their data subjects are considered to be based in the European Union in this thesis, it is important to look at what the GDPR says about data breaches. The GDPR is a framework of provisions with a lot of detailed explanations. Speaking of the term ‘personal data breach’, a data breach happens when data for which a company is responsible, suffers a security incident which results in a breach of confidentiality, availability or integrity.456 Article 4 (12) of the GDPR explains a data breach as: “A breach of security to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”.457 Indeed the GDPR has a lot of provisions which regulate the responses to data breach situations.
453 Regulation (EC) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016) OJ L119/1, art 33 (2). 454 AWS whitepaper, ‘Amazon Web Services: Risk and Compliance’ (2015), p. 15
59 Initially, Article 33 (1) of the GDPR states that the controller (the cloud customer) has to notify the supervisory authority within 72 hours when a security breach has occurred.458 As was said before, according to Article 34 of the GDPR, the cloud customer has the responsibility to notify the data subject of a data breach without undue delay. Additionally, Amazon has another legal obligation to fulfill, because Article 33 (2) of the GDPR requires the processor to notify the controller without undue delay when a personal data breach becomes to their notice.459 It is the cloud customer’s (i.e. controller) responsibility to notify the data subjects of a personal data breach without undue delay if the breach is likely to result in a high risk to the rights and freedoms of the persons.460 This communication is not required in several cases including when the controller has implemented appropriate technical and organizational protection measures such as encryption.461 However Amazon can also have responsibility to notify the data subjects of a data breach if it exploits the role of a joint-controller. Since each controller is still responsible to comply with its obligations under the GDPR.462 As to legal remedies, Article 77 of the GDPR states that a data subject has the right to lodge a complaint with a supervisory authority if they consider that the processing of their personal data infringes the GDPR.463 Furthermore, each natural or legal person has the right to an effective remedy against such legally binding decisions of the supervisory authority.464 A data subject also has the right to an effective judicial remedy against a controller or processor if they consider their rights to be infringed as a result of the processing of her personal data in non- compliance with the GDPR.465 In this case the data subject may choose to bring the proceeding before the court of the Member State where the controller or processor has an establishment or where the data subject has his or her habitual residence.466 Amazon has an establishment in the European Union in Luxembourg according to the AWS Customer Agreement. So luckily, European data subjects have the possibility to sue Amazon in the European Union.
458 Ibid, art 33 (1). 459 Ibid, art 33 (2). 460 Ibid, art 34 (1). 461 Ibid, art 34 (2) (a). 462 ICO, ‘What does it mean if you are joint controller?’
60 According to the GDPR a processor is not totally out of liability in some cases because it has to fulfill certain legal duties under the GDPR. First of all, Amazon as the processor, may be held liable by the controller if it fails to meet the terms of the contract which depend on the agreed terms of the AWS Customer Agreement.467 Secondly, according to Article 82 (1) GPDR any person who suffered damage due to an infringement of the GDPR has the right to compensation from a controller or processor.468 The processor can be held liable for the damage that was caused by the processing only if it did not comply with its obligations according to the GDPR.469 This means that Amazon as the processor is directly accountable to those whose data they process if it does not comply with the obligations they have according to the GDPR.470 Under the GDPR it is no longer possible for a cloud service provider to position themselves as a simple processor and avoid the reach of data protection rules.471 This appears from the fact that the GDPR also requires the processors to implement sufficient technical and organizational measures.472 To clarify, if Amazon upholds the role of joint controller then European data subjects can seek the same remedies from Amazon as from the cloud customers as controller.473
467 ICO, ‘What responsibilities and liabilities doe processors have in their own right?’
61 4.2.3 Remedies and liability in the United States
4.2.3.1 Law enforcement on data breaches in the United States
Unfortunately, there is no general federal law on data breaches in the United States, but in fact they do have several safeguards in place. For instance, the FTC, state attorneys general or the regulator for the industry sector enforce violations of privacy laws and rules.474 The FTC has been granted enforcement powers by the FTC Act. The state attorneys have the authority to enforce it states consumer privacy laws and the specific state statute, such as the CCPA.475 However, the FTC is in practice the privacy regulator in the United States.476 Also, state attorney generals and private plaintiffs can enforce privacy standards under the ‘unfair and deceptive acts and practices’ standards in state law.477 The FTC does not expressly address privacy or information security.478 However, they do apply Section 5 of the FTC Act to information privacy and data security.479 The FTC successfully enforce actions under Section 5 of the FTC Act if companies fail: to adequately disclose their data collection practices, to abide to their privacy policies, to comply with their security commitments, to provide a fair level of security for consumer information.480 According to title 15 U.S.C. Section 45 (a)(4) the FTC’s jurisdiction expands across borders which means that they can provide redress for harm abroad which is caused by companies within the United States.481 This is good news for European data subjects of Amazon’s cloud customers, because this means that cloud business are being controlled. The FTC has also started to embrace the idea that third-party data service providers, such as Amazon in the relationship between cloud customers and their data subjects, should act as data stewards.482 For Amazon this would mean that they have responsibilities to minimize harm from the use and distribution of the data by using technical safeguards, administrative procedures and contractual terms.483 Data stewardship opens up the way for
474 Dla Piper, ‘Data protection laws of the world’
62 individuals to receive more protection, because normally they have very little ability to ensure that cloud service providers protect their personal data, which makes them vulnerable and unable to avoid risks.484 So, Amazon also has a duty to European data subjects (or consumers) who are third-party beneficiaries of the data controllers efforts to ensure privacy and data security.485 The FTC safeguards this stewardship by their enforcement duties. Recently, Amazon has been dealing with a United States antitrust scrutiny on their cloud business.486 The FTC asked several software companies about the practices around Amazon’s cloud.487 This could have an impact on Amazon’s business, because the committee also asked questions around AWS.488 This means that AWS is being sufficiently examined and this could end up in discovering negative practices, if any, for Amazon. However, this is not an established fact. The committee asked several questions on how Amazon deals with data. For example, they asked questions about the use of AWS data by non-AWS teams or divisions.489 Some questions also went into more detail whether Amazon implemented policies or procedures on how Amazon can use the data of non-AWS products and services, that is generated by AWS, on AWS business customers or policies.490
4.2.3.2 Data breach notifications in the United States
Let us change the topic to remedies for European data subjects in the United States if a data breach occurred. To start with the first thing that should be considered if something happens. The data breach must be brought to the attention of the victims. As for the United States there is no federal law that covers data breaches which affect personal information of its citizens.491 Every state has its own privacy and data security law. In particular each state has its own data breach notification law which requires organizations to notify customers if a data breach has
484 Daniel Solove and Woodrow Hartzog, ‘The FTC and Privacy and Security Duties for the Cloud’ (2014) 13 BNA Privacy & Security Law Report 577, p. 4
63 occurred.492 The definition of data breaches in the United States is different for each state, but summarized it can be defined as a unauthorized access or acquisition that compromises security, integrity or confidentiality of covered information.493 Most states require a notification to individuals who have been affected and who reside in the state, and some states even require the notification to regulators and state authorities.494 According to the AWS Customer Agreement the laws that govern the contracts are the laws of the State of Washington.495 Washington’s data breach law applies to any entity, person or business, that conducts businesses within the state and also owns or licenses data that contains personal information.496 Also as in many other state laws, Washington’s data breach law does not apply in the situation that data was encrypted and the encryption key was not compromised.497 So, when cloud customers sufficiently encrypt their data and a data breach occurs on that data, Amazon has no data breach notification obligation.
4.2.3.3 Liability for data breaches in the United States
After a data breach has been brought to a data subjects’ notice, they can decide to take action. Individuals have to go court to hold a cloud provider liable for data breaches. First of all, it is important to set out when liability for cloud providers can occur. Liability can mainly be triggered in three situations. A cloud service provider can be liable for the interruption of information access or for the problem of information transfer.498 Besides that, a cloud service provider can face liability for non-compliance with privacy rules.499 Moreover, it can be held liable for the content of information for example if unauthorized access to the data is provided.500 To emphasize again, Amazon is still considered as the data processor and the cloud
492 Legal Thomson Reuters, ‘Who is liable when a data breach occurs?’
64 customer as the controller according to the GDPR. This paragraph first explains the general formalities around legal remedies for data breaches in the United States. After this has been explained the paragraph goes deeper into the several options for data subjects to hold the cloud provider liable for a data breach. Individuals in the United States can bring private rights of actions or class actions for certain privacy or security violations.501 So, European data subjects can pursue legal remedies through private causes of action in United States state courts.502 The United States adopted the Judicial Redress Act of 2015 which extends protections of the Privacy Act to citizens of certified states, which includes the European Union.503 This Act allows European data subjects to bring a civil action and obtain civil remedies in the same manner, to the same extent, and subject to the same limitations as a United States citizen.504 Unfortunately, it is very difficult for victims of data breaches to file a lawsuit in the United States. This is due to the fact that it is very hard for plaintiffs in data breach cases to prove standing.505 Standing is a requirement for courts to hear the case, according to Article III of the United States Constitution.506 For plaintiffs to prove that they have standing they need to show that they suffered harm.507 There is no consensus of courts on the issue of harm in the United States.508 Courts have struggled with this because data breach harms are intangible, risk- oriented and diffuse.509 Courts want harm to be visceral, easy to see and they want it to be vested materialized in the here and now.510 However, when data subjects can prove that they have suffered harm the following question remains: ‘Can Amazon be considered liable for a data breach’? From this part we will go deeper into the possible answers to this question. First of all, under U.S. law the data owner,
501 Dla Piper, ‘Data protection laws of the world’
65 thus the cloud customer, potentially faces full liability for losses due to a data breach.511 This is also the case when the security flaw is the result of the data holder’s (i.e. cloud provider) actions.512 So, it can be arguable that the data subjects can only hold the cloud customers responsible instead of Amazon. As was also expressed before, this is not quite fair because Amazon has the responsibility for the security of the cloud and it therefore should be held liable if a data breach occurs due to their mistake. Regarding the recent Capitol One data breach two senators wrote a letter to the FTC in which they expressed that Amazon should be held liable.513 They said that Amazon knew or should have known the vulnerability to server-side request forgery (SSRF) attack in AWS.514 Amazon’s competitors, Google and Microsoft integrated protections for SSRF so the senators are convinced that Amazon is partly to blame for the attack for not building similar protections.515 Also other critics like Evan Johnsen state that Amazon could be held liable, because cloud providers have a level of responsibility to ensure that its products are protected against attacks like SSRF.516 Secondly, it should be noted here that contractual liability could be an option for cloud customers but not for European data subjects, to hold Amazon liable if it fails to meet the agreements of the AWS Customer Agreement. The European data subjects are not part of the AWS Customer Agreement of Amazon with the cloud customer. This means that individuals can be placed at the mercy of contracts which they did not negotiate and possible offer insufficient protection of their data.517 Luckily a side note should be that, as we have seen in the previous part of this chapter, data subjects are now better covered by the GDPR since Amazon is a data processor. Furthermore, state and federal data privacy laws do not give civil liabilities free rein in the case of a cyber intrusion.518 The Capitol One data breach can be used as an example of a liability case. In this case an old Amazon employee downloaded millions of credit applications
511 Legal Thomson Reuters, ‘Who is liable when a data breach occurs?’
66 from a rented cloud data server.519 In this situation the question is whether Amazon is liable for the data breach or not. Amazon holds that the cause of the intrusion was a misconfiguration of a web application firewall.520 The cause here was not the underlying infrastructure or the location of it for which they have the responsibility.521 Capitol One said that the data breach was caused by the configuration vulnerability in their infrastructure and not by the cloud itself.522 They even stated that the cloud infrastructure helped with responding to the breach, because the speed in which they could diagnose and fix the vulnerability was empowered by their cloud operating model.523 Actually, it is not surprising that Amazon is assumed not to be liable since they exclude any liability issues in their favor in the AWS Customer Agreement.524 However under the GDPR this is not allowed since a processor can be directly hold accountable by data subjects.525 Also liability can also not be sidestepped if a cloud provider failed to implement sufficient safeguards. Nevertheless, if this cannot be proved in liability cases, the European data subjects are in most instances left to sue the cloud customers since they generally still have greater responsibility for data breaches and security issues. However, there may also be some positive news. In the United States, several Capitol One customers have filed a class- action lawsuit against Capitol One and Amazon for failing to safeguard customer data after the bank was hacked.526 If this class action succeeds than this could open up a way for data subjects to file a lawsuit against a data processor for negligence of implementing appropriate safeguards. Additionally, ex post liability could be an adequate option for data subjects when a data breach occurs as a result of negligence by the service provider. Negligence for data breaches has emerged to be the most popular legal theory since 2016.527 Plaintiffs generally claim that the defendant had a duty to exercise reasonable care in protecting their data by failing to
519 Kevin M. LaCroix, ‘Guest Post: Is Amazon Liable for the Capital One Hack?’ (The D&O Diary 2019)
67 adequately protect their data or by failing to notify them of a data breach.528 Compensation can be granted if certain conditions are met. The first condition is met when the company had a duty of care to protect the plaintiff’s information.529 Secondly the company had breached his duty and moreover actual harm was suffered.530 At last the harm is the result of the companies breach of duty.531 It is arguable that, considering the upcoming data stewardship of cloud service providers, that a duty of care could possibly exist. Either way, then still the question remains if such a lawsuit is also available for European data subjects, because the problem of standing also arises here. However, it is not that it has been made harder for European data subjects to go to court, but in general standing remains hard to prove in any data breach case. This is because harm is not always a given fact. Furthermore, privacy in the United States is protected by a network of common law torts which include invasion of privacy, public disclosure of private facts, ‘false light’, appropriation or infringement of the right of publicity or personal likeness, general misappropriation or negligence.532 The main privacy torts are intrusion upon seclusion, appropriation of identity, public disclosure of private facts and false light.533 Courts are more familiar with privacy injuries, so if digital data injuries can be identified with one of the privacy torts they become privacy injuries.534 Unfortunately privacy torts are very complex since all demand to prove substantial requirements. Intrusion upon seclusion requires an objective analysis of a plaintiff’s expectation of privacy.535 The appropriation of identity can be an option for data breaches if there is harm to dignity caused by denying the right to control someone’s information.536 If Amazon releases personal information then this might be addressed with public disclosure of private facts tort.537 However, this disclosure must be of an embarrassing nature.538 So, for data
528 Wayne M. Alder, ‘Data Breaches: Statutory and Civil Liability, and How to Prevent and Defend A claim’
68 subjects to sue Amazon under privacy torts is quite difficult and requires sufficient effort to prove additional circumstances.
4.2.4 Arrangements for legal remedies in the EU-US Privacy Shield
In chapter three the Privacy Shield already has been discussed. This part will return to the Privacy Shield, but it then goes deeper into the question what legal remedies are provided in this framework. The Privacy Shield provides certain individual rights and legal remedies to European individuals. First of all, under the Privacy Shield European individuals have the opportunity to bring a complaint directly to a Privacy Shield participant, upon which the participant has to respond to the individual within 45 days.539 Secondly, individuals can file a complaint to a data protection authority (DPA) in the European Union.540 In this instance the EU DPA’s, the Department of Commerce and the FTC work closely together. If individuals file a complaint with the DPA in the European Union then the Department of Commerce also reviews and makes efforts to enable resolution of this complaint and respond to the DPA within 90 days.541 The FTC works closely with the DPA to provide enforcement assistance when complaints are filed by individuals, such as information sharing and investigative assistance.542 Thirdly, the Privacy Shield participant (Amazon) is obligated to provide a free and independent recourse mechanism that investigates and resolves individual complaints to the cloud provider.543 This recourse mechanism should give individuals complete and easily readable information about the procedure of the dispute resolution when they file a complaint.544 The Privacy Shield participant is obligated to include the Privacy Shield principles and services they provide under the Privacy Shield on their website. Amazon has diligently followed these obligations, because Amazon has mentioned the recourse mechanism on their website with the required information.545
539 Fact Sheet: ‘Overview of the EU-US Privacy Shield Framework 2014-2017’
69 Another option for European individuals could be arbitration since the Privacy Shield participants commit to binding arbitration at the request of the individual to address unresolved complaints by other recourse or enforcement mechanisms.546 Furthermore, the FTC may file a complaint in a federal district or seek an administrative cease and desist order to prohibit the challenged practices if they believe that there has been a violation of section 5 of the Privacy Shield.547 Although the FTC is a very powerful institution, it has difficulty to address all the complaints.548 The FTC experiences difficulties to declare a practice unfair unless it caused substantial injury.549 So, not surprisingly standing is also an issue here. Nevertheless, European cloud customers can sidestep this problem by turning to contract law because it seems that United States courts are less skeptical of claims based on voluntary agreements among private parties. Some courts in the United States upheld privacy policies as enforceable contracts in litigations.550 However, in relation to the case of AWS this is a difficult option for European data subjects since they are often not part of the contract between a cloud provider and a cloud customer. Lastly, the ombudsman which is a mechanism established by the Privacy Shield could be another available remedy.551 The United States government committed to establish an ombudsman which can handle requests form European citizens on national security and intelligence agencies.552 So, if data subjects have complaints about information that is being provided to intelligence agencies in compliance or in non-compliance with the CLOUD Act, they can turn to the ombudsman for a remedy. The ombudsman is supposed to work with appropriate officials from other departments and agencies, including independent oversight bodies, who are responsible for processing requests.553 European citizens can submit a request to the Member State body which is competent for the oversight of national security.554
546 Fact Sheet: ‘Overview of the EU-US Privacy Shield Framework 2014-2017’
70 4.3 Closing remarks
Amazon captured privacy and data protection clauses in its AWS Customer Agreement. These privacy provisions are not very extensive, but Amazon does provide several reports and whitepapers to explain privacy and data protection related issues more in depth. Important subjects as the ownership of data, data access, data integrity, data preservation, data disclosure, data location, data transfer, security responsibility and monitoring are all being discussed in the available documents. However, as has been mentioned in chapter two, these documents do not have any legal status and they are just presented as helpful tools. A conclusion that can be drawn is that the cloud customers have control over the entire lifecycle of their content. This creates the impression that European data subjects are surrendered to the cloud customers on how they handle and secure their data. However, as we have seen in this chapter, cloud processors and controllers both have responsibilities to data subjects and they may both be held accountable to data subjects. Amazon states that European cloud customers have the responsibility to notify the data subjects if a data breach occurs. That the controller has to notify the data subjects is also determined by the GDPR in Article 34 (1) GDPR. However, Amazon as the processor cannot sit back in its chair, because it has an obligation to notify the controller when they become aware of a personal data breach. Under United States law, Amazon has an obligation to notify individuals if a data breach occurs. So, European data subjects have to be informed of a data breach by Amazon. More important is the fact that the full responsibility regarding the security of data and data handling remains at the customer’s side. It seems that Amazon fully waived the liability regarding the data of individuals which are processed or stored on its services. Nonetheless, liability does exist for Amazon in a few circumstances under the GDPR and U.S. law. It can be concluded that Amazon can be held liable if it does not comply with privacy and data protection regulation in the European Union and in the United States. Amazon, as the processor, is liable if it does not comply with the obligations it has under the GDPR. Although it is extremely hard to find redress in the United States due to formal requirements, they still have the opportunity to private actions. What should be noted is that for European data subjects it is quite difficult to hold Amazon liable in the United State because the data owner, the cloud customer, generally has full liability for data breaches. Furthermore, contractual liability turned out to be not one of their options because data subjects are not a contractual party in an AWS Customer Agreement. Tort liability on the other hand could provide an outcome to the data subjects to sue Amazon
71 but in that case, it is still very difficult for data subjects to prove that they have suffered harm. Concludable is that data subjects have several remedies, but the formal requirements in the United States constitute a real blockage in some cases.
72 Chapter five: Conclusion
To summarize what cloud computing comprehends let us refer back to the NIST cloud computing definition. Cloud computing is a model that allows a global on-demand network access to a joint group of configurable computing resources, which can be quickly provisioned and released with management effort or service provider collaboration.555 All chapters showed that cloud computing as the new paradigm, creates a lot of implications. Central in this thesis were the possible privacy and data protection problems within Amazon Web Services. This thesis showed that privacy and data protection risks in cloud computing occur mainly due to a lack of sufficient security measures and cross-border data transfer issues. In the case of Amazon, when a European company enters into a contract with Amazon for cloud services, risks to data exist when data is being transferred between two jurisdictions. The main question which was the focus of this thesis is: ‘To what extent is the data of European data subjects protected within Amazon Web Services?’. The scope of protection of European data subjects’ data partly depends on how adequate cloud customers secure their cloud in the AWS. Due to the shared responsibility model in AWS, the cloud customers are responsible for the security in the cloud. However, to some extent the security level also depends on Amazon’s effort of the security of the cloud. In sum, if both cloud customer and cloud provider take their security tasks serious, the data of European data subjects can be very well protected in AWS. There are several reasons for this conclusion. First of all, the biggest cross-border data protection problem is the fact that cloud customers are generally not aware of the exact location of their data. Luckily Amazons cloud customers are generally aware of the location of their data, because they can choose where they want their data to be stored and Amazon ensures them in the AWS Customer Agreement that the data will remain there. So, this gives the cloud customers the opportunity to be fully transparent to their data subjects on where they store their personal data. Secondly, it is striking that Amazons cloud customers have a lot of control. Amazon allows their cloud customers to control the location of their data, the security in the cloud, and the virtual networking environment. The control of the data remains mainly at the customers side. Thirdly, cloud providers as data processors have been given the obligation by the GDPR to implement reasonable security when they handle personal data. Due to the shared responsibility model in
555 Peter Mell and Timothy Grance, The NIST Definition of Cloud Computing, Recommendations of The National Institute of Standards and Technology, p. 2 (NIST, National Institute of Standards and Technology, US, Department of Commerce 2011)
73 AWS this is more up to the cloud customers. However, Amazon does help with these security responsibilities. Data subjects are more dependent on the security and protection measures of their data provided by the cloud customer than provided by Amazon. Since the cloud customers have the responsibility of the security in the cloud which comprehends the content (i.e. the data subjects’ data). Of course, this does not mean that Amazon is not accountable if something goes wrong. We have seen in chapter four that Amazon can be held liable if a breach of data occurs due to a mistake on Amazon’s side and not on the customer’s side. Also, critics who reacted to the CapitolOne data breach case say that providers have a certain level of responsibility and thus you could say that this also connects with the accountability assumption of processors in the GDPR. Furthermore, chapter three showed that regulation of data transfers between the European Union and the United States is extremely complex. The laws of both jurisdictions differ a lot and they have different perception approaches and legal frameworks of privacy and data protection. An important difference between the European Union and the United States is that the United States do not regulate cross-border data transfer. As has been discussed in chapter three, Amazon as a designated data processor, is subject to the GDPR which does have a more extensive regulation on cross-border data transfer regulation. As it has been demonstrated in their white papers and on its website, Amazon is very well aware of the fact that it has to comply with the GDPR regulation. After chapter four the conclusion can be drawn is that in general, and on paper Amazons cloud customers have control over the entire lifecycle of the data of European data subjects in AWS. So, it seems like European data subjects are surrendered to the protection of their data provided by the cloud customers. Though, thanks to the GDPR both processor and controller have responsibilities and are accountable to their European data subjects. Nonetheless, a possible lack of protection of European data subjects’ data in AWS can be detected in several loopholes of the AWS Customer Agreement. The first issue is found in data preservation in AWS since Amazon has the opportunity to hold a customer’s data hostage if the customer did not fulfill the required payments. If such thing happens it will constitute a conflict with the GDPR which requires a processor to delete or return all the personal data at the end of its services to the data controller. The second concern went around data disclosure. Amazon appears to be very unclear about the requests it receives from national security agencies such as the CIA and the FBI. Also, the available regions regarding data location are not specified in AWS Customers Agreement. Furthermore, we have seen that the shared responsibility model in AWS derives some disadvantages especially since there is a risk that Amazon only provides the bare minimum for its security of the cloud. Besides this Amazon
74 also vested a small opportunity in its AUP to monitor its customers. So, this questions who holds control on the possible unauthorized access by Amazon to its customers data. Especially regarding the fact that the AWS Customer Agreement does not give very much space to adapt to situations since there is no room for negotiations. So, we can conclude that enough protections in AWS exist if everything goes right. However, what happens if something goes wrong, and unfortunately things always go wrong. When something goes wrong and a data breach occurs greater problems can arise, since the available remedies for data subjects could depend on the jurisdiction, they seek redress in. The EU-US Privacy Shield established useful protection for European data subject. This framework ensures that European data subjects have the same available remedies in the United States as U.S. citizens. The GDPR also provides for enough and clear remedies, at least on paper. On the other hand, this does not apply to the United States, where it is absolutely not vested in specific law or regulation what remedies data subjects have when a data breach occurs. However, a guarantee for European data subjects that every bandage will cover their wounds does not exist in any circumstance here. Lack of data protection in AWS can derive when a data breach occurs. The GDPR and data breach notification laws in the United States require that European data subjects are informed by the controller and the processor if a data breach occurs on one of their sides. The GDPR protects European data subjects by granting them several options to seek redress for their damages. Also, it established a certain accountability for processors regarding data subjects if they do not fulfil its legal duties. So, Amazon can be held liable if it does not comply with the GDPR in the European Union and with the data protection regulation in the United States. Negligence can constitute civil liability in the United States for Amazon in certain cases if data subjects suffer harm due to the Amazon’s breach of its duty to secure data. Nonetheless, also privacy torts can constitute liability for Amazon in U.S. courts. However, in almost every circumstance with negligence or privacy torts it is very hard to prove standing in the United States. This because damages due to data breaches are often intangible and diffuse, but harm needs to be visceral and easy to see. To conclude with the answer to the main question. Overall, the data of European data subjects is well protected in AWS if both cloud provider and cloud customer try their best to fulfill its obligations to protect and secure the data in AWS. Though, some problems can still occur in AWS regarding the protection of data for two reasons: the several loopholes in the AWS Customer Agreement and the availability of legal remedies if a data breach occurs. So, where does this leave us? Amazon needs to act and anticipate on situations where something
75 can go wrong to the same extent as its cloud customers. The trust of data subjects in AWS is important for Amazon to continue with its business. For the simple reason that a cloud without cloud customers and their data subjects cannot exist. A first step towards obtaining and keeping data subjects trust would be for cloud customers and Amazon to work together. For example, they should ensure the data protection of European data subjects in the AWS Customer Agreement. As a final note, the main aim of AWS should be kept in mind, namely protecting the data of the cloud consumers and thus the data of the European data subjects.
76 Reference list
Primary resources
Regulation (EC) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016) OJ L119/1
Commission Implementing Decisions (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the council on the adequacy of the protection provided by the EU-US Privacy Shield C (2016)4176)
Commission Implementing Decisions (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the council on the adequacy of the protection provided by the EU-US Privacy Shield C (2016)4176), annex III
Secondary resources
Books
Alan Charles Raul, The privacy, data protection and cybersecurity law review (1st edn, Law Business Research Lrd 2014)
Christopher Millard, Cloud Computing Law, (1st edn, Oxford University Press 2013)
Derrick Rountree and IIeana Castrillo, The Basics of Cloud Computing: Understanding the fundamentals of cloud computing in theory and practice, (Elsevier Science & Technology Books 2013)
FRA/ECtHR/EDPS, Handbook on European data protection law (2018 edn, Publications Office of the European Union)
Richard Hill, Laurie Hirsch, Peter Lake, Siavash Moshiri, Guide to Cloud Computing Principles and Practice, (Springer 2013)
San Murugesan and Irena Bojanova, Encyclopedia of Cloud Computing, (John Wiley & Sons, 2016)
Sasha Romanosky and Alessandro Acquisti, ‘Privacy Costs and Personal Data Protection: Economic and Legal Perspectives’ [2009] vol 24, no. 3 Berkeley Tech. L.J, 1061
S. Pearson and G. Yee, Privacy, Security and Trust in Cloud Computing (1st edn, Springer- Verlag London, 2013)
Vladimir O. Safonov, Trustworthy Cloud Computing, (1st edn, John Wiley & Sons, Incorporated 2016)
77 Article 29 Data Protection Working Party, Guidelines on personal data breach notification under Regulation 2016/679 (2018)
Articles and journals
Abdullah Alqahtani & Hina Gull, ‘Cloud Computing and Security Issues – A Review of Amazon Web Services’ [2018] Vol. 13, no 12 IJAER 16077
Al Morsy, M., Grundy, J. & Mueller, I. ‘An analysis of the cloud computing security problem’ [2010] APSEC
Aurelia Delfosse, Jeremy Fanton, Thierry Floriani, Vincent Malguy, Nargisse Marine and Cedric Tavernier, ‘Cloud security and privacy in IAAS model’ [2013] ICICST 54
Marjory S. Blumenthal, ‘Is Security Lost in the Clouds?’ (2010) TPRC 2010,
CJ Radford, ‘Challenges and solutions protecting data within Amazon Web Services’ [2014] Vol. 2014, issue 6 ISSN 1353-4858
Chris Jay Hoofnagle, ‘US Regulatory Values and Privacy Consequences: Implications for the European Citizen’ (2016) Vol. 2, no. 2, EDPL, p. 7
Christopher Kuner, ‘Reality and Illusion in EU Data Transfer Regulation Post Schrems’ [2017] Vol. 18, no. 4 Ger. Law. J. 881
Collin Bennet, ‘Redress, the International Protection of Privacy and National Security and Intelligence Agencies: The Role for an Ombudsperson’ (2017)
Daniel J. Solove, ‘Privacy and Power: Computer Databases and Metaphors for Information Privacy’ [2001] 53 Stan. L. Rev 1393
Daniel J. Solove and Danielle Citron, ‘Risk and Anxiety: A Theory of Data Breach Harms’ [2017] no 2017-2 GWU Law School Public Law Research Paper
Daniel Solove and Woodrow Hartzog, ‘The FTC and Privacy and Security Duties for the Cloud’ (2014) 13 BNA Privacy & Security Law Report 577
Dan Svantesson and Roger Clarke, ‘Privacy and consumer risks in cloud computing’ [2010] 26 (4) CLSR 391
Deyan Cheng and Hong Zhao, ‘Data Security and Privacy Protection Issues in Cloud Computing’ [2012] ICCSEE 647
Ioan-Luca Vlad, ‘Importance of the geographical localization of the commercial provider of cloud storage services with regard to the protection of consumer’s rights through European Union rules’ [2015] Vol. 1, no. 2, National Strategies Observer 224
78
Jay P. Kesan and Carol M. Hayes, ‘Liability for data injuries’ [2019] Univ Ill Law Rev. 295
Konstantinos K. Stylianou, ‘An evolutionary study of cloud computing services’ [2010] Vol. 27, issue 4, J. Marschall J. Info. Tech & Privacy L. 101
Mantelero, A, ‘Cloud computing, trans-border data flows and the European Directive 95/46/EC: applicable law and task distribution’ [2012] Vol. 3, no. 2 EJLT
Maria Lillà and Mirta Antonella Cavallo, ‘Cybersecurity and Liability in a Big Data World’ [2018] Vol. 11, no. 2, Market and Competition Law Review 71
Mark Webber, ‘The GDPR’s impact on the cloud service provider as a processor’ (2016) Vol. 16, issue 4, PDP Journals,
Miranda Rutherford, ‘The Cloud Act: Creating Executive Branch Monopoly Over Cross- Border Access’ [2019] Vol. 34, no. 4 BTLJ
Nalini Subramanian and Andrew Jeyaraj, ‘Recent security challenges in cloud computing’ [2018] 71 Computers and Electronical Engineering 28
Nancy J. King and V.T. Raja, ‘Protecting privacy and security of sensitive consumer data in the cloud’, [2012] 28 CLSR 308
Pardis Moslemzadeh Tehrani, Johan Shamsuddin Nin Hj Sabaruddin, Dhiviya A.P. Ramanathan, ‘Cross border data transfer: Complexity of adequate protection and its exceptions’ [2018] 34 CLSR 582
Paul M. Schwarz and Karl-Nikolaus Peifer, ‘Transatlantic Data Privacy Law’ [2017] 106 Geo. L.J. 115
Peter Swire, Justin Hemmings and Sreenidhi Srinivasan, ‘Defining the Scope of ‘Possession, Custody, or Control’ for Privacy Issues and the Cloud Act’ [2019] 10J. Nat’L Security L. & Pol’Y
Rabi Prasad Padhy, Manas Ranjan Patra, Suresh Chandra Satapathy, ‘Cloud Computing: Security Issues and Research Challenges’ [2011] Vol. 1, no. 2, IRACST 136
Renee Berry and Matthew Reisman, ‘Policy Challenges of Cross-Border Cloud Computing’ (2012) Journal of international Commerce and Economics
Roger Clarke, ‘User Requirements for Cloud Computing Architecture’ (2010) IEEE/ACM
79 Rolf H. Weber and Dominic Nicolaj Staiger, ‘Cloud Computing: A cluster of complex liability issues’ (2014) 20(1) Web JCLI
Saakshi Narula, Arushi Jain, Ms. Prachi, ‘Cloud computing security: Amazon Web Services’ [2015] IEEE 501
Siani Pearson and Azzedine Benameur, ‘Privacy and Trust Issues Arising from Cloud Computing’ [2010] IEEE 693
Suzanne Kent, ‘Federal Cloud Computing Strategy’ (2019)
Theodore Christakis, ‘Transfer of EU Personal Data to U.S. Law Enforcement Authorities After the CLOUD Act: Is There a Conflict with the GDPR?’ [2019]
Timane, Rajesh, Analysis of Cloud Computing Market Players. International Journal of Research in IT & Management. [2011] Vol. 1, no. 5, ISSN 2231-4334 96
W. Gregory Voss, ‘The Future of Transatlantic Data Flows: Privacy Shield or Bust?’ [2016] Vol. 19, no. 11 Journal of Internet Law 9
W. Gregory Voss and Kimberly A. Houser, ‘Personal Data and the GDPR: Providing a Competitive Advantage for U.S. Companies’ [2019] Vol. 56, Issue 2, American Business Law Journal
Yunchuan Sun, Junsheng Zhang, Yongping Xiong, and Guangyu Zhu, ‘Data security and privacy in Cloud Computing’ (2014) 190903 IJDSN
Websites
Aaron Brown, Wally Guzik, Ravi Dhaval, Lakshmi Modugu, Piyum Zonooz and Nill Chitty, ‘Data Protection – Securing data in the cloud’ (2019)
Alexander J. Martin, ‘Don’t doubt it, Privacy Shield is going to be challenged in court’ (The Register 2016)
Alleweldt F. & others, ‘Cloud computing. European Internal Market and Consumer Protection Committee Study’ (2012)
Amazon Web Services, ‘AWS Global Infrastructure’
80
Amazon Web Services, ‘What is cloud computing’
Amazon Web Services, ‘Cloud computing with AWS’
Amazon Web Services, ‘Amazon EC2’
Amazon Web services, ‘Global infrastructure’
Amazon Web Services, ‘Types of Cloud Computing’
Amazon Web Services, ‘Protecting data using encryption’
AWS security whitepapers, ‘Amazon Web Services: Overview of security processes’ (2020)
Amazon Web Services, ‘Amazon Information Request Report’
Amazon Web Services, ‘Clarifying Lawful Overseas Use of Data (CLOUD) Act’
Amazon Web Services, ‘Privacy Notice’
Amazon Web Services, ‘Data Privacy FAQ’
Amazon Web Services, ‘Using AWS in Context of Common Privacy and Data Protection Considerations’ (2018)
AWS whitepaper, ‘Amazon Web Services: Risk and Compliance’ (2015)
Amazon Web Services, ‘AWS Acceptable Use Policy’ (2016)
81 Amazon Web Services, ‘AWS Service Level Agreements (SLAs)’
Amazon Web Services, ‘EU-US Privacy Shield’
Amazon Web Services, ‘AWS Customer Agreement’ (2019)
Amazon Web Services, ‘Navigating GDPR Compliance on AWS’ (2019)
Amazon Web Services, ‘EU-US and Swiss-US Privacy Shield’
Amazon Web Services, ‘Data Privacy’
Amazon Web Services, ‘Compliance FAQ’
Amazon Web Services, ‘AWS Identity and Access Management (IAM)’
Business Insider, ‘Elizabeth Warran is urging the FTC to investigate Amazon over concerns that it played a role in the massive Capital One data breach that affected 100 million people’ (Business Insider, 2019)
Chad Woolf, ‘AWS GDPR Data Processing Addendum – Now Part of Service terms’ (AWS Security Blog 2018)
Chad Woolf, ‘All AWS Services GDPR ready’ (AWS Security Blog 2018)
Christian Berthelsen, Matt Day & William Turton, ‘Capital One says Breach Hit 100 Million Individuals in U.S.’ (Bloomberg 2019)
CNBC, ‘Amazon Faces US antitrust scrutiny on cloud business: Bloomberg’ (CNBC 2019)
82 Darchevia Woods, ‘Cloud Security: The Pros and Cons of a Shared Responsibility Model’ (Illinois technology association 2016)
Digital Guardian, ‘The Definitive Guide to U.S. State Data Breach Laws’
Dla Piper, ‘Data protection laws of the world’
European Commission, ‘What is a data breach and what do we have to do in case of a data breach?’
European Commission - Entrepreneurship and SMEs, ‘What is an SME?’
European Commission, ‘Wat is a data breach and what do we have to do in case of a data breach?’
Edward McNicholas and Kevin Angle, ‘USA: Cybersecurity 2020’ (ICLG 2019)
EU GDPR Compliant, ‘What is a data subject?’
Fact Sheet: Overview of the EU-US Privacy Shield Framework 2014-2017’
FindLaw, ‘Defamation vs. False Light: What Is the Difference?’ (FindLaw 2018)
Guidance Software, ‘Cross-border data privacy in focus’
IAPP, ‘2017 Data Breach Litigation Report’
83 ICO, ‘What responsibilities and liabilities doe processors have in their own right?’
ICO, ‘What does it mean if you are joint controller?’
CapitolOne, ‘Information on the Capitol One Cyber Incident’
Kasey Panetta, ‘Is the Cloud Secure?’ (Gartner 2019)
Kevin M. LaCroix, ‘Guest Post: Is Amazon Liable for the Capital One Hack?’ (The D&O Diary 2019)
Legal Thomson Reuters, ‘Who is liable when a data breach occurs?’
Lindsey O’Donnell, ‘Is AWS Liable in Capitol One Breach?’ (Threatpost 2019)
Lisa Eadicco, ‘Elizabeth Warran is urging the FTC to investigate Amazon over concerns that it played a role in the massive capital One data breach that affected 100 million people’ (Business Insider 2019)
Lydia Pert, ‘Shared Responsibility Model’ (OpenVPN 3019)
Jennifer Baker, ‘EU High Court hearings to determine future of Privacy Shield, SCCs’ (IAPP 2019)
Jessica Stenklyft, ‘Part 3: GDPR and the future of the EU-US Privacy Shield’ (Accudata Systems 2017)
Michael Punke, AWS and the CLOUD Act’ (AWS Security blog 2019)
84 Malia Thuret-Benoit, ‘What is the difference between personally identifiable information (PII) and personal data?’ (TechGDPR 2019)
Mallory Locklear, ‘Amazon AWS exposes info on 31,000 GoDaddy servers’ (Engadget 2018)
Matthias Artzt and Walter Delacruz, ‘How to comply with both the GDPR and the CLOUD Act’ (IAPP 2019)
Miroslav Chlipala and Stefan Pilar, ‘Cloud service provider – processor, controller or both?’ (INPLP 2017)
Morgan Lewis, ‘The Judicial Redress Act of 2015 becomes law’ (Morgan Lewis 2016)
Natasha Lomas, ‘EU-US Privacy Shield complaint to be heard by Europe’s top court in July’ (Techcrunch 2019)
Pete Cheslock, ‘The Real Implications of The Shared Security Model’ (Threat Stack 2017)
Peter Mell and Timothy Grance, The NIST Definition of Cloud Computing, Recommendations of The National Institute of Standards and Technology (NIST, National Institute of Standards and Technology, US, Department of Commerce 2011)
Peter Swire and Jennifer Daskal, ‘Frequently Asked Questions about the U.S. Cloud Act’ (2019) CBDF
Privacy Shield Framework – Amazon.com, Inc.
Privacy Shield Framework, ‘Dispute res and Enforcement (d-e)’
PWC, ‘CCPA Watch’
85 Rich Mogull, ‘AWS vs. Azure vs. GCP: A Security Pro’s Quick Cloud Comparison’ (Disrupt Ops 2019)
Rob Wright, ‘AWS security faces challenges after a decade of dominance’ (SearchAWS 2020)
Sarah Murray, ‘Court rulings threaten to upset defenses against data breach claims’ (Financial Times 2016)
Seth Humeniuk, ‘Capital One, Amazon Web Services Facing Class Action Suit Over Recent Data Breach’ (Newswire 2019)
Service Architecture, ‘Application Program Interfaces’
Shaping Europe’s digital future policy – ‘Cloud computing’
Shaping Europe’s digital future policy – ‘International cooperation on cloud computing’
Shaping Europe’s digital future policy – ‘European Cloud Strategy 2012’
Sooraj Shah, ‘Amazon, AWS and antitrust: How tough could US lawmakers be on the tech titan?’ (Computerweekly.com 2019)
Springmeyer law, ‘Dealing With Data Breaches’
Stephen Schmidt, ‘Customer Update: Amazon Web Services and the EU-US Privacy Shield’ (AWS Security Blog 2016)
Steven Chabinsky, F. Paul Pittman, ‘USA: Data Protection 2019’ (ICLG 2019)
86
Toni M. Fine, ‘Excerpt reproduced from American Legal Systems’ (LexisNexis)
U.S. Department of Commerce - NIST Cloud Computing Standards Roadmap (Special publication 500-291, version 2)
Wayne Jansen and Timothy Grance, ‘The NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing’ (NIST 2011)
Wayne M. Alder, ‘Data Breaches: Statutory and Civil Liability, and How to Prevent and Defend A claim’
Wikipedia, ‘Business-to-Business’
Wikipedia, ‘Web Service’
Wikipedia, ‘Xen’
Wikipedia, ‘Amazon Web Services’
87