As Europe Revamps Privacy Laws, AWS and Microsoft Move To Comply
Amazon Web Services (AWS) and Microsoft this week touted their compliance with emerging European data privacy regulations as they escalate their respective datacenter build-outs on that side of the Atlantic.
Both cloud providers' announcements are related to the European Union's General Data Protection Regulation (GDPR), which aims to "harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy." The GDPR was approved by EU lawmakers last spring and will begin to be enforced on May 25, 2018, signalling the first major overhaul of the European Union's aging data privacy laws in two decades.
Microsoft on Wednesday said that it is taking steps to ensure that its entire cloud services portfolio is fully compliant with the GDPR in time for its enforcement. Companies will be able to "leverage our broad portfolio of enterprise cloud services to meet your GDPR obligations for areas including deletion, rectification, transfer of, access to and objection to processing of personal data," wrote Brendon Lynch, Microsoft's chief privacy officer, in a blog post.
Microsoft also plans to update its licensing agreements and security notification processes to comply with the new GDPR requirements.
"As the fast-approaching GDPR deadline draws closer, we look forward to working in close partnership with you on GDPR compliance. We will continue to share the resources, tools and solutions you need to help develop your own compliance plan. In March, we will announce the details of our contractual commitments in accordance with GDPR rules. In the coming months, we will hold workshops, and host webinars for all customers and partners," Lynch wrote.
For its part, AWS on Monday announced that it has joined the Cloud Infrastructure Services Providers in Europe (CISPE), a group of roughly 20 cloud infrastructure providers whose goals include establishing industrywide compliance with the GDPR through its Code of Conduct.
"One of CISPE's key priorities is to ensure customers get what they need from their cloud infrastructure service providers in order to comply with the new EU General Data Protection Regulation (GDPR)," wrote Stephen Schmidt, AWS vice president and chief information security officer, in a blog post. "With the publication of its Data Protection Code of Conduct for Cloud Infrastructure Services Providers, CISPE has already made significant progress in this space."
On the service level, six of AWS' cloud products -- Amazon EC2, Amazon S3, Amazon RDS, AWS Identity and Access Management, CloudTrail and Amazon EBS -- are certified to be compliant with the CISPE Code of Conduct.
"This provides our customers with additional assurances that they fully control their data in a safe, secure, and compliant environment when they use AWS," Schmidt said.
AWS is arguably the largest cloud provider in the CISPE's roster by market share. Neither Microsoft nor Google -- AWS' two closest competitors in the public cloud market -- is a member.
These announcements by AWS and Microsoft come as the two companies rapidly expand their cloud footprints in Europe, where laws related to data sovereignty can be especially stringent. A recent report by Canalys concluded that "[s]trict data sovereignty laws and customer demand are pushing cloud service providers to build data centers in key markets, such as Germany, Canada, Japan, the UK, China and the Middle East; where personal data is increasingly required to be stored in facilities that are physically located within the country."
AWS currently has datacenter regions in Ireland, Frankfurt and, as of late 2016, London, with plans to open a region in Paris later this year. Microsoft also has regions located throughout Europe, including the Netherlands, the United Kingdom and, most recently, Germany. Like AWS, Microsoft also plans to launch a Paris region in 2017.