by eitally 3910 days ago
Model Clauses/Contracts (https://www.dataprotection.ie/docs/Model-Contracts/38.htm) are an alternative method of satisfying EU data protection requirements in dealing with overseas data transfers. Amazon, like Google and many other multinational technology companies, has adopted these in years past.

What this posting means is that *from Amazon's perspective* they are compliant with Directive 95/46/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:...), which established (for the EU) these regulations.

What it doesn't mean is that customers of Amazon are also compliant, because Amazon has no clue what types of data they are processing, what they are doing with it, and where they are putting it. They are wisely advised to consult counsel to ascertain this fact.

3 comments

But does Amazon have a reasonable claim of being able to fulfill those requirements considering secret court orders that can't be challenged by European citizens, NSLs and the Microsoft case[1]?

[1] http://www.theguardian.com/technology/2015/sep/09/microsoft-...

I'm not sure they still comply with the UK Data Protection Act. According to the Information Commissioner's Office https://ico.org.uk/for-organisations/guide-to-data-protectio... :

> A company in the UK uses a centralised human resources system in the United States belonging to its parent company to store information about its employees.

or

> A travel agent sends a customer’s details to a hotel in Australia where they will be staying while on holiday.

> If you intend information on the website to be accessed outside the EEA, then this is a transfer.

This means if your data can be accessed outside the EEA, e.g. you access your on-premise CRM on your African holiday, you are likely to void Principle 8.

The ICO is a member of the Article 29 Working Party (the WP is made up of a representative from each of the 28 EU Member States + the European Commission and EU bodies dealing with data protection, as detailed in Article 29 of the Data Protection Directive).

The WP is designed to make sure that Member States' Data Protection Authorities apply the DPD in a roughly uniform manner.

Of course, if the ICO deviates from the DPD then any party is able to appeal to the First-Tier Tribunal, the Upper Tribunal and the Court of Appeal who may then refer any questions of EU law to the ECJ in a similar way to Schrems' case.

Correct.

salesforce.com posted the same.