[mbesto]

> I believe using Amazon AWS already disqualifies you from being fully GDPR-compliant.

AFRIK - There is nowhere in GDPR that says your data ought to reside in EU server per GDPR.

However, if I understand the Shopify legality complaint it's saying "because your data is hosted by a US entity and theoretically could be accessed by the US authorities it means the US authorities are now part of the data custody and you can't guarantee that they also have that data". That's a legal grey area with a lot of political ramifications.

According to Shopify this doesn't make it illegal: https://www.shopify.com/de/blog/shopify-dsgvo-konform-deutsc...

[fxtentacle]

Yeah, according to Shopify.

According to a German court, a US parent company being able to access your data - which is the case both for Shopify and here - automatically disqualifies you from being GDPR-compliant: https://gdprhub.eu/index.php?title=VK_Baden-W%C3%BCrttemberg...

[mbesto]

> which is the case both for Shopify and here - automatically disqualifies you from being GDPR-compliant:

It doesn't automatically disqualify you. No reason to spread this FUD. From your article:

> The Chamber found that, contrary to what Company A stated in their offer, it did disclose customer data to a third party. More specifically, it disclosed customer data to a third party in a third country (its parent company in the U.S.). Therefore, a transfer pursuant to Article 44 GDPR would take place. The Chamber explained that a transfer in this context must also be assumed when data can be accessed from a third country, regardless of whether this actually takes place. The fact that the physical location of the server that provided such access was located in the EU was irrelevant.

This has to do with the transfer of data from the EEA region to the US, which AWS covers: https://aws.amazon.com/compliance/gdpr-center/#GDPR_FAQs

So, no, from a blanket perspective using AWS doesn't automatically disqualify you from GDPR, but it may have implications based on how you transfer the data.

EDIT: To add, as part of Article 44 of GDPR:

> Under Article 44 GDPR, the transfer (or the onward transfer) shall only take place “subject to the other provisions of this Regulation”. As a result, data controllers or processors exporting personal data to third countries or international organisations must ensure the GDPR compliance of the overall processing activity.

So, if AWS follows GDPR compliance in the US (which as a default AWS US does) and you transfer from EU to US, then you can still achieve GDPR compliance. The reason this was thrown out: https://gdprhub.eu/index.php?title=VK_Baden-W%C3%BCrttemberg... was because the company said "that it would not disclose customer data to any third party", but when they reviewed the case they found out that because a parent company. So they are not GDPR compliant because they failed to disclose that data would transfer to AWS US, NOT that they are using AWS. This is the discrepancy. Lesson learned here - GPDR is more about process control than it is technology.

FYI - that case appears to be a public trading company that is owned by the public serving the government. It seems clear to me that they wanted to send a message of "hey just don't use any US-based company for your services to German government services, here's how we're legally going to penalize you for it". This would be like having an "American first" policy for gov't procurement and making sure TenCent's US based wholly owned entity can't do business with the US gov't.

[fxtentacle]

That "disclose customer data to a third party" violates article 44 of the GDPR if there's no matching exemption to allow it. One possible exemption would be if the recipient is also bound by the GDPR. But obviously, the US government is not bound by GDPR. So anything that would allow the US CLOUD act to access a EU customer's data is a GDPR violation.

[mbesto]

"So anything that would allow the US CLOUD act to access a EU customer's data is a GDPR violation"

Which is essentially the argument and is a huge legal grey area right now.

Similar situation here:

The EU’s data protection supervisor (EDPS), which oversees the bloc’s own institutions’ GDPR compliance, has been looking into the European Commission’s use of Microsoft Office 365 since May last year — as well as probing EU bodies’ use of Amazon’s cloud services.

The European Data Protection Board (EDPB) also kicked off a related coordinated enforcement action in February that it said would focus on the public sector’s use of cloud services — which it said would take about a year to report, with the aim for the action to harmonize regulatory interventions in this area.[0]

As you can see, nothing has happened yet and this is all still evolving. It seems pretty clear that the EU is using GDPR as a political wedge to drive business back to their countries (despite company's in those countries clearly having a desire to continue to use those products and services). Again, it's not as black and white as you are making it out to be - it's still be fought.

[0] - https://techcrunch.com/2022/11/28/microsoft-365-faces-darken...