> which is the case both for Shopify and here - automatically disqualifies you from being GDPR-compliant:
It doesn't automatically disqualify you. No reason to spread this FUD. From your article:
> The Chamber found that, contrary to what Company A stated in their offer, it did disclose customer data to a third party. More specifically, it disclosed customer data to a third party in a third country (its parent company in the U.S.). Therefore, a transfer pursuant to Article 44 GDPR would take place. The Chamber explained that a transfer in this context must also be assumed when data can be accessed from a third country, regardless of whether this actually takes place. The fact that the physical location of the server that provided such access was located in the EU was irrelevant.
So, no, from a blanket perspective using AWS doesn't automatically disqualify you from GDPR, but it may have implications based on how you transfer the data.
EDIT: To add, as part of Article 44 of GDPR:
> Under Article 44 GDPR, the transfer (or the onward transfer) shall only take place “subject to the other provisions of this Regulation”. As a result, data controllers or processors exporting personal data to third countries or international organisations must ensure the GDPR compliance of the overall processing activity.
So, if AWS follows GDPR compliance in the US (which as a default AWS US does) and you transfer from EU to US, then you can still achieve GDPR compliance. The reason this was thrown out: https://gdprhub.eu/index.php?title=VK_Baden-W%C3%BCrttemberg... was because the company said "that it would not disclose customer data to any third party", but when they reviewed the case they found out that because a parent company. So they are not GDPR compliant because they failed to disclose that data would transfer to AWS US, NOT that they are using AWS. This is the discrepancy. Lesson learned here - GDPR is more about process control than it is technology.
FYI - that case appears to be a public trading company that is owned by the public serving the government. It seems clear to me that they wanted to send a message of "hey just don't use any US-based company for your services to German government services, here's how we're legally going to penalize you for it". This would be like having an "American first" policy for gov't procurement and making sure TenCent's US based wholly owned entity can't do business with the US gov't.
That "disclose customer data to a third party" violates article 44 of the GDPR if there's no matching exemption to allow it. One possible exemption would be if the recipient is also bound by the GDPR. But obviously, the US government is not bound by GDPR. So anything that would allow the US CLOUD act to access an EU customer's data is a GDPR violation.
"So anything that would allow the US CLOUD act to access a EU customer's data is a GDPR violation"
Which is essentially the argument and is a huge legal grey area right now.
Similar situation here:
The EU’s data protection supervisor (EDPS), which oversees the bloc’s own institutions’ GDPR compliance, has been looking into the European Commission’s use of Microsoft Office 365 since May last year — as well as probing EU bodies’ use of Amazon’s cloud services.
The European Data Protection Board (EDPB) also kicked off a related coordinated enforcement action in February that it said would focus on the public sector’s use of cloud services — which it said would take about a year to report, with the aim for the action to harmonize regulatory interventions in this area.[0]
As you can see, nothing has happened yet and this is all still evolving. It seems pretty clear that the EU is using GDPR as a political wedge to drive business back to their countries (despite companies in those countries clearly having a desire to continue to use those products and services). Again, it's not as black and white as you are making it out to be - it's still being fought.
This has to do with the transfer of data from the EEA region to the US, which AWS covers: https://aws.amazon.com/compliance/gdpr-center/#GDPR_FAQs