
Amazon GDPR Violation, EU Fine: Big Data Privacy Reminder for MSPs, CSPs

Amazon.com, parent of AWS, faces a record $886.6 million fine from the European Union for allegedly violating GDPR (General Data Protection Regulation) rules. The fine, which Amazon plans to appeal, represents a strong data privacy and compliance reminder to MSPs and CSPs worldwide that manage data within and across Europe.

The Luxembourg National Commission for Data Protection (CNPD) imposed the fine in a July 16 decision, Amazon disclosed in a regulatory filing on July 30, 2021, Reuters reported.

GDPR applies to organizations worldwide that handle the personal data of individuals in the European Union (EU), regardless of where the organization itself is located. GDPR is designed to empower people within the EU to control who has access to their personal data, including personally identifiable information such as a name, photo, email address, social media posts, or their computer's IP address, as Barracuda MSP explained in a ChannelE2E blog post.

Penalties for not complying with GDPR can be severe and apply to both processors and controllers. The maximum fine is 4 percent of annual global turnover or 20 million Euros, whichever is greater, for serious infractions such as processing personal data without a lawful basis (for example, without valid consent). A lower tier exists for less severe violations, capped at 2 percent of annual global turnover or 10 million Euros, whichever is greater, for failures such as not keeping processing records in order or not properly notifying a data breach.

Amazon Web Services announced GDPR compliance for its services in 2018, shortly before the regulation began to apply on May 25, 2018. Amazon did not say whether the CNPD fine involves Amazon's e-commerce or cloud business, or some other operation within the company.

GDPR Compliance Requirements Explained

Although GDPR contains a long and complex list of requirements, most commentators say the mandate boils down to four key obligations for organizations that handle personal data:

  1. Breach Notification: A personal data breach must be reported to the relevant supervisory authority within 72 hours of the organization first becoming aware of it, unless the breach is unlikely to result in a risk to the individuals affected. Where the risk to individuals is high, the affected individuals must also be informed without undue delay.
  2. Right to Access: Organizations must describe how they collect and use personal data, and why. Individuals can also request a copy of their data free of charge, and the organization must respond within one month (extendable by up to two further months for complex or numerous requests).
  3. Right to Be Forgotten (Right to Erasure): An individual can request that an organization erase the personal data it holds about them, subject to limited exceptions such as a legal obligation to retain the data.
  4. Data Portability: An individual must be able to obtain their data in a structured, commonly used, machine-readable format and transfer it to another provider.

GDPR Compliance: Implications for MSPs, CSPs Worldwide

MSPs, CSPs (cloud service providers) and channel partners that handle any type of personal data pertaining to individuals in the EU need to comply with GDPR. Moreover, organizations that aren't compliant may lose business to competitors that are prepared to appropriately handle or store data on behalf of clients that do business in the EU, as the Barracuda blog pointed out in 2017.

Fast forward to the present day, and Amazon finds itself in a legal dispute with the Luxembourg data protection authority, appealing an $886.6 million fine for an alleged GDPR lapse. Channel partners worldwide should take note and double-check their own GDPR compliance efforts, including their data processing agreements with clients, their breach notification procedures, and their ability to fulfil access, erasure and portability requests within the required timeframes.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.