The EDPS (European Data Protection Supervisor), the European privacy watchdog, hasĀ opened two investigations before the weekend into the use of Amazon Web Services (AWS) and Microsoft Azure cloud services by European Union institutions, bodies, and agencies (EUIs) under Cloud II contracts. Another investigation has been opened into the use of Microsoft Office 365 by the European Commission.
Individuals’ personal data is transmitted outside the EU and, in particular, to the United States as a result of various processing processes, particularly when using tools and services offered by these large cloud service providers.

āFollowing the outcome of the reporting exercise by the EU institutions and bodies, we identified certain types of contracts that require particular attention and this is why we have decided to launch these two investigations,ā said Wojciech Wiewiórowski, EDPS. āI am aware that the āCloud II contractsā were signed in early 2020 before the āSchrems IIā judgement and that both AWS and Microsoft Azure have announced new measures with the aim to align themselves with the judgement. Nevertheless, these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly.ā
Following the āSchrems IIā Judgement, the EDPS issued a strategic document on October 29, 2020, aimed at ensuring that European institutions, bodies, offices, and agencies (EUIs) are complying with the āSchrems IIā Judgement in relation to personal data transfers to third countries, particularly the United States. The purpose was to ensure that all current and future overseas transfers comply with EU data protection legislation. The EDPS has prepared an action plan in their strategy to streamline compliance and enforcement procedures by separating short-term and medium-term compliance actions.
Privacy and Data Protection: āLead by Exampleā
The first investigationās goal is to determine whether EUIs are complying with the ‘Schrems II’ decision while using cloud services provided by AWS and Microsoft Azure under the so-called āCloud II contractsā when data is moved to non-EU nations, particularly the United States.
The second inquiry into the usage of Microsoft Office 365 aims to ensure that the European Commission complies with the EDPSās earlier Recommendations on EUIsā use of Microsoft’s products and services.
āWe acknowledge that EUIs – like other entities in the EU/EEA – are dependent on a limited number of large providers,ā added Wojciech Wiewiórowski, EDPS. āWith these investigations, the EDPS aims to help EUIsĀ to improve their data protection compliance when negotiating contracts with their service provider.ā
When it comes to privacy and data protection, the EDPS believes that EUIs are well positioned to lead by example. The announced initiatives are part of a long-term collaboration between the EDPS and the EUIs to guarantee that these fundamental rights are well-protected.