The European Data Protection Supervisor (EDPS), the European privacy watchdog, opened two investigations before the weekend: one into the use of Amazon Web Services (AWS) and Microsoft Azure cloud services by European Union institutions, bodies, and agencies (EUIs) under Cloud II contracts, and one into the use of Microsoft Office 365 by the European Commission.

Individuals’ personal data is transferred outside the EU, and in particular to the United States, as a result of various processing operations, especially when EUIs use tools and services offered by these large cloud service providers.

“Following the outcome of the reporting exercise by the EU institutions and bodies, we identified certain types of contracts that require particular attention and this is why we have decided to launch these two investigations,” said Wojciech Wiewiórowski, EDPS. “I am aware that the ‘Cloud II contracts’ were signed in early 2020 before the ‘Schrems II’ judgement and that both AWS and Microsoft Azure have announced new measures with the aim to align themselves with the judgement. Nevertheless, these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly.”

Following the ‘Schrems II’ judgement, the EDPS issued a strategy document on October 29, 2020, aimed at ensuring that European institutions, bodies, offices, and agencies (EUIs) comply with the judgement in relation to personal data transfers to third countries, particularly the United States. The purpose was to ensure that all current and future overseas transfers comply with EU data protection legislation. As part of that strategy, the EDPS prepared an action plan to streamline compliance and enforcement procedures by separating short-term and medium-term compliance actions.

Privacy and Data Protection: ‘Lead by Example’

The first investigation’s goal is to determine whether EUIs comply with the ‘Schrems II’ judgement when they use cloud services provided by AWS and Microsoft Azure under the so-called ‘Cloud II contracts’ and data is transferred to non-EU countries, particularly the United States.

The second inquiry into the usage of Microsoft Office 365 aims to ensure that the European Commission complies with the EDPS’s earlier Recommendations on EUIs’ use of Microsoft’s products and services.

“We acknowledge that EUIs – like other entities in the EU/EEA – are dependent on a limited number of large providers,” added Wojciech Wiewiórowski, EDPS. “With these investigations, the EDPS aims to help EUIs to improve their data protection compliance when negotiating contracts with their service provider.”

When it comes to privacy and data protection, the EDPS believes that EUIs are well positioned to lead by example. The announced initiatives are part of a long-term collaboration between the EDPS and the EUIs to guarantee that these fundamental rights are well-protected.