The European Data Protection Supervisor (EDPS) has opened a couple of investigations regarding the use of Amazon’s and Microsoft’s cloud services by European Union institutions and agencies and regarding the use of Microsoft 365 by the European Commission.
The two parallel investigations will look into whether the use of these cloud services by the European Commission and by European Union agencies are in line with European data protection law, namely the GDPR, considering the European Court of Justice had previously invalidated the EU-US Privacy Shield that enabled the transfer of EU data to the United States.
EDPS said that European Union institutions, bodies and agencies (EUIs) are increasingly relying on cloud-based software and cloud infrastructure or platform services from large ICT providers, some of which are based in the United States and are subject to disproportionate surveillance activities by the US authorities.
The use of tools and services offered by large service providers based in the United States is enabling the transfer of EU citizens’ personal data to the United States. This enables the US government to allow federal agencies to access such data at will through the use of intrusive legislations, EDPS said.
“Following the outcome of the reporting exercise by the EU institutions and bodies, we identified certain types of contracts that require particular attention and this is why we have decided to launch these two investigations. I am aware that the “Cloud II contracts” were signed in early 2020 before the “Schrems II” judgment and that both Amazon and Microsoft have announced new measures with the aim to align themselves with the judgment. Nevertheless, these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly,” said Wojciech Wiewiórowski, the European Data Protection Supervisor.
“We acknowledge that EUIs – like other entities in the EU/EEA – are dependent on a limited number of large providers. With these investigations, the EDPS aims to help EUIs to improve their data protection compliance when negotiating contracts with their service provider,” he added.
The EU- U.S. Privacy Shield, which allowed the transfer of personal data between the two regions, was invalidated by the European Court of Justice in July last year which held that personal data protection and its judicial protection in the U.S. is not as per requirements of EU law.
The court noted that the personal data of EU citizens can be processed outside the European Union only if a country has data protection rules and regulations that are essentially equivalent to those required under EU law. However, in the case of the United States, there is no such equivalence as the scope of surveillance programmes is not limited to what is strictly necessary.
It added that the limitations on the protection of personal data from the access and use by U.S. public authorities do not place any limitations on the power they confer to implement surveillance programmes and also do not offer any guarantees to potentially targeted non-U.S. persons.