The European Data Protection Supervisor (EDPS) has launched an inquiry into the use of Amazon Web Services (AWS) and Microsoft’s cloud services by the European Union (EU) institutions, bodies, offices and agencies (EUI) under the Cloud II agreements.
It has also begun to look at the use of Microsoft Office 365 in the European Commission.
These studies are part of the EDPS’s strategy to ensure that the EU institutions comply with the Schrems II judgment, with ongoing and future international transfers being carried out in accordance with EU data protection law.
In line with this strategy, the EDPS instructed the EUI in October 2020 to report on transfers of personal data to non-EU countries. The EDPS's analysis shows that due to the different processing operations, in particular when using tools and services provided by large service providers, personal data of individuals are transferred outside the EU and in particular to the United States (US).
The EDPS's analysis also confirms that EUIs are increasingly relying on cloud-based software and cloud infrastructures or platform services from large ICT providers, some of which are based in the US and therefore subject to legislation that allows disproportionate controls by US authorities under Schrems II.
Wojciech Wiewiórowski, European Data Protection Supervisor, said: “As a result of the reporting results of the EU institutions and bodies, we have identified certain types of agreements that require special attention, and we have therefore decided to launch these two inquiries.
“I am aware that the ‘Cloud II agreements’ were signed in early 2020 before the Schrems II judgment and that both Amazon and Microsoft have announced new measures to harmonize the judgment. However, these notified measures may not be sufficient to ensure full compliance with EU data protection law, and it is therefore necessary to examine this properly.”
The first study aims to assess EU compliance with the Schrems II judgment when using Amazon Web Services and Microsoft’s cloud services under so-called Cloud II agreements when transferring data to non-EU countries, in particular the United States.
The second study on the use of Microsoft Office 365 aims to ensure that the European Commission follows previous recommendations from the European Data Protection Supervisor on the use of Microsoft products and services in intra-EU data.
Wiewiórowski said: “We recognize that EUIs – like other EU/EEA entities – are dependent on a limited number of large service providers. Through these studies, the EDPS seeks to help the EUI improve its data protection requirements when negotiating agreements with its service provider.”
The EDPS believes that the EUI is well placed to lead by example in terms of privacy and data protection. The announced steps are part of the ongoing cooperation between the EDPS and the EUI to ensure a high level of protection of these fundamental rights.