EU privacy watchdog the European Data Protection Supervisor (EDPS) has started examining whether the bloc’s top institutions and agencies are effectively protecting citizens’ personal data when using Amazon’s AWS and Microsoft’s Azure cloud services.
In a separate investigation, the EDPS will also probe whether the European Commission’s use of Microsoft Office 365 is compliant with data protection laws.
The EDPS announced the launch of both inquiries in relation to the Schrems II ruling that occurred last summer and which introduced new obstacles to the transfer of personal data between the US – where Amazon and Microsoft are based – and the EU.
In the ruling, the EU Court of Justice concluded that national laws in the US did not match the stringent data protection requirements established by the bloc’s General Data Protection Regulation (GDPR), meaning that without additional safeguards, the personal data of EU citizens cannot be safely processed across the Atlantic.
For example, under the Clarifying Lawful Overseas Use of Data Act (CLOUD), US authorities are allowed to require national storage providers to give them access to information held on their servers, even if that data is located overseas.
An EU-based organization using a US-based cloud provider like AWS or Azure, therefore, might find that some of their data – including personal data about customers or employees, for example – can potentially be made available for US authorities to snoop on.
This is why the EU’s Court of Justice invalidated the scheme that was in place to enable personal data to flow freely between the bloc and the US, called the Privacy Shield, and ruled that instead, organizations will have to implement new privacy-protecting contracts, called Standard Contractual Clauses (SCCs) for each data transfer.
In some cases where even SCCs are insufficient, the data exchange can be suspended.
The EDPS, an independent organization that monitors the processing of personal data by EU institutions, has been closely watching the impact of Schrems II on some of the contracts that tie European offices and agencies to tech companies in the US.
“We identified certain types of contracts that require particular attention and this is why we have decided to launch these two investigations,” said Wojciech Wiewiórowski, the European Data Protection Supervisor.
“We acknowledge that EUIs (European Union Institutions) – like other entities in the EU/EEA – are dependent on a limited number of large providers. With these investigations, the EDPS aims to help EUIs to improve their data protection compliance when negotiating contracts with their service provider.”
In particular, the privacy watchdog will be looking at so-called “Cloud II” contracts agreed between the EU and Microsoft or Amazon for the use of their cloud services.
When EUIs use Azure and AWS, in effect, individuals’ personal information can be sent outside of the EU and to the US, and unless appropriate GDPR-compliant measures are taken to protect the data transfer, there is a risk of surveillance from the authorities.
In other words, the EDPS will now be checking whether these GDPR-compliant measures are being taken by institutions in the bloc.
“We will actively support the EU institutions to answer questions raised by the European Data Protection Supervisor and are confident to address any concerns swiftly,” a Microsoft spokesperson told . “We remain committed to responding to guidance from regulators and will continuously seek to strengthen customer privacy protections.” AWS did not respond to a request for comment.
The privacy threats posed by the reliance on foreign ICT providers’ cloud services have long been flagged by the EDPS: as early as 2018, the privacy watchdog published guidelines for EU institutions that highlighted EUIs’ responsibility in ensuring the protection of personal data in cloud infrastructure.
The message has not gone unheard. Recently, the European Data Protection Board validated the use of a new “EU Cloud Code of Conduct”, which acts as a standard certifying that a given cloud service provider is GDPR-compliant. Microsoft Azure and Google Cloud, among others, have already declared adherence to the code of conduct.
What’s more: since the Schrems II ruling, cloud providers have come forward to announce changes to their policy to better comply with GDPR restrictions. Both Microsoft and Amazon have promised to contest government requests for access to customer data when they are able to. When required by law, Amazon also committed to disclose the minimum amount necessary of information, while Microsoft said that it would provide monetary compensation to the customers affected.
Microsoft has even gone one step further by pledging to enable EU customers to store and process most of their data within the EU by the end of 2022, meaning that personal data wouldn’t even need to be sent to the US anymore.
Wiewiórowski recognized that both companies have made amends, but nevertheless said that the announced measures might not be sufficient to ensure full compliance with EU data protection law, and still require a proper investigation.
“It’s not just about law – it’s also about ethics. There are many social and economic issues that come with relying on only a handful of corporations for your critical infrastructure. If they don’t comply to the rules, then your privacy will never be protected,” Subhajit Basu, associate professor of information technology law at the University of Leeds, told .
But there is also a political dimension to the new investigations, according to Basu. The EU is increasingly keen to re-assert the bloc’s “digital sovereignty”, especially when it comes to data infrastructure and cloud services.
The majority of the European cloud market, in effect, is controlled by non-European hyperscalers, with recent research showing that more than half of decision makers on the continent use AWS, Microsoft Azure, IBM Cloud and Google Cloud.
In an attempt to re-gain control over the bloc’s digital infrastructure, EU leaders are trying to develop a homegrown cloud initiative called GAIA-X, which will adhere to European principles of data protection and transparency – but the project is stalling, and still remains far behind US-based cloud behemoths.
“This is about the future of cloud services, and making sure that the EU has its share in the pie of cloud business,” says Basu. “The whole world is in the cloud nowadays, showing the importance of having a cloud infrastructure.”
In addition to probing EUIs’ use of US-based cloud services, the EDPS is also investigating the European Commission’s use of Microsoft Office 365 – another sticking point for the privacy watchdog, given that over 45,000 staff of EU institutions are users of the Redmond giant’s products and services.
Last year, the EDPS published a first set of recommendations related to the use of Microsoft’s suite, including the imperative of knowing exactly where data is located, what information is transferred out of the EU and whether it is protected by proper safeguards.
For Basu, the move falls in line with both the primary objective of better protecting EU citizens’ privacy, and the underlying goal of re-establishing the bloc’s digital sovereignty and control over the personal data of its residents.
“What surprises me is it’s taken the EDPS this long to launch an investigation,” says Basu. “This is good for EU citizens, but it was needed and it should have been done before.”