On 27th May the European Data Protection Supervisor (EDPS) launched two investigations which will examine 1) the use of AWS and Microsoft cloud services by EU institutions and 2) the use of Microsoft 365 by the EU Commission. The investigations are part of a wider strategy published by the EDPS in October 2020 which aims to provide a clear roadmap for EU institutions in complying with the GDPR & "Schrems II" ruling.
The EDPS has recognised EU institutions' increased reliance on the use of cloud services from large tech companies, many of these being based in the US. This has come to light following a data mapping and reporting exercise which was undertaken last year, which highlighted the diverse processing activities being undertaken by EU institutions and the prevalence of controller to processor arrangements where data was being sent to the US without appropriate contractual, organisational or technical protections.
Following the Schrems II judgment, it is clear that personal data can only be transferred outside the EU where it can be demonstrated that 'essentially equivalent' protections to the EU are afforded to data subjects following the transfer. The Court of Justice of the European Union (CJEU) invalidated the Privacy Shield framework as a mechanism for transferring data to the US and took particular issue with US surveillance programmes which it deemed invasive and disproportionate.
These investigations highlight the EDPS' desire that EU institutions lead from the front on data protection and has led some commentators to believe that a move away from the use of US based cloud providers is on the horizon or even an eventual reform of US surveillance law. In response, AWS and Microsoft have both issued statements pointing to their commitment to meet and exceed privacy standards.
We await the outcome of the investigations to establish whether EU institutions and the tech giants can provide suitable protections to satisfy the EDPS' concerns and for (long-awaited) advice on how companies are supposed to manage data transfers in the post-Shrems landscape.
