Following the Schrems II judgment, the European Data Protection Supervisor launched two investigations against Amazon and Microsoft.
On May 27, 2021, the European Data Protection Supervisor (EDPS) launched two investigations into the use of the cloud services of Amazon and Microsoft, AWS and Microsoft Azure. The EDPS is also scrutinizing the use of the Microsoft 365 office suite by various EU bodies and institutions. The two investigations must determine whether transfers of personal data outside the EU comply with EU law.
“We have identified certain types of contracts that require special attention and that is why we have launched these two investigations,” said Wojciech Wiewiórowski, the European Data Protection Supervisor, in a press release.
The first investigation by the EDPS aims to verify the compliance of the European institutions with the Schrems II judgment. The second inspects the use of Microsoft Office 365 and the follow-up given to the recommendations issued by the EDPS. Both come in the wake of the Schrems II judgment of July 16, 2020. The following October, the EDPS ordered the European institutions to report their data transfers to third countries. A lot of European data is processed abroad, particularly in the United States.
Investigations following the Schrems II judgment
Wojciech Wiewiórowski acknowledges certain measures taken by GAFAM to guarantee better data protection, but he considers them insufficient. “These announced measures may not ensure full compliance with EU data protection law,” says the European Data Protection Supervisor.
A Microsoft spokesperson says the company is taking the EDPS's action into consideration. “We will actively support the EU institutions to respond to the questions raised by the European Data Protection Supervisor and we are certain to respond quickly to any concerns,” a Microsoft spokesperson told ZDNet. Amazon did not respond to requests for comment from the media.
The Schrems II judgment followed a lawsuit brought by lawyer and privacy activist Max Schrems against Facebook before the European courts. The judgment considers that the level of protection of personal data in the United States is not equivalent to that of the EU. It does not offer guarantees equivalent to the General Data Protection Regulation (GDPR). Indeed, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) allows American law enforcement and intelligence agencies to access data held by US telecom operators and cloud service providers, regardless of where the data is stored. The Privacy Shield, which allowed the transfer of European data to the United States, was thus invalidated. Therefore, European data processed in the United States no longer has any legal basis.
In early 2020, before the Schrems II judgment, cloud service contracts, called “Cloud II”, were concluded between AWS, Microsoft Azure and the European Union. In addition, the European Commission uses the Microsoft 365 suite. With the Schrems II judgment, a great deal of data is left in a legal grey area, or even a legal void, as regards its protection. With the development of cloud services and the imminent arrival of the Internet of Things (IoT), these issues are growing.