The European Data Protection Supervisor (EDPS) has started to examine whether the bloc's main institutions and agencies effectively protect citizens' personal data when they use the cloud services AWS from Amazon and Azure from Microsoft. In a separate investigation, the same body must also analyze whether the European Commission's use of Microsoft Office 365 complies with data protection laws.
Both investigations are a response to the Schrems II ruling of summer 2020, which introduced new obstacles to the transfer of personal data between the United States, where Amazon and Microsoft are headquartered, and the European Union.
The US could access private data stored in the cloud
The privacy watchdog will examine the so-called "Cloud II" contracts agreed between the EU and Microsoft or Amazon for the use of their cloud services. Wojciech Wiewiórowski, the European Data Protection Supervisor, has clarified that "when the Institutions of the European Union use Azure and AWS, the personal information of individuals can be sent to the United States."
He adds that, unless appropriate measures are taken under the General Data Protection Regulation (GDPR) to protect the transfer of data, there is a risk of surveillance by the authorities.
The investigation will analyze whether an EU-based organization using a US-based cloud service provider such as AWS or Azure could find that some of its data, including the personal data of customers or employees, for example, may be available for the US authorities to access, according to ZDNet.
In addition to the cloud, Microsoft Office 365 will also be investigated. The stated purpose of this second investigation is to verify the European Commission's compliance with the recommendations previously issued by the EDPS on the use of Microsoft products and services by the institutions of the European Union. Brussels has not given more specific information in this regard. What does stand out is that 45,000 employees of the EU institutions are users of the products and services of the Redmond giant.
"We have identified certain types of contracts that require special attention and that is why we have decided to launch these two investigations," Wiewiórowski clarified.
What does European justice say about data protection laws in the US?
It should be remembered that, in its judgment of July 2020, the Court of Justice of the EU (CJEU) concluded that the national laws of the USA did not comply with the strict data protection requirements established by the EU's General Data Protection Regulation (GDPR). This means that, without additional protection measures, the personal data of EU citizens cannot be processed securely in the United States.
It all started with a claim from Maximilian Schrems, an Austrian Facebook user. He argued that his data on the social network should not be transferred, considering that the United States does not offer sufficient privacy guarantees. After several judicial decisions by different bodies, the Court of Justice finally declared that the so-called 'Privacy Shield' is not valid.
Under the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), US authorities are authorized to require storage providers based in their country to give them access to the information contained on their servers, even if that data is located abroad.
The EDPS, an independent organization that oversees the processing of personal data by the EU institutions, closely observed the impact of Schrems II on some of the contracts that bind European offices and agencies to US tech companies before starting this investigation.
It recognizes that the institutions "depend on a limited number of large providers." With these investigations, the EDPS intends to help the EU institutions improve compliance with data protection when negotiating contracts with their service providers.
As he explains, when the EU institutions use Azure and AWS, the personal information of individuals can be sent outside the EU and to the United States, and unless appropriate measures that comply with the GDPR are taken to protect the transfer of data, there is a risk of surveillance by the authorities. In other words, the EDPS will now check whether the institutions of the bloc adopt these measures in accordance with the GDPR.
While the investigation's conclusions are pending, this could be an opportunity for companies from European Union countries that offer cloud services and that have joined the GAIA-X initiative, on which the European Union has also bet.