The European Union’s (EU) privacy watchdog has opened two investigations into the use of US-based cloud services by European public sector organisations to see whether they are effectively protecting citizens’ personal data.
The first investigation by the European Data Protection Supervisor (EDPS) will look at the use of cloud services provided by Amazon Web Services (AWS) and Microsoft across the bloc’s public sector bodies and agencies under Cloud II contracts. The second will look specifically at the European Commission’s (EC) use of Microsoft Office 365.
The investigations form part of the EDPS’s strategy to ensure that European institutions are carrying out international data transfers in accordance with EU data protection law and complying with the Schrems II ruling, which struck down the EU-US data-sharing agreement Privacy Shield in July 2020.
The judgment found US surveillance laws meant the US did not offer privacy protections equivalent to those under EU law, ruling they were not proportionate and went beyond what was strictly necessary.
As part of its Schrems II compliance strategy, the EDPS ordered a variety of European institutions in October 2020 to report on their transfers of personal data to non-EU countries, and then analysed the responses.
The analysis confirmed that EU bodies are increasingly reliant on cloud-based software, infrastructure and platforms from large IT providers, some of which are based in the US and therefore subject to its intrusive surveillance laws.
The US Cloud Act, for example, passed in March 2018, effectively gives the US government access to any data held in the cloud by US corporations, wherever that data is stored, while Section 702 of the Foreign Intelligence Surveillance Act (FISA) allows the US attorney general and director of intelligence services to jointly authorise the targeted surveillance of people outside the US, as long as they are not US citizens.
“Following the outcome of the reporting exercise by the EU institutions and bodies, we identified certain types of contracts that require particular attention and this is why we have decided to launch these two investigations,” said EDPS chief Wojciech Wiewiórowski.
“I am aware that the Cloud II contracts were signed in early 2020 before the Schrems II judgment and that both Amazon and Microsoft have announced new measures with the aim to align themselves with the judgment. Nevertheless, these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly.”
Depending on the outcome of the investigations, EU bodies could be required to find alternative cloud service providers going forward.
According to a Microsoft spokesperson, the company will actively support EU institutions in answering the EDPS’s questions and is confident that any concerns will be swiftly addressed.
“Our approach to ensuring we comply with and exceed EU data protection requirements remains unchanged. As part of our Defending Your Data initiative, we’ve committed to challenge every government request for an EU public sector or commercial customer’s data where we have a lawful basis for doing so,” they said.
“We will provide monetary compensation to our customers’ users if we disclose data in violation of the applicable privacy laws that causes harm. We remain committed to responding to guidance from regulators and will continuously seek to strengthen customer privacy protections.”
While Microsoft has committed to creating an EU Data Boundary by the end of 2022, data protection experts have criticised the move as a tacit admission that data is routinely processed outside the bloc, and claim there is no feasible way it would prevent European citizens’ data from being transferred to the US, where the standard of protection is lower.
In the case of Amazon, which has committed to challenging law enforcement requests for data and only disclosing the minimum amount of data necessary when compelled to do so, a spokesperson said: “EU institutions are able to use AWS services in compliance with Schrems II requirements and we are happy to support our customers as they demonstrate this to the European Data Protection Supervisor.
“Our strengthened contractual commitments to protect customer data go beyond what’s required by the Schrems II ruling, building on our long track record of challenging law enforcement requests.”
On 4 June, organisations in Europe were given 18 months to introduce new data transfer agreements, known as standard contractual clauses (SCCs), to move data between Europe and other countries, including the US and potentially the UK, which will soon exist as a third country outside the bloc.
Revised SCCs provided by the European Commission (EC) include more robust protections to ensure that personal data transferred overseas is not disclosed to foreign governments and intelligence services, and specifically incorporate the requirements of the General Data Protection Regulation (GDPR).
“With these reinforced clauses, we are giving more safety and legal certainty to companies for data transfers,” said the EC’s European commissioner for justice, Didier Reynders. “After the Schrems II ruling, it was our duty and priority to come up with user-friendly tools, which companies can fully rely on. This package will significantly help companies to comply with the GDPR.”
Bridget Treacy and David Dumont, partners at law firm Hunton Andrews Kurth, said it was not yet clear whether European data protection regulators would agree that the SCCs were sufficient without companies introducing additional measures.
“It remains to be seen the extent to which the European Data Protection Board will consider the new SCCs to provide a sufficient level of protection, or whether regulators will require additional contractual, organisational, technical or other safeguards to be implemented,” they said in a written analysis.