EU Probes US Cloud Services - AWS, Microsoft Privacy Concerns

May 27, 2021
Investigations Launched into EU Institutions’ Cloud Service Usage

The primary data protection authority in Europe has initiated two investigations concerning the utilization of cloud services provided by major U.S. companies, Amazon and Microsoft, by EU institutions. These investigations center around contracts – known as Cloud II agreements – established between European organizations and these cloud providers, AWS and Microsoft.

Commission’s Office 365 Use Also Under Review

In addition to the Cloud II contract investigations, a separate inquiry has been commenced to evaluate the European Commission’s employment of Microsoft Office 365. This assessment aims to verify adherence to previously issued recommendations, as stated by the European Data Protection Supervisor (EDPS) today.

Context: The Schrems II Ruling and Data Transfers

Wojciech Wiewiórowski is overseeing the EU’s adoption of U.S. cloud services as part of a broader strategy to ensure compliance. This strategy was announced last October in the wake of a pivotal decision by the Court of Justice of the European Union (CJEU) – commonly referred to as Schrems II. This ruling invalidated the EU-US Privacy Shield agreement and raised concerns about the legitimacy of other data transfer mechanisms when personal data of EU citizens is sent to countries potentially subject to extensive surveillance practices.

Last October, the EU’s leading privacy regulator requested that all bloc institutions submit reports detailing their transfers of personal data to nations outside the EU. The EDPS confirmed today that this analysis revealed ongoing data flows to third countries, particularly to the U.S. This is largely due to EU bodies’ reliance on large-scale cloud service providers, many of which are headquartered in the United States.

Examining Existing Contracts

This outcome is not unexpected. However, the subsequent phase could prove significant, as the EDPS intends to ascertain whether existing contracts – those signed prior to the Schrems II ruling – are consistent with the CJEU’s judgement.

The EDPS cautioned today that these contracts may not align with the ruling, potentially necessitating EU bodies to seek alternative cloud service providers. These alternatives would likely be based within the EU, mitigating legal uncertainties. Consequently, this investigation could trigger a shift away from U.S. cloud giants within the EU.

Statement from the EDPS

In a released statement, Wiewiórowski explained: “The reporting exercise conducted by EU institutions and bodies highlighted specific contract types requiring focused attention, leading to the launch of these two investigations. I recognize that the ‘Cloud II contracts’ were finalized in early 2020, before the ‘Schrems II’ judgement, and that both Amazon and Microsoft have announced new measures to align with the judgement. However, these measures may not be sufficient to guarantee full compliance with EU data protection legislation, thus necessitating a thorough investigation.”

Requests for comment have been directed to Amazon and Microsoft regarding any specific adjustments made to these Cloud II contracts with EU bodies.

Update: A statement has been received from a Microsoft spokesperson.

Update II: Amazon has also provided a statement.

EU Institutions Expected to Lead by Example

The EDPS emphasized the importance of EU institutions setting a precedent. This is particularly relevant considering that, despite a warning from the European Data Protection Board (EDPB) last year – indicating no regulatory leniency in implementing the Schrems II implications – there has been no substantial disruption to data transfers.

Potential for Superficial Compliance

The likely explanation is a degree of inaction or the implementation of only minor contract modifications, hoping to satisfy legal requirements without facing rigorous regulatory review.

Detailed guidance from the EDPB is still forthcoming, although preliminary advice was issued last fall.

CJEU Ruling Requires Action

The CJEU ruling unequivocally stated that EU law in this domain cannot be disregarded. As data regulators within the bloc begin to scrutinize contracts involving data transfers outside the EU, some arrangements will inevitably be deemed insufficient, leading to the cessation of associated data flows.

Facebook Data Transfers Under Scrutiny

A protracted complaint against Facebook’s EU-US data transfers – initially filed in 2013 by Max Schrems, a prominent EU privacy advocate and lawyer – is nearing a similar outcome.

Following the Schrems II ruling, the Irish regulator issued a preliminary order to Facebook to halt the transfer of European users’ data to the U.S. Facebook challenged this order in Irish courts but failed to prevent the proceedings earlier this month. A suspension order could be issued within months.

Potential Responses and EU-Based Alternatives

Schrems suggested last summer that Facebook may ultimately need to segment its service, storing data of EU users within the EU.

The Schrems II ruling is generally anticipated to benefit EU-based cloud service providers, who can offer solutions to address the legal uncertainties, even if they may not match the scalability or cost-effectiveness of their U.S. counterparts.

U.S. Surveillance Law Reform Needed

Addressing U.S. surveillance laws – to ensure independent oversight and accessible redress for non-citizens, thereby eliminating the perceived threat to EU citizens’ data – will likely take considerably longer than ‘months’. This is contingent on whether U.S. authorities can be persuaded to reform their approach.

However, if EU regulators begin to enforce Schrems II by halting prominent EU-US data transfers, it may encourage U.S. policymakers to prioritize surveillance reform. Otherwise, local data storage may become the prevailing standard.

Tags: EU, AWS, Microsoft, cloud services, data privacy, GDPR