EU bodies’ use of Amazon, Microsoft cloud services faces privacy probes

Announced measures to ensure privacy of EU communications "may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly," said Wojciech Wiewiórowski, the European Data Protection Supervisor (EDPS). [© European Union 2020 - Source : EP]

The European Commission and European Parliament’s use of cloud computing services provided by Amazon and Microsoft has prompted two EU privacy investigations over concerns about the transfer of personal data to the United States.

Data privacy came under scrutiny after revelations in 2013 by former US intelligence contractor Edward Snowden of mass US surveillance.

In response, Europe’s highest court last year rejected a transatlantic data transfer deal, known as the Privacy Shield, following a long-running dispute between Facebook and Austrian privacy activist Max Schrems.

EU privacy watchdog the European Data Protection Supervisor (EDPS) on Thursday (27 May) opened the investigations after identifying certain types of contracts between EU institutions and the two companies that require particular attention.

The investigations, one of which focuses on the use of Microsoft Office 365 by the European Commission, will look into whether the EU bodies comply with privacy rules and the Court judgment.

The EU watchdog said EU bodies were relying increasingly on cloud-based software and cloud infrastructure or platform services from large US providers governed by legislation that allows disproportionate surveillance activities by the US authorities.

“I am aware that the ‘Cloud II contracts’ were signed in early 2020 before the Schrems II Judgement and that both Amazon and Microsoft Web Services have announced new measures with the aim to align themselves with the judgment,” EDPS head Wojciech Wiewiorowski said in a statement.

“Nevertheless, these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly,” he said.

EU data watchdog 'strongly encourages' institutions to avoid US data transfers

The EU’s data protection watchdog has warned the bloc’s institutions that they should refrain from embarking on new activities that involve transferring personal data to the US, in the wake of a decision from the European Court of Justice earlier this year.

Market leader Amazon, Alphabet unit Google and Microsoft dominate the realm of data storage worldwide.

Microsoft said it was confident that it would be able to swiftly address any concerns.

“We’ve committed to challenge every government request for an EU public sector or commercial customer’s data where we have a lawful basis for doing so,” a spokeswoman said.

“And we will provide monetary compensation to our customers’ users if we disclose data in violation of the applicable privacy laws that causes harm,” she said.

Neither the Commission nor the Parliament responded to requests for comment.

EP's COVID website overrun with US web trackers, MEP raises data concerns

The European Parliament’s coronavirus test management website is overrun with user tracking requests, some of which are attempting to siphon data to US-based firms at a time in which the future of transatlantic data flows is far from clear.

Subscribe to our newsletters