Europe’s lead data protection regulator has opened two investigations into EU institutions’ use of cloud services from the U.S. cloud giants Amazon and Microsoft, under so-called Cloud II contracts inked earlier between European bodies, institutions and agencies and AWS and Microsoft.
A separate investigation has also been opened into the European Commission’s use of Microsoft Office 365 to assess compliance with earlier recommendations, the European Data Protection Supervisor (EDPS) said today.
Wojciech Wiewiórowski is probing the EU’s use of U.S. cloud services as part of a wider compliance strategy announced last October following a landmark ruling by the Court of Justice (CJEU), known as Schrems II, which struck down the EU-US Privacy Shield data transfer agreement and cast doubt on the viability of other data transfer mechanisms in cases where EU users’ personal data is flowing to third countries where it may be at risk from mass surveillance regimes.
In October, the EU’s chief privacy regulator asked the bloc’s institutions to report on their transfers of personal data to non-EU countries. This review confirmed that data is flowing to third countries, the EDPS said today, and that it is flowing to the U.S. in particular, as a result of EU bodies’ reliance on large cloud service providers (many of which are U.S.-based).
That’s hardly a surprise. But the next step could be very interesting, as the EDPS wants to determine whether these historic contracts (which were signed before the Schrems II ruling) align with the CJEU judgement or not.
Indeed, the EDPS warned today that they may not, which would then require EU bodies to find alternative cloud service providers going forward (probably ones located within the EU, to avoid any legal uncertainty). So this investigation could be the start of a regulator-induced migration in the EU away from U.S. cloud giants.
Commenting in a statement, Wiewiórowski said: “Following the outcome of the reporting exercise by the EU institutions and bodies, we identified certain types of contracts that require particular attention and this is why we have decided to launch these two investigations. I am aware that the ‘Cloud II contracts’ were signed in early 2020 before the ‘Schrems II’ judgement and that both Amazon and Microsoft have announced new measures with the aim to align themselves with the judgement. Nevertheless, these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly.”
Amazon and Microsoft have been contacted with questions regarding any specific measures they have applied to these Cloud II contracts with EU bodies.
Update: A Microsoft spokesperson has now sent this statement:
“We will actively support the EU institutions to answer questions raised by the European Data Protection Supervisor and are confident to address any concerns swiftly. Our approach to ensuring we comply with and exceed EU data protection requirements remains unchanged. As part of our Defending Your Data initiative we’ve committed to challenge every government request for an EU public sector or commercial customer’s data where we have a lawful basis for doing so. And we will provide monetary compensation to our customers’ users if we disclose data in violation of the applicable privacy laws that causes harm. We remain committed to responding to guidance from regulators and will continuously seek to strengthen customer privacy protections.”
The EDPS said it wants EU institutions to lead by example. And that seems important given how, despite a public warning from the European Data Protection Board (EDPB) last year, saying there would be no regulatory grace period for implementing the implications of the Schrems II judgement, there haven’t been any major data transfer fireworks yet.
The likely reason for that is a fair amount of head-in-the-sand response and/or superficial tweaks made to contracts in the hope of meeting the legal bar (but which haven’t yet been tested by regulatory scrutiny).
Final guidance from the EDPB is also still pending, although the Board put out detailed advice last fall.
The CJEU ruling made it plain that EU law in this area cannot simply be ignored. So as the bloc’s data regulators start scrutinizing contracts that are taking data out of the EU, some of these arrangements are, inevitably, going to be found wanting, and their associated data flows ordered to stop.
To wit: A long-running complaint against Facebook’s EU-US data transfers, filed by the eponymous Max Schrems, a long-time EU privacy campaigner and lawyer, all the way back in 2013, is slowly winding toward just such a possibility.
Last fall, following the Schrems II ruling, the Irish regulator gave Facebook a preliminary order to stop transferring Europeans’ data across the pond. Facebook sought to challenge that in the Irish courts but lost its attempt to block the proceeding earlier this month. So it could now face a suspension order within months.
How Facebook might respond is anyone’s guess, but Schrems suggested to TechCrunch last summer that the company will ultimately have to federate its service, storing EU users’ data inside the EU.
The Schrems II ruling does generally look like it will be good news for EU-based cloud service providers that can position themselves to solve the legal uncertainty issue (even if they aren’t as competitively priced and/or scalable as the dominant US-based cloud giants).
Fixing U.S. surveillance law, meanwhile, so that it gets independent oversight and accessible redress mechanisms for non-citizens in order to no longer be considered a threat to EU people’s data, as the CJEU judges have repeatedly found, is certainly likely to take a lot longer than ‘months’. If indeed the US authorities can ever be convinced of the need to reform their approach.
Still, if EU regulators finally start taking action on Schrems II, by ordering high-profile EU-US data transfers to stop, that might help focus US policymakers’ minds on surveillance reform. Otherwise local storage may be the new normal.