EU Data Protection Officer Initiates Proceedings against Institutions of the European Union for using Amazon AWS and Microsoft Office 365
Update Data Protection No. 97
Since the European Court of Justice declared the EU-US Privacy Shield as an invalid legal basis for the transfer of personal data to the US, stipulating increased requirements for the use of the EU standard contractual clauses in July 2020 (C-311/18, 'Schrems II'), uncertainty has been rife within many companies: a legally compliant data transfer to the USA on the basis of the Privacy Shield is no longer possible and the new EU standard contractual clauses announced in November 2020 have still not yet been adopted by the EU Commission (see our report). A clearly legally compliant solution for the use of US cloud services such as Microsoft Office 365, Amazon AWS, Salesforce, Google & Co. is therefore not possible today even if the servers in question are located within the EU (see the interview with the state data protection officer in Baden-Württemberg). However, not only companies have this problem, but also the institutions of the European Union, as they also use Microsoft Office, for example.
The controller responsible for the data protection control of these institutions, EU data protection officer Wojciech Wiewiórowski, announced in a press release dated 27.05.2021 that two proceedings will be initiated to check compliance with EU law when using US cloud services.
- The first procedure concerns the use of Amazon AWS and Microsoft services by EU institutions on the basis of the so-called 'Cloud II contracts'. These enable a simplified procurement process with regard to cloud services and establish standards for technical and legal cloud use (especially for third-country transfers). These standards were established at the beginning of 2020 and, in the opinion of the EU data protection officer, require review and amendment following the above ECJ decision of July 2020.
- The second procedure concerns the specific use of Microsoft Office 365 by the EU Commission itself. The European Data Protection Board (an association of representatives of the national data protection authorities in the EU) adopted, in a document of 29 pages, distinct specifications for the use of Microsoft products by EU institutions on 02.07.2020 (also before the Schrems II Decision). The purpose is to examine whether the EU Commission itself also complies with these requirements when using Microsoft Office 365, in particular taking into account the new requirements of the ECJ.
What significance does the above announcement made by the EU data protection officer now have for German companies?
Almost a whole year after the Schrems II Decision of the ECJ described above, no legal certainty exists cloud services from US providers are used, even with exclusive use of EU servers. The new EU standard contractual clauses should provide this legal certainty, but they are a long time coming. In addition, even after the publication of the final version for third-country transfers by the EU Commission, it can be expected that it will later be declared invalid by the ECJ, as the US government will probably not change its surveillance practices and, in addition, a no-spy agreement (as is now required for Great Britain) is unlikely. Yesterday's press release from the EU data protection officer shows that things are finally moving forward. Not only are the German supervisory authorities considering a ban on Amazon AWS, Microsoft Office 365, etc., but now also the EU supervisory bodies. That being said, Microsoft regularly concedes and brings new implementation models into play. Microsoft is also increasingly receiving support from the German federal government, which currently sees no real alternatives among EU providers. However, all these efforts and tendencies do not change the unrestrained desire of the US government to monitor international data traffic, so German companies should already prepare themselves for a possible review by the supervisory authorities with regard to the use of US cloud providers. The ITM Institute of the University of Münster recently proposed a possible answer to such hearings.