GDPR: EU privacy watchdog probing usage of AWS and Azure cloud services
The European Data Protection Supervisor (EDPS) has started examining whether key EU institutions and agencies effectively protect citizens’ personal data when using Amazon’s AWS cloud services and Microsoft’s Azure.
In a separate investigation, the EDPS will also examine whether the use of Microsoft Office 365 by the European Commission complies with data protection laws.
The EDPS announced the launch of the two investigations relating to the Schrems II judgment which took place last summer and which introduced new obstacles to the transfer of personal data between the United States – where Amazon and Microsoft are based – and the EU.
In the ruling, the EU Court of Justice found that domestic laws in the US did not meet the stringent data protection requirements set by the bloc’s General Data Protection Regulation (GDPR), which means that without additional guarantees, the personal data of EU citizens cannot be processed securely across the Atlantic.
For example, under the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), US authorities are allowed to require US-based storage providers to give them access to information kept on their servers, even if that data is stored abroad.
An EU-based organization using a US-based cloud provider like AWS or Azure may therefore find that some of its data – including personal data about customers or employees, for example – could potentially be made available to US authorities.
This is why the EU Court of Justice struck down the system put in place to allow personal data to flow freely between the bloc and the United States, called the Privacy Shield, and ruled that instead, organizations would need to put in place new contractual privacy safeguards, called Standard Contractual Clauses (SCCs), for each data transfer.
In some cases where even the SCCs are insufficient, the data exchange may be suspended.
The EDPS, an independent organization that monitors the processing of personal data by EU institutions, is closely monitoring the impact of Schrems II on some of the contracts that bind European offices and agencies to technology companies in the United States.
“We have identified certain types of contracts that require special attention and that is why we have decided to launch these two investigations,” said Wojciech Wiewiórowski, the European Data Protection Supervisor.
“We recognize that EUIs (European Union institutions) – like other EU / EEA entities – depend on a limited number of large providers. With these investigations, the EDPS aims to help EUIs improve their data protection compliance when negotiating contracts with their service provider.”
In particular, the privacy watchdog will examine so-called “Cloud II” contracts between the EU and Microsoft or Amazon for the use of their cloud services.
When EUIs use Azure and AWS, individuals’ personal information may indeed be sent outside of the EU and into the US, and unless appropriate GDPR-compliant measures are taken to protect the data transfer, there is a risk of surveillance by the US authorities.
In other words, the EDPS will now check whether these GDPR-compliant measures are taken by the institutions of the bloc.
“We will actively support the EU institutions to respond to the questions raised by the European Data Protection Supervisor and are confident to respond quickly to any concerns,” a Microsoft spokesperson told ZDNet. “We remain committed to responding to guidance from regulators and will continually seek to strengthen the protection of customer privacy.” AWS did not respond to a request for comment.
The threats to privacy posed by dependence on the cloud services of foreign ICT providers have long been pointed out by the EDPS: as early as 2018, it published guidelines for EU institutions that highlight the responsibility of EUIs in ensuring the protection of personal data in cloud infrastructure.
The message was not heard. Recently, the European Data Protection Board validated the use of a new “European Code of Conduct on the Cloud”, which acts as a standard certifying that a given cloud service provider is GDPR-compliant. Microsoft Azure and Google Cloud, among others, have already declared adherence to the code of conduct.
In addition, since the Schrems II decision, cloud providers have come forward to announce policy changes to better comply with GDPR restrictions. Microsoft and Amazon have promised to challenge government requests for access to customer data when they can. When required by law, Amazon has also pledged to disclose the minimum amount of information necessary, while Microsoft has said it will provide monetary compensation to affected customers.
Microsoft has even gone one step further by committing to allow EU customers to store and process most of their data within the EU by the end of 2022, which means that personal data won’t even need to be shipped to the United States.
Wiewiórowski acknowledged that the two companies had made amends, but nevertheless said the measures announced may not be sufficient to ensure full compliance with EU data protection law and still require a proper investigation.
“It’s not just a question of law, it’s also a question of ethics. There are many social and economic issues associated with relying on only a handful of companies for your critical infrastructure. If they don’t follow the rules, your privacy will never be protected,” Subhajit Basu, associate professor of information technology law at the University of Leeds, told ZDNet.
But there is also a political dimension to the new investigations, according to Basu. The EU is increasingly keen to reaffirm the Union’s ‘digital sovereignty’, in particular with regard to data infrastructure and cloud services.
The majority of the European cloud market is indeed controlled by non-European hyperscalers, with recent research showing that more than half of decision makers on the continent use AWS, Microsoft Azure, IBM Cloud and Google Cloud.
In an attempt to regain control of the EU’s digital infrastructure, EU leaders are trying to develop a local cloud initiative called GAIA-X, which will respect European principles of data protection and transparency – but the project is at a standstill and still lags far behind the US-based cloud giants.
“It’s about the future of cloud services and ensuring that the EU has its share of the cloud business,” says Basu. “The whole world is in the cloud these days, which shows the importance of having a cloud infrastructure.”
In addition to probing EUIs’ use of US-based cloud services, the EDPS is also investigating the European Commission’s use of Microsoft Office 365 – another sticking point for the privacy watchdog, given that more than 45,000 staff from the EU institutions are users of the Redmond giant’s products and services.
Last year, the EDPS published a first set of recommendations related to the use of the Microsoft suite, including the imperative of knowing exactly where the data is located, what information is transferred outside the EU and whether it is protected by appropriate safeguards.
For Basu, this decision fits both with the main objective of better protecting the privacy of EU citizens and with the underlying objective of restoring the digital sovereignty of the bloc and the control of personal data of its residents.
“What surprises me is that it took so long for the EDPS to launch an investigation,” says Basu. “It’s good for the citizens of the EU, but it was necessary and it should have been done before.”