Microsoft and Amazon at the heart of an investigation into EU data protection.

The European Data Protection Supervisor (EDPS) has launched two investigations into the use of Amazon and Microsoft Cloud services by the European institutions. The focus is on AWS and Microsoft Office 365

These investigations are part of the EDPS's strategy to ensure that EU institutions comply with the Schrems II judgment so that current and future international transfers are carried out in accordance with EU data protection law.

Checking the proper use of cloud services by the EU institutions.

The objective of the first enquiry is to assess the compliance of the European institutions with the Schrems II judgment when using cloud services provided by Amazon Web Services and Microsoft under the so-called "Cloud II" contracts when data are transferred to third countries, in particular to the United States.

The purpose of the second investigation on the use of Microsoft Office 365 is to verify the compliance of the European Commission with the recommendations previously issued by the EDPS on the use of Microsoft products and services by the European institutions.

With these surveys, the EDPS aims at helping these European institutions and agencies to improve their data protection compliance when negotiating contracts with their cloud service provider.

The report commissioned at the time showed that individuals' personal data was being transferred outside the EU and to the United States (US) in particular, through the use of tools and services offered by large cloud service providers.

The report also confirmed that EU institutions are increasingly relying on software and infrastructure services or cloud platforms from large providers, some of which are based in the US and therefore subject to legislation that, according to the Schrems II ruling, allows for disproportionate surveillance activities by the US authorities. "I am aware that the Cloud II contracts were signed in early 2020 before the Schrems II ruling and that Amazon and Microsoft have since announced new measures in order to comply with the ruling. However, these announced measures may not be sufficient to ensure full compliance with EU data protection law, hence the need to properly investigate this issue," explains Wojciech Wiewiórowski, head of the supervisory institution.

The EDPS believes that the EU institutions are well placed to set an example in the field of privacy and data protection. The announced measures are part of an ongoing cooperation between the EDPS and the EU institutions to ensure a high level of protection of these fundamental rights.

Microsoft plays the EU game, growth requires

In response to this demand for compliance, Microsoft announced last May a plan called "EU Data Boundary for the Microsoft Cloud" in which it undertakes to process and store data from Azure, Microsoft 365 and Dynamics 365 services for all business and public sector customers in the EU.

It should be remembered that Microsoft currently has the largest market share (>17%) in SaaS office and collaborative cloud services (365) with a growth of 34%/year in the area of IaaS infrastructure services (19% market share and annual growth of 50%. It is therefore in the US publisher's interest to play the "EU compliance" card in order to maintain its growth strategy, especially as at the same time all the European CSPs (OVH, Orange and Deutsche Telekom) have lost 16% market share.

In addition to committing to data localisation in Europe, Microsoft also says it will integrate these EU data 'delimitation' solutions into its core cloud services to enhance its current offerings. It even goes so far as to plan a European Cloud Customer Summit this autumn and the creation of a Privacy Engineering Centre of Excellence in Dublin, Ireland (home of the European CNIL) to help its European customers choose the right solutions to build robust data protection into their cloud workloads. Already involved in the Gaia-X alliance, Microsoft is also helping to build "Tech Fit 4 Europe".

More information