top of page

Microsoft and Amazon at the heart of an investigation into EU data protection.

Updated: Nov 8, 2021

The European Data Protection Supervisor (EDPS) has launched two investigations into the use of Amazon and Microsoft Cloud services by the European institutions. The focus is on AWS and Microsoft Office 365

Cloud de confiance, GCTI

These investigations are part of the EDPS's strategy to ensure that EU institutions comply with the Schrems II judgment so that current and future international transfers are carried out in accordance with EU data protection law.


Checking the proper use of cloud services by the EU institutions.


The objective of the first enquiry is to assess the compliance of the European institutions with the Schrems II judgment when using cloud services provided by Amazon Web Services and Microsoft under the so-called "Cloud II" contracts when data are transferred to third countries, in particular to the United States.

The purpose of the second investigation on the use of Microsoft Office 365 is to verify the compliance of the European Commission with the recommendations previously issued by the EDPS on the use of Microsoft products and services by the European institutions.

With these surveys, the EDPS aims at helping these European institutions and agencies to improve their data protection compliance when negotiating contracts with their cloud service provider.



In November 2020, the supervisory authority had already asked the European institutions to avoid processing activities that involved transfers of personal data across the Atlantic.

The report commissioned at the time showed that individuals' personal data was being transferred outside the EU and to the United States (US) in particular, through the use of tools and services offered by large cloud service providers.