Published On: Sun, Jun 20th, 2021

EU bodies’ use of US cloud services from AWS, Microsoft being probed by bloc’s privacy chief

Europe’s lead data protection regulator has opened two investigations into EU institutions’ use of cloud services from U.S. cloud giants, Amazon and Microsoft, under so called Cloud II contracts inked earlier between European bodies, institutions and agencies and AWS and Microsoft.

A separate investigation has also been opened into the European Commission’s use of Microsoft Office 365 to assess compliance with earlier recommendations, the European Data Protection Supervisor (EDPS) said today.

Wojciech Wiewiórowski is probing the EU’s use of U.S. cloud services as part of a wider compliance strategy announced last October following a landmark ruling by the Court of Justice (CJEU) — aka, Schrems II — which struck down the EU-US Privacy Shield data transfer agreement and cast doubt on the viability of alternative data transfer mechanisms in cases where EU users’ personal data is flowing to third countries where it may be at risk from mass surveillance regimes.

In October, the EU’s chief privacy regulator asked the bloc’s institutions to report on their transfers of personal data to non-EU countries. This analysis confirmed that data is flowing to third countries, the EDPS said today. And that it’s flowing to the U.S. in particular — on account of EU bodies’ reliance on large cloud service providers (many of which are U.S.-based).

That’s hardly a surprise. But the next step could be very interesting as the EDPS wants to determine whether those historical contracts (which were signed before the Schrems II ruling) align with the CJEU judgement or not.

Indeed, the EDPS warned today that they may not — which could thus require EU bodies to find alternative cloud service providers in the future (most likely ones located within the EU, to avoid any legal uncertainty). So this investigation could be the start of a regulator-induced migration in the EU away from U.S. cloud giants.

Commenting in a statement, Wiewiórowski said: “Following the outcome of the reporting exercise by the EU institutions and bodies, we identified certain types of contracts that require particular attention and this is why we have decided to launch these two investigations. I am aware that the ‘Cloud II contracts’ were signed in early 2020 before the ‘Schrems II’ judgement and that both Amazon and Microsoft have announced new measures with the aim to align themselves with the judgement. Nevertheless, these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly.”

Amazon and Microsoft have been contacted with questions regarding any special measures they have applied to these Cloud II contracts with EU bodies.

Update: A Microsoft spokesperson has now sent this statement:

“We will actively support the EU institutions to answer questions raised by the European Data Protection Supervisor and are confident to address any concerns swiftly. Our approach to ensuring we comply with and exceed EU data protection requirements remains unchanged. As part of our Defending Your Data initiative we’ve committed to challenge every government request for an EU public sector or commercial customer’s data where we have a lawful basis for doing so. And we will provide monetary compensation to our customers’ users if we disclose data in violation of the applicable privacy laws that causes harm. We remain committed to responding to guidance from regulators and will continuously seek to strengthen customer privacy protections.”

Update II: Amazon has also now sent us this statement:

“EU Institutions are able to use AWS services in compliance with Schrems II requirements and we are happy to support our customers as they demonstrate this to the European Data Protection Supervisor (EDPS). Our strengthened contractual commitments to protect customer data go beyond what’s required by the Schrems II ruling, building on a long track record of challenging law enforcement requests.”

The EDPS said it wants EU institutions to lead by example. And that looks important given how, despite a public warning from the European Data Protection Board (EDPB) last year — saying there would be no regulatory grace period for implementing the implications of the Schrems II judgement — there hasn’t been any major data transfer fireworks yet.

The most likely explanation for that is a fair amount of head-in-the-sand reaction and/or superficial tweaks made to contracts in the hopes of meeting the legal bar (but which haven’t yet been tested by regulatory scrutiny).

Final guidance from the EDPB is also still pending, although the Board put out detailed advice last fall.

The CJEU ruling made it plain that EU law in this area cannot simply be ignored. So as the bloc’s data regulators start scrutinizing contracts that are taking data out of the EU some of these arrangements are, inevitably, going to be found wanting — and their associated data flows ordered to stop.

To wit: A long-running complaint against Facebook’s EU-US data transfers — filed by the eponymous Max Schrems, a long-time EU privacy campaigner and lawyer, all the way back in 2013 — is slowly winding toward just such a possibility.

Last fall, following the Schrems II ruling, the Irish regulator gave Facebook a preliminary order to stop moving Europeans’ data over the pond. Facebook sought to challenge that in the Irish courts but lost its attempt to block the proceeding earlier this month. So it could now face a suspension order within months.

How Facebook might respond is anyone’s guess but Schrems suggested to TechCrunch last summer that the company will ultimately need to federate its service, storing EU users’ information inside the EU.

The Schrems II ruling does generally look like it will be good news for EU-based cloud service providers which can position themselves to solve the legal uncertainty issue (even if they aren’t as competitively priced and/or scalable as the dominant US-based cloud giants).

Fixing U.S. surveillance law, meanwhile — so that it gets independent oversight and accessible redress mechanisms for non-citizens in order to no longer be considered a threat to EU people’s data, as the CJEU judges have repeatedly found — is certainly likely to take a lot longer than ‘months’. If indeed the US authorities can ever be convinced of the need to reform their approach.

Still, if EU regulators finally start taking action on Schrems II — by ordering high profile EU-US data transfers to stop — that might help concentrate US policymakers’ minds toward surveillance reform. Otherwise local storage may be the new future normal.
