27 May 2021
These investigations are part of the EDPS’ strategy for EU institutions to comply with the “Schrems II” Judgement so that ongoing and future international transfers are carried out according to EU data protection law.
In line with his strategy, the EDPS ordered EUIs in October 2020 to report on their transfers of personal data to non-EU countries. The EDPS’ analysis shows that because of diverse processing operations, in particular when using tools and services offered by large service providers, individuals’ personal data is transferred outside the EU and to the United States (US) in particular.
The EDPS’ analysis also confirms that EUIs increasingly rely on cloud-based software and cloud infrastructure or platform services from large ICT providers, of which some are based in the US and are therefore subject to legislation that, according to the “Schrems II” Judgement, allows disproportionate surveillance activities by the US authorities.
Wojciech Wiewiórowski, EDPS, said:
“Following the outcome of the reporting exercise by the EU institutions and bodies, we identified certain types of contracts that require particular attention and this is why we have decided to launch these two investigations. I am aware that the “Cloud II contracts” were signed in early 2020 before the “Schrems II” judgement and that both Amazon and Microsoft have announced new measures with the aim to align themselves with the judgement. Nevertheless, these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly.”
The objective of the first investigation is to assess EUIs’ compliance with the “Schrems II” Judgement when using cloud services provided by Amazon Web Services and Microsoft under the so-called “Cloud II contracts” when data is transferred to non-EU countries, in particular to the US.
The objective of the second investigation into the use of Microsoft Office 365 is to verify the European Commission’s compliance with the Recommendations previously issued by the EDPS on the use of Microsoft’s products and services by EUIs.
Wojciech Wiewiórowski, EDPS, said:
“We acknowledge that EUIs – like other entities in the EU/EEA – are dependent on a limited number of large providers. With these investigations, the EDPS aims to help EUIs to improve their data protection compliance when negotiating contracts with their service provider”.
The EDPS believes that EUIs are well positioned to lead by example when it comes to privacy and data protection. The announced steps are part of a continuous cooperation between the EDPS and the EUIs to ensure a high level of protection of these fundamental rights.
Background information
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS), was appointed by a joint decision of the European Parliament and the Council on to serve a five-year term, beginning on 6 December 2019.
About EDPS investigations: We conduct investigations on our own initiative or on the basis of a complaint. We have extensive powers to access all personal data, information and documents, which are necessary for our investigations, and to access premises, including any data processing equipment and means, in case an on-site investigation is needed. An investigation can be of a general nature, such as our survey on compliance with data protection rules in the EU institutions, which we conduct every two years. We also conduct more targeted investigations on specific subjects, for instance video surveillance in the EU institutions. More information can be found on the EDPS website here.
About the “Schrems II” Judgement: Following the “Schrems II” Judgement, on 29 October 2020 the EDPS issued his strategic document aiming to monitor compliance of European institutions, bodies, offices and agencies (EUIs) with the “Schrems II” Judgement in relation to transfers of personal data to third countries, and in particular the United States. The goal is that ongoing and future international transfers are carried out in accordance with EU data protection law. In his Strategy, the EDPS has developed an action plan to streamline compliance and enforcement measures, distinguishing between short-term and medium-term compliance actions. More information can be found on the EDPS website here.
About transfers of personal data: The European Data Protection Supervisor and the European Data Protection Board (EDPB) cooperate closely on matters of data protection, including on transfers of personal data. They have issued, in relation to the latter, joint opinions on two sets of contractual clauses (SCCs): one opinion on the SCCs for contracts between controllers and processors and one on the SCCs for the transfer of personal data to third countries. The EDPB, with the EDPS’ active cooperation, issued Recommendations 01/2020 on supplementary measures to ensure an essentially equivalent level of protection in the EU/EEA when transfers of personal data to non-EU countries occur, which can be found on the EDPB website here. The Recommendations 01/2020 became applicable immediately following their publication in November 2020, despite the ensuing public consultation process.
Processing of personal data: According to Article 3(3) of Regulation (EU) 2018/1725, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. See the glossary on the EDPS website.
Personal data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details, such as IP addresses and communications content – related to or provided by end-users of communications services – are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).