EDPS launches investigations following the judgment in Schrems II

May 26, 2021

The European Data Protection Supervisor has launched two investigations. One considers the use of cloud services provided by Amazon and Microsoft Web Services under Cloud II contracts by European Union institutions, bodies and agencies (EUIs) and the other considers the use of Microsoft Office 365 by the European Commission.

These investigations are part of the EDPS’ strategy for EU institutions to comply with Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems (Schrems II) so that ongoing and future international transfers are carried out according to EU data protection law.

In line with this strategy, in October 2020, the EDPS ordered EUIs to report on their transfers of personal data to non-EU countries. The EDPS’ analysis shows that because of diverse processing operations, especially when using tools and services offered by large service providers, individuals’ personal data is transferred outside the EU and to the US in particular.

The EDPS’ analysis also confirms that EUIs increasingly rely on cloud-based software and cloud infrastructure or platform services from large ICT providers, some of which are based in the US and are therefore subject to legislation that, according to the judgment, allows disproportionate surveillance activities by the US authorities.

The objective of the first investigation is to assess EUIs’ compliance with the Schrems II judgment when using cloud services provided by Amazon and Microsoft Web Services under the so-called “Cloud II contracts” in cases where data is transferred to non-EU countries, in particular to the US.

The objective of the second investigation into the use of Microsoft Office 365 is to verify the European Commission’s compliance with the Recommendations previously issued by the EDPS on the use of Microsoft’s products and services by EUIs.