GDPR inquiry launched on the use of Azure and AWS in the bloc

Get a free Techzine subscription!

EU’s privacy regulator, the European Data Protection Supervisor (EDPS) has started an inquiry into whether the bloc’s leading institutions are protecting citizens’ private data when using Microsoft’s Azure and Amazon’s AWS clouds.

The EDPS has also opened a separate examination into whether the European Commission’s use of Microsoft Office 365 complies with data protection laws.

The watchdog announced both inquiries in relation to the Schrems II ruling from last summer. It brought with it, new challenges regarding the transfer of citizens’ private data between the United States and the European Union.

On Trans-Atlantic data transfers

In the Schrems ruling, the EU Court of Justice concluded that the national laws of the US did not match the strict protections provided by the EU’s GDPR. That means that without the General Data Protection Regulation, the personal data of EU citizens cannot be safely processed outside the bloc.

For an EU-based organization using a US-based provider like AWS or Azure, some of the data about their employees may be made available to people in the United States who have no right to access such data.

The Court of Justice invalidated a scheme that was in place, called the Privacy Shield.

The fallout

What followed was the introduction of new provisions called Standard Contractual Clauses (SCCs) for each data transfer. Where the SCCs are insufficient, the data transfer is not allowed to happen.

The EDPS is an independent organization that monitors the processing of personal data by EU institutions.

It has kept a close watch on the impact of the Schrems II ruling and some of the contracts that tie EU offices and institutions to tech companies operating out of the US. These inquiries are a result of recent changes concerning ethics, data protection, and a series of incriminating cases against tech companies misbehaving.