EU bodies use of Amazon, Microsoft cloud services faces privacy probes

The European Commission and European Parliament’s use of cloud computing services provided by Amazon and Microsoft has prompted two EU privacy investigations over concerns about the transfer of personal data to the United States.

After revelations in 2013 by former U.S. intelligence contractor Edward Snowden of mass U.S. surveillance, the data privacy came under scrutiny. In response to this the Europe’s highest court last year rejected a transatlantic data transfer deal. This is known as the Privacy Shield. This is after following a long-running dispute between Facebook and Austrian privacy activist Max Schrems.

After identifying certain types of contracts between EU institutions and the two companies, the EU privacy watchdog the European Data Protection Supervisor (EDPS) opened the investigations. This contract requires particular attention. The investigations, one of which focuses on the use of Microsoft Office 365 by the European Commission, will look into whether the EU bodies comply with privacy rules and the Court judgment.

EU bodies were relying increasingly on cloud-based software and cloud infrastructure or platform services. This is from the large U.S. providers governed by legislation. These allows surveillance activities by the U.S. authorities. EDPS head Wojciech Wiewiorowski said in a statement that he is aware that the Cloud II contracts were signed in early 2020 before the Schrems II Judgement. And that both Amazon and Microsoft Web Services have announced new measures with the aim to align themselves with the judgment.

He also added that the announced measures are not enough to ensure full compliance with EU data protection law and hence the need to investigate this properly. Market leader Amazon, Alphabet unit Google and Microsoft dominate the realm of data storage worldwide. Any concerns will be able to be handled by Microsoft.

A spokeswoman said that they have committed to challenge every government request for an EU public sector or commercial customer’s data where they have a lawful basis for doing so. And they will provide monetary compensation to their customer’s users if they disclose data in violation of the applicable privacy laws that causes harm. Neither the Commission nor the Parliament responded to requests for comment.