It was recently found out that Europe’s lead data protection regulator has begun two investigations into EU institutions’ use of cloud services from U.S. cloud giants, Amazon and Microsoft.
Indeed, the investigation was started under Cloud II contracts made between AWS and Microsoft. The inquiry aims to understand the EU’s use of U.S. cloud services as part of a wider compliance strategy that struck down the EU-US Privacy Shield data transfer agreement and questioned the viability of alternative data transfer mechanisms in the case where EU users’ personal data is going to third countries at risk from mass surveillance regimes.
After a request in October, it was reported that data is flowing to third countries, and to the U.S. in particular. The European Data Protection Supervisor (EDPS) then wants to determine if these contracts align with the CJEU judgment or not. If they don’t, EU bodies would be required to find alternative cloud services providers.
Both cloud providers Amazon and Microsoft have been contacted to find out if they have applied any special measures to the Cloud II contracts with EU bodies. It was made clear that EU law is to be followed so the data flow has to be regulated closely.