The European Union’s data regulator is investigating whether agencies and institutions in the bloc using Amazon Web Services and Microsoft Azure cloud services are sufficiently protecting EU citizens’ data.
The investigation could see EU institutions and bodies migrate away from cloud services provided by Amazon and Microsoft, experts have said.
The European Data Protection Supervisor (EDPS) launched its investigation into the use of Azure and AWS in light of the landmark “Schrems II” judgement. In July 2020 the EU’s highest court declared that Privacy Shield, the legal mechanism for transferring data between the EU and US, was no longer legal.
Privacy activist Max Schrems successfully argued that US surveillance laws meant Privacy Shield did not protect EU citizens from snooping by the US government.
That has triggered a series of investigations by the EDPS to ensure “future international transfers are carried out according to EU data protection law.”
Cloud services providers are now in the EDPS’ crosshairs because the leading players – including AWS and Azure – are based in the US. The EDPS said this makes them subject to legislation that “allows disproportionate surveillance activities by the US authorities.”
The investigation could threaten lucrative public sector cloud contracts that AWS and Microsoft Azure have with EU bodies, should it find their US ties incompatible with European data protection law.
“This is an issue that was obvious from the moment the Privacy Shield law was struck down and cloud providers have essentially stuck their heads in the sand in the hope that their existing customer contracts would allow them to carry on regardless,” said Matthew Gribben, information assurance and cybersecurity expert and formerly of GCHQ.
“It’s entirely possible this investigation could start a landslide of data migrations from US-hosted cloud providers to EU-based hosting in order to ensure compliance. The European Data Protection Board has made it abundantly clear there would be no grace period for compliance so this could quickly become a serious issue for the likes of Microsoft & Amazon AWS.”
Laura Petrone, senior analyst in GlobalData’s thematic research team, told Verdict that the investigation stems from diametrically opposed philosophies that put the EU and US “increasingly at odds” when it comes to the transfer of personal data. While the EU is “firmly in favour” of privacy protections, the US prioritises the right to conduct surveillance for national security, she said.
However, it could be a long time before the US and EU resolve these differences, which could spell bad news for US-based cloud providers in the meantime.
“The investigation might also push EU institutions to find alternative cloud service providers in the future, with a special focus on the ones located in the EU to avoid any future legal issues,” said Petrone.
Gribben believes it’s “almost certain” that the EDPS will find fault with the current arrangements that US-based cloud providers have with EU agencies.
In February AWS announced it had “strengthened contractual commitments that go beyond what’s required by the Schrems II ruling.”
This included challenging law enforcement requests for customer data from governments inside or outside the European Economic Area where they conflict with EU law. Verdict has contacted AWS for comment.
In a statement, Microsoft said: “We will actively support the EU institutions to answer questions raised by the European Data Protection Supervisor and are confident to address any concerns swiftly. Our approach to ensuring we comply with and exceed EU data protection requirements remains unchanged. As part of our Defending Your Data initiative we’ve committed to challenge every government request for an EU public sector or commercial customer’s data where we have a lawful basis for doing so. And we will provide monetary compensation to our customers’ users if we disclose data in violation of the applicable privacy laws that causes harm.”
But European Data Protection Supervisor Wojciech Wiewiórowski warned that measures already taken by Amazon and Microsoft “may not be sufficient.”
“I am aware that the ‘Cloud II contracts’ were signed in early 2020 before the ‘Schrems II’ judgement and that both Amazon and Microsoft have announced new measures with the aim to align themselves with the judgement,” he said. “Nevertheless, these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly.”