On May 27, 2021, the European Data Protection Supervisor (the “EDPS”) announced that it has opened two investigations regarding (1) the use of cloud services provided by Amazon Web Services and Microsoft under Cloud II contracts by European Union institutions, bodies and agencies; and (2) the use of Microsoft Office 365 by the European Commission.

These investigations are part of the EU institution's strategy to comply with the Schrems II judgment of the Court of Justice of the European Union.

Background

As a result of the Schrems II judgment, controllers relying on a transfer mechanism under Article 46 of the EU General Data Protection Regulation (“GDPR”) to transfer personal data outside the European Economic Area (“EEA”) (“data exporters”) must verify, on a case-by-case basis and in collaboration with the data importers, as appropriate, whether the law of the importer’s country ensures a level of protection for the personal data that is essentially equivalent to the EEA’s protections. If not, data exporters need to assess whether they can implement supplementary measures to help ensure the requisite level of protection.

According to Wojciech Wiewiórowski, the EDPS, the EU institutions must “lead by example when it comes to privacy and data protection.”

Read the EDPS Press Release.