The European Data Protection Supervisor (EDPS) investigates contracts that Amazon and Microsoft have with European institutions.
These may no longer comply with EU legislation for sending data to countries outside the country block, said EDPS Director Wojciech Wiewiórowski.
“We have found certain types of contracts that require special attention, and that is why we are starting research on them,” says Wiewiórowski. It concerns two studies. One of the studies focuses on using the cloud services of Amazon and Microsoft Web Services and the other of Microsoft Office 365 by the European Commission, the executive committee of the EU.
Last July, the European Court of Justice put an end to the so-called Privacy Shield from 2016, the regulation by which Brussels permits transferring personal data to the US. The court ruled that companies sending personal data from Europe to the United States are less well protected than in the European Union.
The contracts with Amazon and Microsoft predate that ruling. The American tech companies announced changes to their data policy because of the verdict. “Still, these interventions may not be enough to comply with data laws in the EU fully, so we need to investigate this properly,” said Wiewiórowski.
The lawsuit is known as “Schrems II,” after Austrian privacy activist Maximilian Schrems. He had complained about the possibly inadequate protection in transferring personal data from Facebook Ireland to its US parent company. He was right. In 2015, the judge also annulled the so-called Safe Harbor Program, the predecessor of the Privacy Shield.