On 27 May 2021, the European Data Protection Supervisor (EDPS) launched two investigations following the Court of Justice ruling in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems (“Schrems II”) of 16 July 2020 (→ eucrim 2/2020, 98-99). The two investigations, pertaining to the use of cloud services provided by Amazon Web Services and Microsoft (under Cloud II contracts by European Union institutions, bodies, and agencies (EUIs)) and the use of Microsoft Office 365 by the European Commission, are part of the EDPS’ strategy for EU institutions to comply with the “Schrems II” judgement.

Following the EDPS’ order to EUIs in October 2020 to report on their transfers of personal data to non-EU countries, it had been shown that individuals’ personal data is being transferred outside EU and to the United States (USA), in particular. Against this background, the EDPS strongly encouraged EUIs to avoid transfers of personal data to third countries. The EDPS’ analysis also showed that EUIs increasingly rely on the use of cloud computing services or platform services from large information and communications technology (ICT) providers. Some of the ICT providers are based in the USA and therefore subject to legislation that, according to the “Schrems II” judgement, allows disproportionate surveillance activities to be carried out by the US authorities.

With its first investigation, the EDPS wishes to assess the EUIs’ compliance with the “Schrems II” judgement when using cloud services provided by Amazon Web Services and Microsoft. With a second investigation, into the use of Microsoft Office 365, the EDPS would like to verify the European Commission’s compliance with the recommendations issued by the EDPS, on 2 July 2020, on the use of Microsoft’s products and services by EUIs.