Azure and AWS under scrutiny: EDPS investigates how European bodies use Microsoft and Amazon clouds
Large companies are once again in the eye of the hurricane, at least on the old continent. The European Data Protection Supervisor (EDPS), the independent body that supervises the processing of personal data by the EU institutions, is examining whether the various entities and organizations of the European Union effectively protect personal data when using cloud storage services. In this context, the cases of Microsoft's Azure and Amazon's AWS have come to light.
They are two of the large platforms (Google is missing) that handle traffic, management and storage in the cloud. Now they are at the center of a news item that involves them together with different organizations of the European Union.
Protect data here and in the United States
The investigation is a direct consequence of the Schrems II judgment (named after Facebook user Maximilian Schrems). This is a ruling that tries to hinder the transfer of user data from Europe to the United States, which is where these two large companies have their headquarters.
What the Schrems II ruling does is declare invalid the Privacy Shield, a system that was designed by the United States, the European Union and Switzerland to guarantee the integrity of data when it is transferred from Europe to the United States.
"This is a judicial decision of the Court of Justice of the European Union of July 16, 2020, in the Facebook Ireland and Schrems case that has meant that the data protection authorities must adapt their guidelines, taking into account that any transfer of data to the United States that is based on the Privacy Shield requires other adequate guarantees from the same day of publication of that"
The objective is to prevent companies and authorities on American soil from accessing the data stored in the cloud, and therefore the highest privacy supervisory body will examine the so-called Cloud contracts II.
In the words of Wojciech Wiewiórowski, European Data Protection Supervisor, this investigation seeks to prevent the personal information of individuals from being sent to the United States when European Union institutions use Azure and AWS.
He adds that unless appropriate measures are taken under the General Data Protection Regulation (GDPR) to protect the transfer of data, there is a risk of surveillance by authorities.
This investigation seeks to determine if any European organization that makes use of one of these two platforms may be allowing the personal data of customers or employees to reach the United States.
Microsoft Office 365 under the magnifying glass
AWS and Azure are not the only ones in the eye of the hurricane: services like Microsoft Office 365 are also under investigation. The aim is to verify whether the European Commission has complied with the recommendations issued by the EDPS on the use of Microsoft products and services by the institutions of the European Union. More than 45,000 workers of the institutions of the European Union are users of Microsoft products.
The question is whether the European Commission complies with data protection regulations when using Office 365. According to Wojciech Wiewiórowski, "we have identified certain types of contracts that require special attention and that is why we have decided to launch these two investigations."
The two investigations build on the aforementioned ruling, which concludes that US laws do not guarantee the same level of data protection that the EU's General Data Protection Regulation (GDPR) establishes. And although people's data is adequately protected in Europe, the same is not the case once it arrives in the United States.
This situation allows US authorities to access the data of users of US cloud services, even if that data is located abroad.
The ultimate goal of the investigation opened by the EDPS is to help European entities improve data protection compliance when negotiating contracts with their service providers, and to prevent widely used services like Azure and AWS from being able to send data from Europe to the United States without complying with the GDPR's protections for data transfers.
Via | ZDNet