EU investigation into AWS and Azure could threaten lucrative cloud contracts with EU bodies

European regulator seeks to close data protection loopholes

An EU probe into AWS and Microsoft could see EU institutions and agencies move away from cloud services provided by the US firms and switch to EU-based hosting instead.

Last week, the European Data Protection Supervisor (EDPS), the EU's privacy regulator, announced that it was launching an investigation to examine whether EU agencies and institutions that use AWS and Microsoft Azure cloud services were effectively protecting the personal data of European users in accordance with GDPR guidelines.

The EDPS also announced a separate probe to examine whether the European Commission's use of Microsoft Office 365 complied with earlier recommendations.

The EDPS said it was launching both probes in light of the EU Court of Justice (ECJ) ruling in July last year, which ruled the transatlantic Privacy Shield agreement between the EU and the US invalid because it failed to adequately protect European users' data from US surveillance.

The court added that the US laws did not match the strict data protection requirements established by the GDPR and that the personal data of European citizens cannot be safely processed in the US without additional safeguards.

However, the ECJ said cloud companies could still use standard contractual clauses (SCCs) as a legal mechanism for data transfers, with some adjustments.

The EDPS is now pushing to ensure that future data transfers from the EU to the US are fully in line with EU data protection law, which could have consequences for US cloud companies.

"It's entirely possible this investigation could start a landslide of data migrations from US-hosted cloud providers to EU-based hosting in order to ensure compliance," said Matthew Gribben, information assurance and cybersecurity expert, who formerly worked at GCHQ.

"The European Data Protection Board has made it abundantly clear there would be no grace period for compliance, so this could quickly become a serious issue for the likes of Microsoft and Amazon AWS," Gribben said.

Laura Petrone, senior analyst in GlobalData's thematic research team, told Verdict the EDPS probe might also push EU bodies to sign new contracts with alternative cloud providers in future, giving special preference to firms located in the EU to avoid any future legal issues.

Petrone believes the EDPS probe will likely find many issues with the current data arrangements between EU bodies and American cloud providers.

Earlier this year, AWS said that it had "strengthened contractual commitments that go beyond what's required by the Schrems II ruling."

In a statement, Microsoft told Verdict that it was confident of addressing any issues raised by EDPS regarding the safety of European users' data.

"Our approach to ensuring we comply with and exceed EU data protection requirements remains unchanged," the company said.

The EDPS's investigations into AWS and Microsoft Azure come less than a month after a ruling by Ireland's High Court in which the judges dismissed Facebook's attempt to block the Irish Data Protection Commission's (DPC) decision on the social media company's data transfers, about EU users, to the USA.

The DPC issued its preliminary ruling on data flows last August, when it told Facebook to stop transferring European users' data to servers in the USA. The regulator said it was concerned that the privacy of European citizens might not be respected in the country.

Facebook said that it was taking 'all adequate measures' to protect data.

"We look forward to defending our compliance to the [Irish Data Protection Commission], as their preliminary decision could be damaging not only to Facebook, but also to users and other businesses," a Facebook spokesperson said.