The European Commission and European Parliament’s use of cloud computing services provided by Amazon and Microsoft has prompted two EU privacy investigations over concerns about the transfer of personal data to the United States.
Data privacy came under scrutiny after revelations in 2013 by former US intelligence contractor Edward Snowden of mass US surveillance.
In response, Europe’s highest court last year rejected a transatlantic data transfer deal, known as the Privacy Shield, following a long-running dispute between Facebook and Austrian privacy activist Max Schrems.
EU privacy watchdog the European Data Protection Supervisor (EDPS) on Thursday opened the investigations after identifying certain types of contracts between EU institutions and the two companies that require particular attention.
The investigations, one of which focuses on the use of Microsoft Office 365 by the European Commission, will look into whether the EU bodies comply with privacy rules and the Court judgment.
The EU watchdog said EU bodies were relying increasingly on cloud-based software and cloud infrastructure or platform services from large US providers governed by legislation that allows disproportionate surveillance activities by the US authorities.
“I am aware that the ‘Cloud II contracts’ were signed in early 2020 before the Schrems II Judgement and that both Amazon and Microsoft have announced new measures with the aim to align themselves with the judgment,” EDPS head Wojciech Wiewiorowski said.
“Nevertheless, these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly.”
Market leader Amazon, Alphabet unit Google and Microsoft dominate the realm of data storage worldwide.
Microsoft said it was confident that it would be able to swiftly address any concerns.
“We’ve committed to challenge every government request for an EU public sector or commercial customer’s data where we have a lawful basis for doing so,” a spokeswoman said.
“And we will provide monetary compensation to our customers’ users if we disclose data in violation of the applicable privacy laws that causes harm,” she said.
Neither the Commission nor the Parliament responded to requests for comment.