by Joana Campos e Matos (Senior Consultant at Vieira de Almeida & Associados)
On May 27, 2021, the European Data Protection Supervisor (“EDPS”) announced that it has opened two investigations regarding the use of Amazon and Microsoft services by European Union institutions (EUIs).
In a press release, the EDPS announced the opening of two investigations, one concerning the use of cloud services provided by Amazon Web Services and Microsoft under Cloud II contracts by European Union institutions, bodies and agencies and the other regarding the use of Microsoft Office 365 by the European Commission.
The EDPS underlined that these investigations are part of the EDPS’ strategy for EU institutions to comply with the “Schrems II” Judgement.
1. Legal framework for international data transfers by EUIs
According to the Regulation (EU) 2018/1725 , international data transfers are only permitted if the third country to which the data are transferred, ensures that the conditions set out in the Regulation are respected, in such a way that the level of protection of natural persons guaranteed by the Regulation is not undermined (Article 46). Thus, data transfers to countries located outside the European Economic Area (“EEA”) can only occur within the strict terms provided for by the Regulation.
a) Adequate countries
Cross-border data transfers are permitted if the European Commission has decided that a country ensures an adequate level of protection for citizens’ personal data. In these cases, transfers of personal data to such country can take place without the need to comply with other procedures (Article 47).
b) Appropriate safeguards
In the absence of an adequacy decision, an international data transfer can take place through the provision of appropriate safeguards and on the condition that enforceable rights and effective legal remedies are available for individuals (Article 48). Such appropriate safeguards might, for example, include:
(i) a legally binding and enforceable instrument between public authorities or bodies;
(ii) contractual arrangements with the recipient of the personal data, using, for example, the standard contractual clauses approved by the European Commission; or
(iii) the adherence to a code of conduct or certification mechanism together with obtaining binding and enforceable commitments from the recipient to apply the appropriate safeguards to protect the transferred data.
Lastly, in the absence of an adequacy decision or of appropriate safeguards, an international data transfer can occur if the data subject has explicitly consented to the proposed transfer, or if the transfer is necessary for the performance of a contract (Article 50).
2. The conclusions arising from the “Schrems II” Judgement
In the Schrems II judgment, the Court of Justice of the European Union (“CJEU”) invalidated the Privacy Shield Adequacy Decision and confirmed that the Standard Contractual Clauses (SCCs) were valid providing that they include effective mechanisms to ensure compliance with the level of protection guaranteed within the EU by the General Data Protection Regulation.
Hence, the adoption of SCCs for data transfers may require, depending on the prevailing position of a particular third country, the implementation of supplementary measures by the data exporter in order to ensure compliance with that level of protection.
This means that data controller must assess whether the third country does offer an equivalent level of protection to the personal data transferred or whether it is necessary to implement supplementary measures to ensure an essentially equivalent level of protection as provided by EU law.
According to “Schrems II” case, U.S. laws enable interference, based on national security and public interest requirements or on domestic legislation of the U.S., with the fundamental rights of the persons whose personal data are transferred to the U.S. Mostly, such interference can arise from access to, and use of, personal data transferred to the U.S. by U.S. public authorities through the PRISM and UPSTREAM surveillance programmes under Section 702 of the FISA (Foreign Intelligence Surveillance Act) and Executive Order 12333.
The CJEU concluded that such interferences were not proportional, because the legislation did not provide clear and precise rules governing the scope and application of the measure in question, neither imposed minimum safeguards, so that the persons whose data has been transferred did not have sufficient guarantees to protect effectively their personal data against the risk of abuse. Furthermore, data subjects were not provided with enforceable rights against the US authorities in the courts.
3. The Strategy for EUIs to comply with “Schrems II” Ruling
The EDPS has published this Strategy following the “Schrems II” case, in particular due to the substantial rise in the number of data transfers related to the core business of EUIs to organizations located in the U.S..
In this strategy, the EDPS designed an action plan for bringing EUIs into compliance with the Regulation 2018/1725 which was essentially divided into two different phases (a short and a mid-term action).
In the first stage (which ended on October 2020), the EDPS ordered the EUIs to perform an inventory of all processing operations involving cross-border data transfers (“mapping”). This first stage aimed to identify priority enforcement actions.
Then, EUIs reported to the EDPS the specific risks and gaps that have been identified during the mapping exercise (this action ended on November 2020). The EUIs had also to provide specific information to the EDPS on three main categories of transfers which were likely to present higher risks to the rights and freedoms of individuals. This included information of high risks transfers to the U.S. subject to Section 702 of the FISA and Executive Order 12333 and involving either large scale processing operations or complex processing operations or processing of sensitive data.
The medium-term exercise included a Transfer Impact Assessment to identify whether an essentially equivalent level of protection as provided in the EEA is afforded in the third country and was supposed to end in the course of spring 2021. Depending on the outcome of the Impact Assessment, EUIs might be asked to report to the EDPS the transfers to third countries that do not ensure an equivalent level of protection.
Based on its Strategy for Union Institutions to comply with the “Schrems II” case, the EDPS has initiated enforcement actions to bring the cross-border transfers into compliance and has therefore opened the two investigations concerning the use of Amazon and Microsoft services by EUIs.
As mentioned by the European Data Protection Supervisor Wojciech Wiewiórowski, these investigations are aimed to help EUIs to improve their data protection compliance when negotiating contracts with their service provider. Furthermore, the EDPS believes that EUIs are well positioned to lead by example when it comes to privacy and data protection. The results of these investigations will certainly have an impact on the approach of National Data Protection Authorities to international data transfers.
 The press release is available on https://edps.europa.eu/press-publications/press-news/press-releases/2021/edps-opens-two-investigations-following-schrems_en
 The EDPS´ Strategy is available on https://edps.europa.eu/sites/default/files/publication/2020-10-29_edps_strategy_schremsii_en_0.pdf
 Regulation (EU) 2018/1725 of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data and repealing Regulation (EC) No 45/2001.
 International data transfers correspond to transfers of personal data to third countries or organizations outside the European Economic Area.
 The adequacy decision on the EU-US Privacy Shield was adopted on 12 July 2016 and allowed the free transfer of data to companies certified in the US under the Privacy Shield.
 As explained above, Regulation (EU) 2018/1725 contains equivalent provisions to the General Data Protection Regulation on data transfers to third countries.
 In this regard, the European Data Protection Board (the “EDPB”) published its recommendations following the “Schrems II” judgement regarding supplementary measures in the context of international transfer safeguards such as Standard Contractual Clauses, which are available on https://edpb.europa.eu/our-work-tools/documents/public-consultations/2020/recommendations-012020-measures-supplement_en
 Judgement, paragraphs 175-176.
 Judgement, paragraphs 180-185.
 See Strategy, page 7.
 In this regard, see EDPS reply to informal consultation on the application of Article 39(3) (b) of Regulation (EU) 2018/1725, available on https://edps.europa.eu/data-protection/our-work/publications/consultations/informal-consultation-application-article-393b_en and Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, adopted by the Article 29 Working Party and endorsed by the EDPB, available on https://ec.europa.eu/newsroom/article29/items/611236.
 The EDPS provided some examples of complex processing operations, such as processing operations involving large datasets of complex data structure, linking different databases, big data analytics, the use of novel technologies or complex techniques (like those in profiling and automated-decision making processes), or involving many different or unknown actors (See, Strategy page 10, footnote 21).
 See Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, WP248 rev.01, adopted by the Article 29 Working Party and endorsed by the EDPB, available on https://ec.europa.eu/newsroom/article29/items/611236/en.
Picture credits: Geralt.