In May 2024, both the European Commission and Microsoft sued the European Data Protection Supervisor (EDPS) before the Court of Justice of the European Union (CJEU).
This is the latest chapter in an ongoing debate about how European businesses can reconcile the use of standardized cloud services with the GDPR.
Read on for my perspective on a case that could change the way businesses use cloud services:
Cloud services are an indispensable tool for anyone running a modern business. Businesses of all sizes, small and medium-sized ones included, rely on cloud-based solutions to stay innovative and competitive.
The provider typically offers these services via a subscription with the added benefit that the provider handles all security updates and patches centrally.
However, this division of roles leads to a certain loss of control for the customer – especially when it comes to the processing of personal data in the cloud.
Figures from 2022 show that service providers such as Amazon, Microsoft, and Google held 72% of the European cloud market.
European providers only had 15%.
This reflects and confirms a general trend: most of the cloud giants are headquartered in the US.
As a result of this trend, the widespread use of their services has created a greater need for effective mechanisms to transfer and protect personal data outside the EU.
Non-EU countries are known as ‘third countries’ under the General Data Protection Regulation (GDPR).
Since it became applicable in May 2018, the GDPR has set a high, consistent level of protection for EU citizens’ personal data.
A key set of obligations is outlined in Chapter V of the GDPR.
The chapter sets out the available transfer mechanisms. They’re designed to ensure that the EU’s level of data protection is maintained when a company or authority transfers personal data to third countries, even to countries that don’t offer the same protection as the EU.
One such mechanism is an adequacy decision:
Here the European Commission, acting under Article 45 of the GDPR, gives the green light for transfers to a particular country.
These decisions stem from the Commission’s thorough analysis of the third country’s legal framework. An adequacy decision designates the jurisdiction as a “safe third country.”
This means that the local privacy laws provide an adequate level of protection for EU personal data.
In the absence of adequacy decisions, EU data can only be transferred to so-called ‘non-safe third countries’ if the parties involved in the transfer ensure an adequate level of protection through a private contract.
In practice, it’s the European Commission’s Standard Contractual Clauses (SCC) under Article 46(2) that are used as the transfer mechanism by most businesses.
SCCs are pre-approved templates made by the Commission that include provisions outlining specific data protection measures that the parties commit to uphold.
This way, the parties ensure a sufficient level of protection through a private legal framework when they adopt SCCs between themselves.
In theory, this approach seems effective in ensuring data protection across global borders.
But in practice?
SCCs are not an easy-peasy solution in practice.
SCCs were at the center of the CJEU’s ruling in the Schrems II case, which revolved around US authorities’ access to data processed by Facebook (now Meta).
The landmark judgment highlighted the interplay between EU law and third countries’ national legislation, particularly concerning government surveillance programs.
Following the Schrems II ruling, the European Data Protection Board (EDPB) and national data protection authorities in Europe have issued guidelines that adopt a restrictive stance on data transfers to non-safe third countries.
Some see this approach as a “zero tolerance” interpretation of Chapter V of the regulation.
It compels European data controllers and processors to eliminate any theoretical risk of third-country authorities accessing EU citizens’ data, which in turn creates documentation requirements that are even harder to manage.
If you’ve ever dealt with a Transfer Impact Assessment (TIA) you know that assessing foreign jurisdictions is tricky.
This is especially the case for European SMEs that lack the resources to handle such tasks.
And yet…
Critics of the zero-tolerance approach believe that this strict interpretation is not in line with EU law.
In fact, Recital 4 of the GDPR preamble itself clearly states that the right to data protection isn’t “absolute.”
It’s meant to be viewed in the broader context of society and should be balanced against other fundamental rights. All this is in line with the principle of proportionality at the base of all EU law.
After the Schrems II ruling, the EDPB, EDPS, and several national data protection authorities began delving into how European companies and institutions use data processors.
Specifically, they focused on those based outside the EU or with parent companies located outside the EU.
One such investigation, conducted by the EDPS, focused on the Commission’s use of Microsoft 365. It lasted three years and culminated in a detailed 180-page decision published in March 2024.
The EDPS found that the Commission had violated the EUDPR (the data protection regulation that applies to EU institutions and bodies) in three key areas and ordered the Commission to remedy the following issues by December 9, 2024:
The first issue concerned purpose limitation. This data protection principle requires that a controller only process personal data for explicitly stated purposes.
Although the Commission’s agreement with Microsoft contained such instructions, the EDPS considered that the types of personal data and the processing purposes they specified were not clearly defined and limited to specific purposes.
Similarly, the description of the types of personal data Microsoft was allowed to process was too imprecise.
Therefore, the EDPS concluded that the Commission could not get a sufficient overview of the types of personal data processed and the actual processing purposes.
For this reason, the EDPS considered that the Commission couldn’t monitor whether Microsoft was processing personal data within the agreed framework – and thus whether the processing was lawful.
The second issue concerned international transfers. The Commission didn’t precisely describe which personal data Microsoft could transfer to which recipients outside the EU/EEA.
As noted under issue 1: to ensure that processing is lawful, data controllers must know which data is processed, in which ways, and where.
The EDPS concluded that the Commission hadn’t mapped its international data transfers accurately enough to ensure that they were carried out with adequate safeguards.
As a result, the Commission was neither able to decide whether supplementary measures were needed for the transfers, nor to ensure that adequate safeguards were actually in place.
Although the Commission had arranged SCCs with Microsoft, the Commission had neither risk assessed nor mapped the transfers of personal data.
The third issue concerned disclosures. The Commission didn’t ensure that Microsoft would only notify it of requests for personal data where required by EU or Member State law.
Nor had it assessed the data protection laws of the third countries to which data might be transferred.
This left potential gaps in preventing unauthorized disclosures.
Admittedly, the EDPS’ decision is based on the EUDPR, which applies only to EU institutions and bodies, and the EDPS is the supervisory authority for those institutions alone.
However, the situation is a strong indicator of the challenges many EU businesses face when using cloud services.
In May 2024 the Commission, followed by Microsoft, brought the EDPS decision before the CJEU.
That makes this case particularly interesting to follow.
Businesses using cloud services will be eagerly awaiting the CJEU’s perspective on several key issues that many are currently grappling with. Among others:
What actually constitutes a transfer to a third country has been a recurring question.
This is especially the case when we talk about cloud services, which can often have servers or backup infrastructure located outside the EU. Even if the service is primarily offered in the EU.
The CJEU’s ruling could have major practical consequences for how the contractual relationship between data controllers and cloud providers will look in the future.
We expect the CJEU to address a key question:
How detailed and precise must a controller’s instructions in a data processing agreement be in describing the types of personal data that the processor may process?
The court will also have to decide how clearly and precisely the processing purposes must be defined in those instructions.
The EDPS’s order that the Commission bring all its data processing activities into compliance with the decision by December 9 is a significant interference in the institution’s operations.
We look forward to clarification from the CJEU on how the principle of proportionality should be applied when enforcing data protection rules.
Speaking of looking forward: I’ll dig further into the questions above and elaborate on my perspectives in my webinar on November 7 from 11:00 to 12:00.