SECOND PART: ANNEX 1 EDPS AND MICROSOFT
THE INTERINSTITUTIONAL AGREEMENT WITH MICROSOFT
The EDPS’s “Strategy for EU institutions to comply with ‘Schrems II’ Ruling” tries to solve, directly, the problem set forth by Microsoft Corp.’s licensing agreements with European Union authorities, which gave the U.S. tech giant free rein to oversee data processing activities for more than 45,000 EU officials, and, indirectly, the question of how all Data Protection Authorities in Europe must cope with the legal gap created by the Schrems II Judgement.
The EU’s in-house data protection regulator said in the findings of its probe that the institutions’ lack of control “over which sub-processors Microsoft used and lack of meaningful audit rights also presented significant issues.” EU institutions should “carefully consider any purchases of Microsoft products and services or new uses of existing products and services until after they have analyzed and implemented the recommendations” of the European Data Protection Supervisor, the watchdog said.
The staff and agencies using the products “had insufficient clarity as to the nature, scope and purposes of the processing and the risks to data subjects to be able to meet their transparency obligations,” the EDPS, which acts independently of the EU bodies it oversees, said in the 29-page report on its findings.
The criticism over the use of Microsoft products is an unusual step for the body, which keeps a far lower profile than EU data privacy authorities who police the bloc’s tough rules at national level.
As a solution to the uncertainties arising from the above report, and in an effort at further clarification, the European Data Protection Supervisor (EDPS) issued on 29 October a strategic document aiming to monitor compliance of European institutions, bodies, offices and agencies (EUIs) with the “Schrems II” Judgement in relation to transfers of personal data to third countries, and in particular the United States. The goal is that ongoing and future international transfers are carried out in accordance with EU data protection law.
Wojciech Wiewiórowski, EDPS, said: “Transfers of personal data by EUIs to third countries should comply with the EU Charter of Fundamental Rights, as well as applicable EU data protection legislation, specifically Chapter V of Regulation (EU) 2018/1725. To this end, the Strategy builds on the cooperation and accountability of controllers to assess whether the essentially equivalent standard of protection, based on the Court’s ruling, is guaranteed when transfers of personal data are made towards third countries. Furthermore, the EDPS will continue to closely cooperate with other Data Protection Authorities (DPAs) within the European Data Protection Board (EDPB) so that individuals’ personal data is consistently protected throughout the EU/EEA, when data transfers to third countries occur”.
In this context, the EDPS has developed an action plan to streamline compliance and enforcement measures, distinguishing between short-term and medium-term compliance actions.
As the strategy continues to be implemented, the EDPS strongly encourages EUIs to avoid transfers of personal data towards the United States for new processing operations or new contracts with service providers.
OUTCOME OF OWN-INITIATIVE INVESTIGATION INTO EU INSTITUTIONS’ USE OF MICROSOFT PRODUCTS AND SERVICES, July 2nd, 2020
“..The EDPS made the following key findings in its investigation into the EU institutions’ use of Microsoft products and services.
First, the licensing agreement between Microsoft and the EU institutions allowed Microsoft to define and change the parameters of its processing activities carried out on behalf of EU institutions and contractual data protection obligations. The discretion that Microsoft had amounted to a broad right for Microsoft to act as a controller. Given the EU institutions’ role as public service institutions, the EDPS did not consider this appropriate. The EDPS recommended to EU institutions that they act to retain controllership.
Second, EU institutions needed to put in place a comprehensive and compliant controller-processor agreement and documented instructions of the EU institutions to the processors. Their lack of control over which sub-processors Microsoft used and lack of meaningful audit rights also presented significant issues. The EDPS made recommendations on how to improve the controller-processor agreement and put robust audit checks in place.
Third, EU institutions faced a number of linked issues concerning data location, international transfers and the risk of unlawful disclosure of data. They were unable to control the location of a large portion of the data processed by Microsoft. Nor did they properly control what was transferred out of the EU/EEA and how. There was also a lack of proper safeguards to protect data that left the EU/EEA. EU institutions also had few guarantees at their disposal to defend their privileges and immunities and ensure that Microsoft would only disclose personal data insofar as permitted by EU law. The EDPS made recommendations to assist EU institutions in addressing these issues.
Fourth, the EDPS considered the technical measures that the Commission had put in place to stem the flow of personal data generated by Microsoft products and services and sent to Microsoft. The EDPS recommended that all EU institutions perform tests using a revised and comprehensive approach, share among them the knowledge and technical solutions they developed to prevent unauthorised data flows to Microsoft and inform each other of any data protection issues they identify with the products or services.
Fifth, the EU institutions had insufficient clarity as to the nature, scope and purposes of the processing and the risks to data subjects to be able to meet their transparency obligations towards data subjects. The EDPS recommended that EU institutions seek the clarity and assurances allowing them to keep data subjects properly informed…”