EDPS Opens Investigations Following Schrems II Judgment
Time 2 Minute Read
Categories: European Union, Information Security

On May 27, 2021, the European Data Protection Supervisor (the “EDPS”) announced that it has opened two investigations regarding (1) the use of cloud services provided by Amazon Web Services and Microsoft under Cloud II contracts by European Union institutions, bodies and agencies; and (2) the use of Microsoft Office 365 by the European Commission.

These investigations are part of the EU institutions strategy to comply with the Schrems II judgment of the Court of Justice of the European Union.

Background

As a result of the Schrems II judgment, controllers relying on a transfer mechanism under Article 46 of the EU General Data Protection Regulation (“GDPR”) to transfer personal data outside the European Economic Area (“EEA”) (“data exporters”) must verify, on a case-by-case basis and in collaboration with the data importers, as appropriate, whether the law of the importer’s country ensures a level of protection for the personal data that is essentially equivalent to the EEA’s protections. If not, data exporters need to assess whether they can implement supplementary measures to help ensure the requisite level of protection.

According to Wojciech Wiewiórowski, the EDPS, the EU institutions must “lead by example when it comes to privacy and data protection.”

Read the EDPS Press Release.

Tags: Cloud, Cross-Border Data Flow, Data Controller, Data Transfer, EU Member States, European Commission, European Data Protection Supervisor, GDPR, Microsoft, Personal Data, Schrems
Print Email Twitter/X Linkedin Facebook

You May Also Be Interested In

Time 3 Minute Read
Connecticut AG Clarifies AI Compliance Obligations Under CTDPA

The Connecticut Attorney General recently issued a legal memorandum regarding the application of existing Connecticut laws, such as the Connecticut Data Privacy Act, to the use of artificial intelligence.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 2 Minute Read
European Commission Seeks Feedback on Draft Cyber Resilience Act Guidelines

On March 3, 2026, the European Commission published draft guidelines intended to clarify the application of the Cyber Resilience Act and opened a public consultation to gather feedback from stakeholders.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 6 Minute Read
NetChoice Files Suit Challenging South Carolina Age-Appropriate Code Design

On February 9, 2026, trade association NetChoice filed a lawsuit challenging South Carolina’s newly passed Age-Appropriate Code Design (“SC AACD”) on First and Fourteenth Amendment grounds. The SC AACD was signed into law on February 5, 2026, making South Carolina the fifth U.S. state to enact such a law, following California, Maryland, Nebraska and Vermont.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 2 Minute Read
Congress Extends Cybersecurity Information Sharing Act of 2015 through September 2026

Congress has extended the Cybersecurity Information Sharing Act of 2015 through September 30, 2026 as part of the Consolidated Appropriations Act, a government funding package enacted in early February 2026.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page