Greetings from Brussels!
In my view, the interesting news this week emanates from the heart of Europe, from the European Data Protection Supervisor (EDPS). The independent supervisory watchdog announced on Monday that it will launch an investigation to assess the overall compliance of the contractual arrangements between the European Commission and other EU institutions and Microsoft. A core activity of the EDPS mandate, as the supervisory authority for the EU institutions, is to monitor and enforce how the processing of personal data is carried out by EU institutions and agencies, in accordance with EU data protection rules. With the advent of the GDPR, it is natural enough for such an investigation to come to the fore.
To put some scope on this: on 23 May 2018, representatives of the EU Council and the Parliament agreed on a new regulation (Regulation (EU) 2018/1725) on the handling of personal data by EU institutions and other EU bodies. The new rules were aligned with the GDPR, which, as you know, became applicable two days later, on 25 May 2018. These new data protection rules for the EU institutions and bodies came into force on 11 December 2018. The rules stipulate that contractors (processors) have direct responsibilities for ensuring compliance. However, when contracting with third-party vendors, the EU institutions, in their role as controllers, remain accountable for any outsourced data processing activities. Moreover, like any other organization, they have a duty to ensure that their contractual arrangements respect the new rules, in particular in the areas of identification and mitigation of risk.
As stated by Wojciech Wiewiórowski, Assistant EDPS, in a news release, the EU institutions rely on Microsoft services and products to carry out their daily activities, which includes the processing of large amounts of personal data. Considering the nature, scope, context and purposes of this data processing, it is important that appropriate contractual safeguards and risk-mitigating measures are in place to ensure compliance. The investigation will therefore assess which Microsoft products and services are currently being used by the EU institutions, and whether the contractual arrangements concluded between Microsoft and the EU institutions are fully compliant with data protection rules.
It is important to note that, on the question of enforcement, the fining power is governed by Article 66 of Regulation 2018/1725 (not by the GDPR, which does not apply to the EU institutions themselves): the EDPS may only impose administrative fines on the EU institutions and bodies which it is mandated to supervise. Whether a fine is imposed depends on the circumstances of each individual case in which a given EU entity fails to comply with an instruction of the EDPS. The authority may not impose fines on third-party vendors such as Microsoft. Depending on the nature of the infringement, an EU institution or body may be fined up to 50,000 euros per infringement, up to a maximum of 500,000 euros per year. Furthermore, any funds collected through administrative fines imposed as part of enforcement action become income of the general budget of the EU.
In launching this initiative, the EDPS is committed to ensuring that the EU institutions lead by example. Microsoft said it was ready to assist its customers in the EDPS investigation, stating that it was equally committed to helping its customers comply with the GDPR, the regulation applicable to the EU institutions, and other applicable laws.
It is an important signal for citizens: tighter rules on data protection apply to everybody, including the EU institutions themselves.