On 1 April 2022, the EDPS reprimanded the European Border and Coast Guard Agency (Frontex) for a breach of the Data Protection Regulation (EU) 2018/1725, applicable to Union institutions, offices, bodies and agencies.
The EDPS found that Frontex moved to the cloud without a timely, exhaustive assessment of the data protection risks and without the identification of appropriate mitigating measures or relevant safeguards for processing. Frontex also failed to demonstrate the necessity of the planned cloud services, as it has not shown that the chosen solution (“Microsoft 365”) was the outcome of a thorough process whereby the existence of data protection compliant, alternative products and services meeting Frontex’s specific needs were assessed. In addition, Frontex failed to demonstrate that it limited Microsoft’s collection of personal data to what is necessary, based on an identified legal basis and established purposes. Frontex therefore breached the accountability principle as well as its obligations as a controller and the requirements of data protection by design and by default.
In addition to the reprimand, the EDPS ordered Frontex to review its Data Protection Impact Assessment and the Record of Processing activities relating to the processing of personal data in cloud services.
Wojciech Wiewiórowski, EDPS, said: “It is the controller’s responsibility towards the competent authority and towards the individuals whose data is processed to clearly identify the activities requiring the processing of personal data and to assess the impact on individuals’ fundamental rights. This analysis must be carried out properly before taking any decisions to process personal data. Any choice should be guided by the consideration of the necessity of the technology and tools used, and by thoroughly investigating whether less- risky alternatives exist.”
The EDPS investigation was launched after Frontex communicated its decision to move all of its IT services into a hybrid cloud (consisting of Microsoft Office 365, Amazon Web Services (AWS), and Microsoft Azure) in the context of the implementation of the new Frontex Regulation. It focused on the Frontex’s obligation to comply with the principle of accountability under Article 4(2) of the Regulation as well as with the obligations under Article 26 (‘Responsibility of the controller’) and Article 27 (‘Data protection by design and by default’) of Regulation (EU) 2018/1725.
Other elements, such as the analysis of the underlying contracts or the lawfulness of transfers to non-EU/EEA countries were not in scope of this investigation. These latter elements are the object of two other ongoing EDPS investigations on the use of cloud services following the Schrems II judgment, one regarding the use of cloud services provided by Amazon Web Services and Microsoft under Cloud II contracts by European Union institutions, bodies and agencies (EUIs), and one regarding the use of Microsoft Office 365 by the European Commission. These investigations are part of the EDPS’ strategy for EU institutions to comply with the “Schrems II” Judgement so that ongoing and future international transfers are carried out according to EU data protection law.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Frontex Regulation: Regulation (EU) 2019/1896 of the European Parliament and of the Council of 13 November 2019 on the European Border and Coast Guard. Section 2 of Chapter IV established rules on the processing of personal data by the European Border and Coast Guard.
Wojciech Wiewiórowski (EDPS), was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.
About EDPS investigations: We conduct investigations on our own initiative or on the basis of a complaint. We have extensive powers to access all personal data, information and documents, which are necessary for our investigations, and to access premises, including any data processing equipment and means, in case an on-site investigation is needed. An investigation can be of a general nature, such as our survey on compliance with data protection rules in the EU institutions, which we conduct every two years. We also conduct more targeted investigations on specific subjects, for instance video surveillance in the EU institutions. More information can be found on the EDPS website here.