EDPS finds that the CJEU’s use of cloud videoconferencing services complies with data protection law

In its Decision published on 13 July 2023, the EDPS finds that the use of Cisco Webex videoconferencing and related services by the Court of Justice of the European Union (the Court) meets the data protection standards under Regulation 2018/1725 applicable to EU institutions, bodies, offices and agencies.

Wojciech Wiewiórowski, EDPS, said: “EU institutions, bodies, offices and agencies in their day-to-day work must uphold individuals’ fundamental rights and in particular data protection rules when using videoconferencing tools. This is all the more true when the use of these tools may involve transfers of personal data to countries outside the EU and the European Economic Area (EEA) that can lead to increased risks for the rights and freedoms of individuals. I welcome that the Court has taken leadership to obtain significant changes from Cisco; we hope this achievement can act as an example for other EU institutions, bodies, offices and agencies.”

The EDPS has issued this decision on the basis of the revised agreement between the Court and Cisco, which ensures that the processing of individuals’ personal data occurs only in the EU/EEA. Importantly, the EDPS welcomes the Court’s inclusion of technical and organisational measures to prevent the risks associated with transfers of personal data outside the EU/EEA.

The EDPS encourages the ongoing commitments by EU institutions, bodies, offices and agencies to respect data protection law when using cloud-based services. One of the ways to achieve this is to conduct thorough assessments and analysis of any potential risks related to non-EU/EEA laws that may impact the privacy of individuals. In the coming months, the EDPS aims to further work on this matter with the Data Protection Officers of the EU institutions, bodies, offices and agencies, by providing relevant advice and guidance as their supervisory data protection authority.