The rapid move by the European Border and Coast Guard Agency (Frontex) to Microsoft's cloud-based Office 365 suite in the first half of 2020 has had consequences. The European Data Protection Supervisor (EDPS), Wojciech Wiewiórowski, has issued the agency an official reprimand, mainly because the migration to the cloud took place without a proper data protection assessment.
At the end of May 2020, Frontex Executive Director Fabrice Leggeri informed Wiewiórowski of his decision to move the agency's IT services to a hybrid cloud environment, which in future is to consist of Microsoft 365, Microsoft Azure and Amazon Web Services (AWS). According to Leggeri, introducing Office 365 was only the "first step"; the full migration has not yet been carried out. Once it is, the EDPS will also examine whether the use of the other services named violates the law, for example through international data transfers.
The reprimand, published on Tuesday in partially redacted form, was sent to Frontex on April 1. Wiewiórowski finds violations of Regulation (EU) 2018/1725, which applies to EU institutions, bodies, offices and agencies and largely mirrors the General Data Protection Regulation (GDPR).
The EDPS states that "Frontex has switched to the cloud without a comprehensive and timely assessment of data protection risks and without identifying appropriate remedial measures or relevant safeguards for processing." According to the decision, the agency also failed to demonstrate that the switch to the selected cloud services was necessary.
In addition, according to the decision, the agency was unable to show that it had "limited the collection of personal data by Microsoft to what is necessary." Frontex has no specific legal basis for the data flows that the Office suite generates in its default configuration, and cannot name any specific legitimate purposes for that processing.
Wiewiórowski finds that Frontex violated the principle of accountability, its obligations as controller and the requirement of data protection by design, and instructs the agency to extend the preliminary data protection impact assessment it had already carried out. The Warsaw-based agency must also provide information about the current data flows to Microsoft and to any other providers or third parties it uses, and justify the purposes of those flows.
Telemetry data from Microsoft
At the time of the review, "the agency did not have a sufficiently accurate configuration at the application management level that would have made it possible to stop the collection and processing of diagnostic data for Windows 10 and Office Pro Plus if necessary," Wiewiórowski writes. Frontex was also unable to verify which personal data Microsoft collects from Windows 10 via telemetry. Back in June 2020 the supervisor had warned EU bodies against the unconsidered use of Microsoft products and recommended looking at alternatives.
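The "configuration at the application management level" that the decision says was missing is, in practice, a set of Group Policy settings. The following PowerShell script is an added example, not code from the article, from Frontex or from the EDPS: it audits the registry values that back the documented Windows 10 and Microsoft 365 Apps diagnostic-data policies and, with the -Enforce switch, sets them to the most restrictive level. The registry paths and value meanings are taken from Microsoft's policy documentation; the script assumes an elevated session for the HKLM write and that it is run in the context of the user whose Office settings are being checked.

```powershell
# Added example (not from the article, Frontex or the EDPS): audit, and optionally
# enforce, the policy values that control Windows 10 and Office diagnostic data.
# Assumes an elevated session for the HKLM write; Office values live under HKCU.
[CmdletBinding()]
param(
    [switch]$Enforce   # without this switch the script only reports
)

# Each entry: policy-backed registry key, value name, desired level and a legend.
$Policies = @(
    @{
        Name    = 'Windows diagnostic data (AllowTelemetry)'
        Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
        Value   = 'AllowTelemetry'
        Desired = 0      # 0 = Security (Enterprise/Education only), 1 = Required, 2 = Enhanced, 3 = Full
        Legend  = @{ 0 = 'Security'; 1 = 'Required (Basic)'; 2 = 'Enhanced'; 3 = 'Full' }
    },
    @{
        Name    = 'Office client diagnostic data (SendTelemetry)'
        Path    = 'HKCU:\SOFTWARE\Policies\Microsoft\office\16.0\common\clienttelemetry'
        Value   = 'SendTelemetry'
        Desired = 3      # 1 = Required, 2 = Optional, 3 = Neither
        Legend  = @{ 1 = 'Required'; 2 = 'Optional'; 3 = 'Neither' }
    },
    @{
        Name    = 'Office connected experiences (DisconnectedState)'
        Path    = 'HKCU:\SOFTWARE\Policies\Microsoft\office\16.0\common\privacy'
        Value   = 'DisconnectedState'
        Desired = 2      # 1 = connected experiences enabled, 2 = disabled
        Legend  = @{ 1 = 'Enabled'; 2 = 'Disabled' }
    }
)

function Get-PolicyState {
    param($Policy)
    $current = $null
    if (Test-Path $Policy.Path) {
        $item = Get-ItemProperty -Path $Policy.Path -Name $Policy.Value -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = [int]$item.($Policy.Value) }
    }
    [pscustomobject]@{
        Setting   = $Policy.Name
        Current   = if ($null -eq $current) { 'not configured (product default applies)' }
                    else { "$current ($($Policy.Legend[$current]))" }
        Desired   = "$($Policy.Desired) ($($Policy.Legend[$Policy.Desired]))"
        Compliant = ($current -eq $Policy.Desired)
    }
}

function Set-PolicyValue {
    param($Policy)
    if (-not (Test-Path $Policy.Path)) { New-Item -Path $Policy.Path -Force | Out-Null }
    New-ItemProperty -Path $Policy.Path -Name $Policy.Value -PropertyType DWord `
                     -Value $Policy.Desired -Force | Out-Null
}

$report = foreach ($p in $Policies) {
    $state = Get-PolicyState $p
    if ($Enforce -and -not $state.Compliant) {
        Set-PolicyValue $p
        $state = Get-PolicyState $p   # re-read so the report shows the applied value
    }
    $state
}
$report | Format-Table -AutoSize
```

Two caveats a practitioner would want: AllowTelemetry = 0 only yields the "Security" level on Windows 10 Enterprise and Education editions; on other editions the operating system treats it as Required (Basic), so the edition has to be checked before claiming that collection is switched off. And the Office values are per-user policies, so in a managed environment they belong in a Group Policy Object or Intune profile rather than in a local script; the script is useful to verify that such a policy has actually landed on a machine, which is exactly the kind of evidence the decision says Frontex could not produce.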
Leggeri explained the failures by saying that the shift to the cloud had taken place "in a very difficult position to implement the new mandate in the midst of the ongoing Covid crisis". There had therefore been no opportunity for timely consultation; eventually, however, the EDPS had been fully informed.