The rapid switch by the European Border and Coast Guard Agency (Frontex) to the cloud-based office software suite Microsoft Office 365 in the first half of 2020 has consequences. The European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski gave the authority an official reprimand, mainly because the migration to the cloud took place without a proper data protection check.
Frontex Executive Director Fabrice Leggeri informed Wiewiórowski at the end of May 2020 of his decision to move the agency's IT services to a hybrid cloud environment, which is to consist of Microsoft 365, Microsoft Azure and Amazon Web Services (AWS). According to Leggeri, the introduction of Office 365 is "the first step"; the complete changeover has not yet taken place. The EDPS is also examining whether the use of the other services mentioned breaches the law, for example through international data transfers.
The reprimand published on Tuesday (partly blacked out) was sent to Frontex on April 1st. Wiewiórowski criticizes violations of the data protection regulation 2018/1725, which applies to EU institutions, offices, bodies and agencies and is similar to the more general General Data Protection Regulation (GDPR).
The EDPS found "that Frontex switched to the cloud without a timely, comprehensive assessment of the data protection risks and without determining appropriate remedial measures or relevant safeguards for the processing". According to the decision, the agency also failed to demonstrate the necessity of switching to the chosen cloud services.
The decision further states that the agency could not show that it "limited the collection of personal data by Microsoft to what was necessary". Frontex has no specific legal basis for the data flows to Microsoft that occur with the Office suite in its default configuration, and could not name any specific legitimate purposes for that processing.
Wiewiórowski found that Frontex had breached the principle of accountability, its obligations as controller and the requirements of data protection by design and by default, and instructed the agency to expand the rudimentary data protection impact assessment it had carried out. The Warsaw-based agency must also document the existing data flows to Microsoft and to the other providers or third parties it currently uses, and justify their purposes.
Microsoft's telemetry data
At the time of the audit, the agency "did not have a sufficiently fine-grained configuration at the application management level that would have made it possible to switch off the collection and processing of diagnostic data for Windows 10 and Office Pro Plus if necessary", Wiewiórowski writes. For Windows 10, Frontex was also unable to verify which personal data Microsoft collects via telemetry. In June 2020 the EDPS had already warned against the ill-considered use of Microsoft products and recommended considering alternatives.
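As an added illustration of the configuration gap the EDPS describes, the following PowerShell audit reads the Group Policy-backed registry values that control Windows 10 diagnostic data and Office 16.0 (Office 365 ProPlus / Microsoft 365 Apps) diagnostic data and optional connected experiences, and reports whether each is configured at its most restrictive level. This is example code written for this page, not code from the article, the EDPS or Frontex. The registry paths, value names and level meanings follow Microsoft's documented policy settings; the function names, the `$checks` table and the "minimal" judgement are assumptions of this example.

```powershell
# Added example, not from the article: audit the policy-backed registry
# values that govern Windows 10 and Office 16.0 diagnostic-data collection.
# Value names and level meanings follow Microsoft's documented policies;
# the function names, the $checks table and the "Minimal" judgement are
# this example's own. Run in an elevated PowerShell on the managed client;
# HKCU entries reflect the user running the script.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means "not configured": the policy key or the value is absent.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-DiagnosticDataPolicy {
    $checks = @(
        @{
            Component = 'Windows 10 diagnostic data'
            Path      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
            Name      = 'AllowTelemetry'
            # 0 = Security (honoured only on Enterprise/Education/Server editions),
            # 1 = Required (Basic), 2 = Enhanced, 3 = Optional (Full).
            Levels    = @{ 0 = 'Security'; 1 = 'Required (Basic)'; 2 = 'Enhanced'; 3 = 'Optional (Full)' }
            Minimal   = 0
        },
        @{
            Component = 'Office diagnostic data'
            Path      = 'HKCU:\SOFTWARE\Policies\Microsoft\office\16.0\common\privacy'
            Name      = 'SendTelemetry'
            # Policy "Configure the level of client software diagnostic data sent
            # by Office to Microsoft": 1 = Required, 2 = Optional, 3 = Neither.
            Levels    = @{ 1 = 'Required'; 2 = 'Optional'; 3 = 'Neither' }
            Minimal   = 3
        },
        @{
            Component = 'Office optional connected experiences'
            Path      = 'HKCU:\SOFTWARE\Policies\Microsoft\office\16.0\common\privacy'
            Name      = 'ControllerConnectedServicesEnabled'
            # Policy "Allow the use of additional optional connected experiences
            # in Office": 1 = Enabled, 2 = Disabled.
            Levels    = @{ 1 = 'Enabled'; 2 = 'Disabled' }
            Minimal   = 2
        }
    )

    foreach ($c in $checks) {
        $value = Get-PolicyValue -Path $c.Path -Name $c.Name
        if ($null -eq $value) {
            $level = 'Not configured (product default applies)'
        } elseif ($c.Levels.ContainsKey([int]$value)) {
            $level = $c.Levels[[int]$value]
        } else {
            $level = "Unrecognised value $value"
        }
        [pscustomobject]@{
            Component  = $c.Component
            Policy     = "$($c.Path)\$($c.Name)"
            Configured = ($null -ne $value)
            Level      = $level
            AtMinimum  = ($null -ne $value -and [int]$value -eq $c.Minimal)
        }
    }
}

# Usage: any row with AtMinimum = False is a collection channel the policy
# has not closed, or has not configured at all (so the product default applies).
Get-DiagnosticDataPolicy | Format-Table -AutoSize
```

Two caveats a practitioner would check before relying on the result: the Windows "Security" level (0) is only honoured on Enterprise, Education and Server editions and silently behaves as "Required" elsewhere, and an absent value means the product default applies, which for both Windows 10 and Office is not the most restrictive setting. The script reports the policy state only; it does not inspect what the telemetry actually contains, which is the second gap the EDPS identified.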
Leggeri attributed the failures to the fact that the switch to the cloud took place "in a very difficult situation to implement the new mandate in the midst of the ongoing Covid crisis", so that there had been no opportunity for timely consultation. Ultimately, however, the EDPS had been fully informed, he said.