The EU data protection authority has negotiated a contract for the use of Nextcloud and LibreOffice Online in EU institutions. She is now testing the solutions.
The EU data protection officer Wojciech Wiewiórowski wants to make it easier for EU institutions to switch from Microsoft programs to free software. His authority has negotiated a framework agreement with a service provider in a member state that is open to all EU institutions. This involves using the Nextcloud collaboration solution and the LibreOffice Online office package. They should offer users the opportunity to exchange files, send messages, make video calls and create joint designs in a secure cloud environment.
“Privacy Friendly Alternatives”
Wiewiórowski and his team began testing the two solutions this month, the agency’s chief announced on Thursday . In the coming months, they want to examine “how these instruments can support the day-to-day work of the EU institutions.” This pilot phase is part of a larger “reflection process” around structures in the IT area of administration, which has been running since last year. The aim is to encourage EU institutions to “consider alternatives to large service providers”. This is important in order to better comply with applicable regulations such as the special data protection regulation based on the GDPR for these institutions .
By procuring the open source software from a single location in the EU, the use of other processors is avoided, the supervisory body advertises for the path taken. This would avoid data transfers to third countries such as the USA, which are problematic after the end of the Privacy Shield . In addition, more effective control over the processing of personal data is made possible.
According to Wiewiórowski, free software offers “privacy-friendly alternatives to the commonly used large cloud service providers”. Solutions like these can therefore “minimise monopoly vendor dependency and adverse lock-in effects.” With the negotiated contract, the authority is fulfilling its obligations to support other EU institutions “to protect digital rights”. You are setting a good example here.
Targeting Microsoft’s Office
Wiewiórowski has already examined the EU institutions’ contracts with Microsoft and came to the conclusion in 2020 that the purposes of data processing when using Windows or Microsoft Office are far too openly defined. Sub-processors would not be adequately checked, data could be transferred to countries outside the community without control by the EU institutions. At the time, he demanded that Microsoft should only keep user information in the EU. The roles of all those involved with all their rights and obligations must be clearly regulated. It is best for users to look around for alternatives that “allow higher data protection standards”.
In May 2021, the data protection officer launched further investigations into the use of Microsoft and Amazon cloud services at EU institutions. These relate, for example, to the use of Microsoft Office 365 by the EU Commission. Many relevant contracts Wiewiórowski were concluded before the “Schrems II judgment” and would have to be reviewed in the light of the case law of the European Court of Justice. In Germany, the conference of the independent data protection supervisory authorities of the federal and state governments at the end of November emphasized that institutions such as authorities, schools and companies could easily “use the Office package from Microsoft with a cloud connection not legally compliant” .
