Investigations are to begin at a national level ‘in the coming months’ into the use of cloud-based services across much of Europe’s public sector.
Signalling the start of its first co-ordinated enforcement action, the European Data Protection Board (EDPB) has announced that 22 national supervisory authorities across the European Economic Area (EEA), including the European Data Protection Supervisor (EDPS), will be launching probes.
The move comes as use of cloud computing technologies – the delivery of services such as data storage and servers through the internet – increases worldwide, with a growing number of public sector organisations turning to cloud technology during the Covid-19 pandemic. But public bodies at national and European Union-level ‘may face difficulties in obtaining information and communication technology products and services that comply with EU data protection rules’, the EDPB states in its announcement of the probe.
Through co-ordinated guidance and action, supervisory authorities ‘aim to foster best practices and thereby ensure the adequate protection of personal data’, the EDPB said. More than 80 public bodies across the EEA, including European Union (EU) institutions, covering sectors such as health, finance, tax, education, central buyers or providers of IT services, can expect contact.
Supervisory authorities will explore public bodies’ challenges with GDPR (the EU’s General Data Protection Regulation) compliance when using cloud-based services, including the process and safeguards implemented when acquiring cloud services, challenges related to international transfers and ‘provisions governing the controller-processor relationship’.
EDPB report due this year
The investigations follow the EDPB’s decision to set up a ‘Co-ordinated Enforcement Framework’ (CEF) 18 months ago. The CEF stems from the board’s 2021-2023 Strategy (presented in December 2020), together with the creation of a ‘support pool of experts’. The two initiatives aim to boost enforcement and co-operation among supervisory authorities.
After common preparatory work by all participating supervisory authorities, the CEF will be implemented nationally in ‘one or several’ of the following ways: fact-finding exercise; questionnaire to identify if a formal investigation is warranted; start of a formal investigation; follow-up of ongoing formal investigations.
The results will be analysed in a co-ordinated manner and the supervisory authorities will decide on possible further national supervision and enforcement actions. In addition, results will be aggregated, ‘generating deeper insight into the topic and allowing targeted follow-up at EU level’. The EDPB will publish a report on the outcome of this analysis before the end of 2022.
The EDPB – which was established by the GDPR and whose secretariat is in Brussels – announced plans for this first co-ordinated action in October last year. The EEA includes the 27 EU member states, as well as Iceland, Liechtenstein and Norway.
The EDPS itself launched two investigations in May 2021: one regarding the use of cloud services provided by Amazon Web Services and Microsoft under what are known as ‘Cloud II’ contracts by EU institutions; and one regarding the use of Microsoft Office 365 by the European Commission.
Public sector must ‘lead by example’
“It is important that organisations within the public sector at national and EU level lead by example when it comes to outsourcing services and transferring personal data within and outside the EEA, by continuously putting in place effective measures to protect individuals’ personal data according to EU standards,” said Wojciech Wiewiórowski in an EDPS statement on 18 February.
Wiewiórowski made reference to the EDPS’s Strategy, published in October 2020, for EU institutions to comply with the ‘Schrems II’ ruling in relation to transfers of personal data to third countries, in particular the United States.
“A co-ordinated action at national and EU level, launched by the European Data Protection Board, plays an important role in ensuring that cloud-based services are fully compatible with EU data protection laws. I look forward to co-operating with other supervisory authorities, by building on the experience set out in the EDPS’s Schrems II Strategy.”
CISPE (Cloud Infrastructure Service Providers in Europe – a trade association) last week published the second edition of a guide designed to promote best practice in how public sector organisations procure cloud services. It is an update of a 2019 version, including new sections on codes of conduct for data protection and improved cyber security.
“The public sector is not only a significant user of IT services, but a key influencer. In pursuing cloud-first procurement it can significantly accelerate the use of the cloud, more efficient, innovative and cost-effective digital services, and a smaller environmental footprint,” said CISPE’s president, Alban Schmutz.
‘European data alliance to tackle public procurement of cloud services’ – our news story (7 January 2022) on the European Alliance for Industrial Data, Edge and Cloud convening for the first time during an online event chaired by the EU’s internal market commissioner Thierry Breton