European Data Protection Board launches co-ordinated investigation into use of cloud-based services by public sector

Over the next few months, 22 national supervisory authorities across the EEA (including the European Data Protection Supervisor (EDPS)) will launch investigations into the use of cloud-based services by the public sector.

This follows the EDPB’s decision to set up a Coordinated Enforcement Framework (CEF) in October 2020. The CEF is a key action of the EDPB under its 2021-2023 Strategy, together with the creation of a Support Pool of Experts (SPE). The two initiatives aim to streamline enforcement and cooperation among Supervisory Authorities (SAs).

According to Eurostat, cloud uptake by enterprises has doubled across the EU in the last 6 years. The COVID-19 pandemic has sparked a digital transformation, with many public sector organisations turning to cloud technology. However, in doing so, public bodies at national and EU level may face difficulties in obtaining Information and Communication Technology products and services that comply with EU data protection rules. Through coordinated guidance and action, the SAs aim to foster best practices and ensure the adequate protection of personal data.

Over 80 public bodies in total will be addressed across the EEA, including EU institutions, covering a wide range of sectors (such as health, finance, tax, education, central buyers or providers of IT services). The CEF will be implemented at national level through fact-finding exercises, questionnaires to ascertain whether an investigation is warranted, commencement of a formal investigation and follow-up of ongoing formal investigations. In particular, SAs will explore the challenges that public bodies face in complying with the GDPR when using cloud-based services, including the process employed and the safeguards implemented when acquiring cloud services, challenges in relation to international transfers, and provisions governing the controller-processor relationship.

The results will be analysed in a coordinated manner and the SAs will decide on possible further national supervision and enforcement action. In addition, results will be aggregated, generating deeper insight into the subject and allowing targeted follow-up at EU level. The EDPB will publish a report on the outcome of this analysis before the end of 2022.