A report detailing EU government cloud use will be published by the end of the year
Do European Union (EU) member states comply with data privacy laws? This is a question the European Data Protection Board (EDPD) hopes to answer. The agency announced last week the start of its “public sector usage surveys of cloud-based services”.
The report on cloud usage in the public sector is part of a series of actions aimed at aligning and enforcing data protection standards between EU supervisory authorities. The Brussels-based group was created by the EU’s General Data Protection Regulation (GDPR). It contributes to the consistent application of GDPR rules across the EU.
The announcement that the government cloud investigation was underway came four months after the EDPB first announced its intention to investigate public sector cloud use. The independent agency said that in the coming months, 22 supervisory authorities will gather information for its report, which will be published before the end of the year.
The group acknowledged that digital transformation has created pressure on public sector organizations to find cloud-based solutions that comply with EU data protection rules.
“The COVID-19 pandemic has triggered a digital transformation of organizations, with many public sector organizations turning to cloud technology. However, in doing so, public bodies at national and European level may encounter difficulties in obtaining information and communication technology products and services that comply with EU data protection rules,” said the EDPD in a statement.
“Through coordinated guidance and actions, SAs aim to foster best practices and thereby ensure adequate protection of personal data,” he said.
The EDPD said the discovery process will provide insights to help EU member states implement government cloud safeguards and consistent policies. The information-gathering process will identify areas requiring further investigation and stronger policy enforcement. The EDPD said more than 80 public bodies across the EU will be investigated, including in the areas of health, finance, taxation, education and central purchasing of services computers.
“Specifically, [Supervisory Authorities] explore the GDPR compliance challenges for public bodies when using cloud-based services, including the process and safeguards implemented when acquiring cloud services, challenges with international transfers and the provisions governing the controller-processor relationship,” the agency said.
The group plans to aggregate the data collected by regulatory authorities before deciding what to do next.