A coordinated enforcement action focusing on the use of cloud services by public sector bodies has been launched across the European Union.
More than 80 public bodies across a wide range of sectors, including health, finance, tax, education and the provision and procurement of IT services, will be contacted by their local data protection authorities. The contact will range from fact-finding exercises and questionnaires to, potentially, formal investigations if privacy issues are identified.
The European Data Protection Board (EDPB) announced its intention to target public sector use of cloud services last October, but today marks the start of the national-level action, which it expects to take the better part of this year, with a ‘state of play’ report to be published by the Board before the end of 2022, according to a spokeswoman.
“In 2021, EDPB members considered a list of possible options for the first CEF [coordinated enforcement framework] action: they prioritized the use of cloud services by the public sector,” she also said, adding: “It was a collective choice. Individual members may have prioritized this topic for a variety of reasons, including the fact that they had already initiated work on this topic or were planning to do so in the near future.”
The EDPB said the aim of the CEF is to harmonize the approach taken by individual supervisory authorities to ensure a more consistent application of EU data protection law.
“Intense preparatory work has been carried out since October and the EDPB is now implementing the actions at national level,” added the spokesperson. “National SAs [supervisory authorities] will in particular look into the safeguards put in place when acquiring cloud services, including questions relating to international transfers.”
The EDPB says 22 authorities from across the European Economic Area are taking part in the sweep, including the European Data Protection Supervisor (EDPS), which last year opened its own investigation into contracts between EU institutions and the US cloud giants AWS and Microsoft as part of its oversight of their compliance with the bloc’s data protection rules.
The CEF action starting today does not replace such individual investigations, a number of which are likely still ongoing. Rather, it complements those targeted probes and may lead to new ones being opened, since it will draw attention to the use of the cloud by public sector bodies and to the detail of their contracts, which often involve data transfers outside the EU.
Cloud contracts with US giants, in particular, have come under scrutiny in the EU since a July 2020 ruling by the bloc’s top court, which struck down a landmark deal for transferring data between the EU and the United States, increasing legal uncertainty around transatlantic flows of personal data.
In recent weeks, we have also seen an uptick in data protection enforcement on the issue of data transfers.
This year, a number of authorities have found breaches of the EU General Data Protection Regulation (GDPR) associated with widely used tools such as Google Analytics, owing to the export of personal data to the United States. (See, for example, recent decisions by the EDPS, as well as by the Austrian and French authorities, all of which concluded that EU users’ data was not sufficiently protected.)
Such enforcement actions mean that GDPR compliance may require EU entities to stop using certain US-based cloud tools entirely, unless or until robust additional measures (or a new legal framework) can be applied to protect citizens’ data.
The overarching problem is not only that the US lacks a legal standard equivalent to the EU’s GDPR for protecting people’s data, but also that it has extensive surveillance laws. Those laws mean that people’s information can be sucked up in bulk or through targeted searches by government agencies using sweeping powers to tap commercial platforms and Internet infrastructure under interception programmes driven by a ‘collect everything’ national security philosophy of mass surveillance.
This clash between US surveillance powers and EU data protection and privacy rights has caused major commercial collateral damage in the form of a multi-year legal drama for companies wishing to export user data from the EU to the US for processing, with only a brief respite via the EU-US Privacy Shield data transfer agreement (which lasted just four years, from 2016 to 2020, before being struck down).
This continuing uncertainty means that each proposed data transfer from the EU to the US must now be assessed on a case-by-case basis and, where risks are identified, the export can only take place if adequate supplementary measures can be applied to raise the level of protection to the EU legal standard.
This is especially a problem when it comes to cloud services, since many mainstream platforms are based in the United States.
For some data mining services (hello Facebook!), applying adequate additional measures to protect transfers may simply not be possible.
For others, for example where a US-based cloud platform does not itself need to access user data in the clear, it may be possible to apply a technical measure, such as end-to-end encryption, to adequately reduce the risks of a transfer. However, determining what can work is itself complex. (The EDPB has previously issued detailed guidance on data transfers which discusses a range of possible contractual, technical and organizational measures, along with example scenarios of what might and might not work.)
Absent a replacement for the EU-US Privacy Shield, which is the subject of ongoing negotiations between the EU and the US, each transfer of EU users’ personal data to a third country must be assessed on its merits, creating ongoing costs and friction for businesses on both sides of the Atlantic.
At the same time, EU data protection authorities are concerned about the growing risks to citizens’ privacy resulting from the surge in the use of cloud services. The EDPB cites a Eurostat finding that enterprise cloud adoption has doubled in the EU over the past six years.
“The COVID-19 pandemic has triggered a digital transformation of organizations, with many public sector organizations turning to cloud technology. However, in doing so, public bodies at national and European level may encounter difficulties in obtaining information and communication technology products and services that comply with EU data protection rules,” it writes, adding: “Through coordinated guidance and actions, SAs aim to foster best practices and thus ensure adequate protection of personal data.”
“In particular, SAs [supervisory authorities] will explore the GDPR compliance challenges for public bodies when using cloud-based services, including the process and safeguards implemented when acquiring cloud services, challenges with international transfers and the provisions governing the controller-processor relationship.”
According to the Board, the results of the CEF will also be analysed in what it describes as “a coordinated manner”.
Regarding the possibility of further national supervision and enforcement measures, it says only that this will be for the individual data protection authorities to decide. But the hope is clearly to use joint action and investigation to reduce fragmentation and avoid a patchwork of compliance by harmonizing enforcement and guidance.
It also means that once we start to see enforcement actions in the sector, it is likely that more similar actions are on the way.
The EDPB said the CEF findings on cloud usage in the public sector will be aggregated, generating “a deeper insight into the topic and enabling targeted follow-up at EU level”. Its spokeswoman also called the forthcoming report a “stocktaking exercise”.
In response to questions, she also confirmed that the timeline for the release of the report (by the end of 2022) should not be interpreted to mean that no action will be taken in the meantime or that all enforcement actions will be finalized by the end of the year, noting that it usually takes longer to finalize a sanction decision than to send a letter with recommendations.
We have also contacted the EDPS to ask about the investigation into European institutions’ cloud contracts with AWS and Microsoft that it announced last year, and we will update this report with any response. Update: The EDPS said it will issue its own statement on the CEF tomorrow.
A spokesperson for the EDPS also confirmed that the aforementioned cloud contract investigations are ongoing: “Our specific investigations into EUIs’ [EU institutions’] use of MS [Microsoft] and AWS cloud services are still ongoing. I can’t give you a specific timeframe yet.”
Update: In a statement today on its 2022 priorities, the French data protection watchdog, the CNIL, also writes that it believes cloud services deserve “particular attention” from EU regulators because these technologies have become “essential”.
It further confirms its participation in the CEF working group, including through “monitoring procedures” which it says will target five ministries this year.
“Throughout the year, the CNIL will look further into questions relating to data transfers and the management of contractual relations between data controllers and cloud solution providers,” the CNIL also writes, adding: “This [CEF] is a key action of the EDPB strategy for the years 2021-2023, which aims to harmonize the effective application of the GDPR and the coordination between supervisory authorities.”