The European Data Protection Board (EDPB) has kicked off its first coordinated enforcement action, taking a long, hard look at the use of cloud-based services by the public sector.
It’s going to be a big one, involving the launch of investigations by 22 national authorities across the European Economic Area (EEA) and encompassing more than 75 public bodies, including EU institutions. A wide range of services are to be examined, including health, finance, tax, and central buyers or providers of IT services.
As for how it will work, at national level a questionnaire will be handed out. A formal investigation might then begin depending on the answers.
The action comes amid expansion by the cloud giants over the last few years and the jump in cloud uptake by both the private and public sector during the COVID-19 pandemic. The outbreak, according to the EDPB, “has sparked a digital transformation of organisations, with many public sector organisations turning to cloud technology.”
The EDPB is concerned that the services obtained might not comply with rules concerning the protection of personal data. Hence the requirement that Supervising Authorities (SA) “explore public bodies’ challenges with GDPR compliance when using cloud-based services.”
Alexander Egerton, a partner and GDPR lawyer at Seddons, told The Register: “Using the cloud is likely to involve appointing a data processor so any privacy policy has to reflect that; there has to be thorough due diligence on the processor. A data processor contract will be needed setting out responsibilities and what happens if there is a breach.
“Regardless of whether the cloud provider is a processor or independent data controller, if the cloud is outside the UK or EEA then the data transfer provisions of the GDPR need to be followed through. The French regulator, CNIL, has begun enforcement action against Google Analytics.”
CNIL noted that it considered the transfer of data of European citizens to the US as illegal, effectively blowing a hole through the usage of Google Analytics in France at least.
The EU is getting ever more jumpy about what might become of the data of its citizens, with the buzzword of the day, “sovereignty”, being bandied around and a two-day conference on the topic run last week by France, the current holder of the presidency of the European Council of Ministers.
The Register approached Google, AWS, and Microsoft for their thoughts on the action, but we have yet to receive a response.
The EDPB is due to report by the end of 2022. ®