EU Data Protection Board probes public sector use of cloud

Updated The European Data Protection Board (EDPB) has kicked off its first coordinated enforcement action, taking a long, hard look at the use of cloud-based services by the public sector.

It's going to be a big one, involving the launch of investigations by 22 national authorities across the European Economic Area (EEA) and encompass more than 75 public bodies including EU institutions. A wide range of services are to be examined including health, finance, tax, and central buyers or providers of IT services.

As for how it will work, at national level a questionnaire will be handed out. A formal investigation might then begin depending on the answers.

The action comes amid expansion by the cloud giants over the last few years and the jump in cloud uptake by both the private and public sector during the COVID-19 pandemic. The outbreak, according to the EDPB, "has sparked a digital transformation of organisations, with many public sector organisations turning to cloud technology."

The EDPB is concerned that the services obtained might not comply with rules concerning the protection of personal data. Hence the requirement that Supervising Authorities (SA) "explore public bodies' challenges with GDPR compliance when using cloud-based services."

Alexander Egerton, a partner and GDPR lawyer at Seddons, told The Register: "Using the cloud is likely to involve appointing a data processor so any privacy policy has to reflect that; there has to be thorough due diligence on the processor. A data processor contract will be needed setting out responsibilities and what happens if there is a breach.

• France says Google Analytics breaches GDPR when it sends data to US
• EU directs €11bn toward European Chips Act to build homegrown semiconductor industry
• EU digital sovereignty project Gaia-X hands out ID tech contracts
• Privacy Shield: EU citizens might get right to challenge US access to their data

"Regardless of whether the cloud provider is a processor or independent data controller If the cloud is outside the UK or EEA then the data transfer provisions of the GDPR need to be followed through. The French regulator, CNIL, has begun enforcement action against Google Analytics."

CNIL noted that it considered the transfer of data of European citizens to the US as illegal, effectively blowing a hole through the usage of Google Analytics in France at least.

The EU is getting ever more jumpy about what might become of the data of its citizens, with buzzword of the day "sovereignty" being bandied around and a two-day conference on the topic run last week by current holders of presidency of the European Council of Ministers, France.

The Register approached Google and Microsoft for their thoughts on the action, but we have yet to receive a response.

The EDPB is due to report by the end of 2022. ®

Updated to add:

Amazon has been in touch to say: "All AWS customers, including public bodies and EU institutions, are able to use our cloud services in compliance with EU data protection rules and the Schrems II judgement. We are happy to support our customers as they demonstrate this to the European Data Protection Board and Supervisory Authorities."

Yann Lechelle, CEO at Scaleway, said of the move: "Modern cloud computing delivers true digital transformation at scale and as-a-service. While this model disrupts the old model in terms of distribution and acceleration, it deprives clients of the ownership and sovereignty that they used to enjoy in the older licensing model.

"To lead by example, the public sector needs strong and transparent guidance, for instance, in terms of technical or financial guarantees for data portability, energy efficiency or compliance with the EU's fiscal regimes, to steer away from providers that create extra-territorial dependencies that violate our regional laws, or deprive us of strategic autonomy in matters that affect the core of our European democracies."