Challenges and recommendations when moving to the cloud


Authors:  

Sandra Moran | Senior Data Protection Advisor

Date: 28 February 2023

On 18 January 2023, the EDPB published on its website two interesting documents about the use of cloud-based services by the public sector. These two documents are connected to the Coordinated Enforcement Framework under Regulation 2016/679 (CEF), which was adopted by the EDPB on 20 October 2020. Both documents are the result of the coordinated investigations, launched by 22 Supervisory Authorities (SAs), regarding the use of cloud-based services by the public sector. 

  • The first document (Document 1: 2022 Coordinated Enforcement Action Use of cloud-based services by the public sector Adopted on 17 January 2023) is a Joint Report which aggregates the findings of all the Supervisory Authorities participating in the CEF. The first part of the report focuses on the inputs provided on the stakeholders addressed, while the second part focuses on the challenges faced by public bodies when procuring cloud services; specifically, those connected to GDPR/EUDPR compliance when using cloud-based services. 
  • The second document (Document 2: Annex: National Reports on the CEF cloud action) outlines the National Reports on the CEF cloud action. 

This article aims to explain, from a practical point of view, the findings arising from the investigation conducted by the SAs, as well as the outputs, advice and suggestions provided by the EDPB in response. The article outlines suggestions on how to approach International Transfers and other complexities arising when negotiating with CSPs.  

The reasons behind these investigations: 

As explained in Document 1 (2022 Coordinated Enforcement Action Use of cloud-based services by the public sector Adopted on 17 January 2023), the EDPB selected the use of cloud in the public sector for the 2022 Coordinated Enforcement Action for three main reasons: 

  • it is essential that the fundamental right to the protection of personal data is guaranteed by all public administrations; 
  • public authorities are processing large amounts of personal (and sometimes sensitive) data; and 
  • the rapid development of cloud technology in all sectors is creating new risks that need to be dealt with appropriately.  

It is important to clarify that the concept of “cloud services” used in these documents is understood as one or more capabilities offered via cloud computing and invoked using a defined interface.  

The use of these technologies has increased in recent years, especially since the COVID-19 pandemic, which has played a significant role in the digital transformation of organisations. Considering this intensification in the use of cloud services, the EDPB recognises the complexity for EU bodies of obtaining IT products and services that comply with EU data protection rules. This is particularly relevant given the nature, and potentially large amount, of personal data processed by these entities. The EDPB explicitly mentions the “trust” of citizens and of persons working for public services as a key point to be considered in this context.  

How the investigations were carried out and what to expect from them in the next months: 

The investigations were developed under the following lines: 

  • A questionnaire was drafted by the SAs, and the first results of their investigations were also discussed. It is to be noted that some elements, such as the corrective measures they could decide on at national level, are still under discussion, so some updates are expected in the coming months. 
  • Around 100 public bodies in total were addressed across the EEA (including EU institutions), covering a wide range of sectors.  
  • The investigation identified the most commonly used Cloud Service Providers (hereafter ‘CSPs’ or ‘CSP’), including, but not limited to, companies such as Microsoft, Amazon, Citrix, IBM and Google, which either provide services themselves or are involved because other services use their infrastructure. 

Key aspects and elements of the findings of all the Supervisory Authorities related to the use of cloud-based services by the public bodies:  

In this section of the article, we outline the main challenges identified during the CEF action, with the aim of explaining the key aspects to be considered when using CSPs, as recommended by the EDPB.  

The challenges identified during the CEF action are:  

  1. The development of Data Protection Impact Assessments (DPIAs). 
  2. The definition of the Data Protection Role of the parties. 
  3. The complexity of negotiating tailored contracts between public bodies and cloud service providers. 
  4. Subprocessors.  
  5. International transfers.  
  6. Risk of access by foreign governments when using non-EU CSPs storing data in the EEA. 
  7. Telemetry/diagnostic information.  
  8. Auditing.

1. The development of Data Protection Impact Assessments (DPIAs).

The report outlines that many public sector processing operations relying on cloud services are likely to result in a high risk to the rights and freedoms of natural persons, due to factors such as the processing of sensitive data or data of a highly personal nature (like health data or personal data relating to criminal convictions and offences) and/or the processing of personal data on a large scale.  

Interesting points:

  • Only 32 out of the 86 stakeholders that use CSPs confirmed that they conducted a DPIA before the intended processing, and only 21 of them specifically analysed the occurrence of International Transfers. 
  • Some stakeholders carried out an initial DPIA only after the processing had commenced. 
  • Aspects related to the security of the processing: 
    • Some stakeholders relied entirely on the security measures implemented by the CSPs.   
    • Controllers need to consider that the risk assessments provided by CSPs are usually information security risk assessments, not data protection risk assessments.   
    • The main reason for this is that CSPs are generally blind to the details of the processing activity the controller carries out through their services, such as:  
      • what specific processing activities are taking place and how,   
      • the purposes of the processing, and   
      • the risks that this processing poses to the rights and freedoms of natural persons (rather than the risks to the public body itself).  
  • Lack of DPO involvement 
    • In most cases, the data protection officer (DPO) of the controller was not closely involved in the process of developing the DPIA.  

Outputs:

  • As the EDPB points out, a switch to cloud services may change the risk profile, which means that the DPIA may need to be reviewed (or carried out, if none exists), and a periodic review may be necessary.  
  • The controller needs to be aware of the need to perform its own assessment of the data protection risks, which is different from the pure information security risk assessment usually provided by the CSPs.   
  • Close involvement of the DPO can help public bodies implement cloud applications in a way that is compliant with data protection regulations. 

2. The definition of the Data Protection Role of the parties. 

The report outlines the importance of assessing and clearly delineating the data protection roles when using CSPs. This will depend on the specific processing and is relevant to the allocation of responsibilities (e.g. when data subjects exercise any of their data protection rights). If the roles are not clear, it can lead to situations in which a public body enables a commercial enterprise to process, for its own purposes, personal data of citizens and employees entrusted to the public body, in violation of data protection regulations. 

Interesting points: 

  • In some cases, the CSP may contractually envisage data processing activities for which it acts as a controller (e.g. the processing of telemetry/diagnostic data).  
  • In those cases, it is to be noted that a legal basis is needed for the handing over of personal data by the public body to the CSP.  

Outputs: 

3. The complexity of negotiating tailored contracts between public bodies and cloud service providers.

Connected to Challenge 2, the lack of a contract or other legal act meeting the requirements of the data protection regulations seems to be one of the difficulties in this context. Sometimes the processing is ongoing without a proper document in place, and the reasons given by the stakeholders related to the difficulty of negotiating with the CSPs, mostly due to the imbalance of power (take it or leave it).   

Interesting points: 

  • The EDPB recognises this complexity, but it also invites public bodies in the EEA, among other actions, to join forces to counter the imbalance of power.  
  • Freely available information on similar cases is a useful resource here.  

Outputs: 

  • When a public body decides to use a CSP, the agreement should be aligned with the specifics of the processing in scope. Specifically:  
    • A bespoke contract may need to be negotiated, and the terms of each processor agreement need to be tailored to the processing operation(s); or  
    • If a standard contract is used as a template, the specifics of the processing on behalf of the public body will always need to be included in the contract or its annexes.  

4. Subprocessors. 

The complexity of negotiating is also present regarding the use of subprocessors, which is usually an area where the controller lacks visibility. Therefore, in most cases, the negotiation ends with “it is not possible to provide the services in a different way.” The consequences of this lack of control include, among others, International Transfers occurring that are not properly addressed by the controller.  

Interesting point: 

  • Generally, the information about subprocessors provided by the CSPs is limited to an online list (which, in essence, means that the list of subprocessors and their replacement are, again, a take it or leave it situation).  

Outputs: 

  • The EDPB emphasised that the factual lack of control does not exonerate controllers from their responsibilities regarding the processing. Controllers must be offered a way to either authorise or object to the addition or replacement of other processors. The risk of not having a meaningful way to object should be assessed before choosing a CSP. 

5. International transfers. 

Interesting points: 

  • The use of a central buyer for choosing a CSP is common among public administrations. 
  • One of the most common situations detected during the CEF action is the use by public bodies in the EEA of hyperscale cloud-based services, in particular software as a service (SaaS), provided by non-EU-based companies (including US-based ones). As some of these companies are based, or operate, in third countries that do not offer a level of protection recognised as adequate under Article 45 of the GDPR, International Transfers may occur during the processing.  
  • In the context of some SaaS services, identifying effective supplementary measures can be extremely challenging.  

Outputs: 

  • Before engaging with the CSP, the controller should:  
    • Carefully assess the situation, identifying the categories of personal data transferred, the purposes, the entities to which data may be transferred and the third country involved;  
    • Instruct the processor to identify the proper transfer tool; and  
    • If needed, identify the supplementary measures to be applied, to ensure that the level of protection required by data protection regulation is not undermined by the transfer(s).  

6. Risk of access by foreign governments when using non-EU CSPs storing data in the EEA. 

The confidentiality and protection of personal data are key obligations to be considered at every stage of the processing, especially when processors are involved.   

Interesting points: 

  • The issue of access by third-country authorities to data processed within the EEA has been identified by several controllers, but it is often not addressed effectively enough, from both the legal and the technical point of view.  
  • The mere use of a CSP that is part of a multinational group subject to third-country laws may result in those laws also applying to data stored in the EEA.   
  • Access requests by third-country authorities appear to be envisaged by multiple CSPs that are part of multinational groups. This is usually reflected in two typical standard clauses within their processing agreements, which are cited in the EDPB document discussed in this post.  

Output: 

  • Before concluding the contract with the CSP, a thorough analysis should be made of whether the application of third-country legislation could allow access requests to be addressed to data stored by the CSP in the EEA.  

7. Telemetry/diagnostic information.

Examples of telemetry data are tags, security and access roles, rules, usage policies, permissions, and usage statistics for different kinds of users. As such data could potentially fall within the definition of personal data, it should be in scope of the data protection assessment.  

Interesting points: 

  • The processing of telemetry data is usually carried out by the CSPs during the provision of services to the controller.  
  • Many stakeholders seem to lack specific knowledge about this processing, including whether International Transfers occur as part of it.   

Outputs: 

  • The controller should clarify whether any personal data may be involved in the processing of telemetry data. If so:  
    • Analyse and define the data protection roles of the controller and the CSP regarding this processing. Precise information about this processing will be needed from the CSP.  
    • Carefully assess whether adequate data protection clauses, also covering telemetry data, are included in the DPA (Data Protection Agreement) with the CSP. 

8. Auditing. 

These checks are usually carried out annually, through verification of certification reports and of the documentation the CSPs make publicly available on their websites.  

Recommendations:  

Considering the above, the use of CSPs creates some challenging situations for controllers seeking to ensure that processing complies with data protection requirements. The main considerations are the following: 

  • For those public bodies that have not (yet) conducted a DPIA (Data Protection Impact Assessment) when deploying cloud services, (re)evaluate in the short term whether a DPIA should be conducted, and document this evaluation. Where a DPIA is not legally required, at least a risk assessment should be carried out. Establish processes to regularly review the DPIA, since the use of cloud services is a clearly dynamic context.  
  • Define the data protection roles of the parties and ensure that, when a CSP acts as processor, it follows the controller's instructions when carrying out the processing.  
  • Ensure that the controller can meaningfully object to new subprocessors.  
    • For example, consider setting specific criteria that any new subprocessor must meet, and define the information required from the CSP when it proposes a new subprocessor. 
  • Ensure that the details of the processing are clear and aligned with its purposes, and that personal data are not processed for further, incompatible purposes (including by the CSPs). 
    • Pay specific attention to the processing of telemetry data. 
  • Involve the DPO in the procurement of a CSP and seek their analysis and advice regarding contracts with the CSPs. 
  • To compensate for or reduce the imbalance of power in negotiations with CSPs, increase cooperation with other public bodies. 
    • Examine and renegotiate the contract with the CSPs. 
  • Pay close attention to the potential occurrence of International Transfers and to potential access requests for personal data by third-country authorities. 
    • Cooperation should be established with the CSPs in order to provide instructions regarding the transfer tool and the implementation of appropriate supplementary measures. 
    • Third-country legislation could also apply to the processing, so a proper analysis needs to be carried out in this regard. 
  • Agree with the CSPs, and verify, how audits and inspections will be carried out. 

Trilateral’s Data Governance and Cyber-Risk Team have significant experience helping our clients achieve compliance with the latest Data Protection and ePrivacy regulations. We offer data governance services that can help your organisation develop policies and procedures for ongoing compliance. Trilateral can help audit existing practices, review your current systems and undertake the transfer impact assessment if your organisation is looking to rely on SCCs for transfers to countries such as the UK and the USA. 

Our support services will help your business protect individuals’ fundamental rights, building trust among your website users and, ultimately, your customers. Please get in touch with our advisors, who would be more than happy to help. 
