The adoption of cloud services by public authorities has doubled in the past six years and has further accelerated during the pandemic. In response to this, the European Data Protection Board (EDPB) announced the kick-off of its first coordinated enforcement action. The EDPB initially foreshadowed this coordinated action in its decision to establish a Coordinated Enforcement Framework (CEF) in October 2020. The objective of the CEF is to put in place an overarching framework to supplement Article 62 GDPR and enable recurring annual joint actions to raise awareness of relevant data-protection topics and issues, as well as to assist in gathering information resulting in enforcement sweeps and joint investigations by national authorities and the EDPS.
The announcement states that the EDPB, along with 22 Supervisory Authorities (SAs), will commence investigations into the use of cloud services by public authorities across the European Union (EU) and the European Economic Area (EEA).
Initially, the SAs across the EU/EEA will assess cloud practices in use by approximately 75 public authorities (government departments, national agencies and EU institutions) from various sectors including health, finance, tax, and education.
The implementation of this action will be structured in two steps:
- First, SAs will develop a best-practices approach to ensure adequate protection of personal data processed by means of cloud services.
- Second, at a national level, a fact-finding exercise will be launched to assess whether investigations are required and, if so, formal investigations will be conducted by the competent SA.
The above-mentioned two-step structure is a clear indicator of the impending enquiries, audits and investigations that will be conducted by SAs and other competent authorities on the use of cloud services. Therefore, to prepare for the envisioned coordinated scrutiny, we recommend that public authorities undertake the following exercises:
- Conduct a due diligence exercise and maintain a record of it while acquiring cloud services; conduct a due diligence exercise on previously onboarded service providers if this has not been done; a part of the due diligence should be dedicated to a Transfer Impact Assessment where necessary;
- Where data transfers take place to countries with a concerning level of personal-data protection, consider renegotiating the data storage location or switching to alternative service providers with hosting in the EU/EEA to mitigate the risks;
- Ensure appropriate and updated controller-to-processor agreements are in place with the cloud service providers;
- Evaluate the technical and organisational safeguards to ensure the risks are sufficiently mitigated;
- Consult relevant SA guidance on implementing cloud services (e.g., the Irish Data Protection Commission’s Checklist, CNIL’s recommendations and the European Data Protection Supervisor’s guidance, among others).
Trilateral’s Data Governance and Cyber Risk Team has data protection specialists with extensive expertise and experience in assessing cloud service providers catering to both public and private sector organisations. Our support services will help your organisation navigate and prepare for investigations and forthcoming compliance checks with regard to the coordinated enforcement actions. Please feel free to contact us, as we would be more than happy to help.