The European Data Protection Board (“EDPB”) has published a report about the use of cloud-based services in the public sector, highlighting the importance of compliance with GDPR at all stages of procurement and active use of cloud-based products and services. The report (and underlying investigation) is the first coordinated enforcement action under the EDPB’s Coordinated Enforcement Framework (“CEF”), a key element of its 2021-2023 Strategy which aims to streamline enforcement and cooperation between supervisory authorities.

Background

The EDPB set up the CEF in October 2020 to structure and coordinate each annual coordinated enforcement action (“CEA”) - the exploration of a pre-determined data privacy topic chosen by the EDPB. The EDPB has already announced its next CEA for 2023, which will focus on the designation of data protection officers.

The EDPB chose to focus its first CEA on cloud services in the public sector partly due to the rise in digital transformation projects by an increasing number of organisations (including those in the public sector), further enhanced by the Covid-19 pandemic. Furthermore, because the data processed by public bodies is more likely to be sensitive and processed on a larger scale, it is important that citizens can trust public bodies to guarantee adequate protection when handling their personal data.

The CEA for 2022 involved 22 national supervisory authorities (including those in Belgium, Italy and Germany) launching coordinated investigations to explore the particular challenges associated with the use of cloud services in the public sector. Just under 100 public bodies across a range of sectors (including finance, education and health) were involved in the investigations and actions included fact-finding exercises, questionnaires to identify needs for formal investigations and follow-ups of any ongoing formal investigations.

The report consolidates the findings of all 22 supervisory authorities and proposes recommendations, as well as follow-up actions at both national and EDPB level.

Key takeaways

The overarching message from the report is that those in the public sector who are using cloud-based products or are engaging cloud service suppliers (“CSPs”) must ensure compliance with GDPR at all stages (including, and importantly, at the pre-contractual stage). We have highlighted some of the specific points raised for the attention of stakeholders in the report:

  • Carry out a data protection impact assessment (DPIA) or other risk assessment: this is especially important where processing is done on a large scale, involves ‘special category’ data or where personal data relates to criminal convictions, as the scope of risk to individual rights is much higher. This also requires identifying categories of personal data, the purposes of processing and the entities to which data is being transferred.
  • Ensure that the roles of data ‘controller’ and ‘processor’ are clearly and unequivocally determined: this will enable proper allocation of responsibilities for compliance with GDPR between the public body and a cloud services provider and these should be carefully considered and clearly reflected in contracts.
  • Involve DPOs or other privacy professionals to assess compliance with GDPR requirements and to assist in the analysis and negotiation of contracts with cloud-based service providers: DPOs may be in a better position to identify any potential compliance issues early on which will allow public bodies to better navigate negotiations with CSPs.
  • Ensure a meaningful way to object to new sub-processors: as a controller (who is ultimately responsible for processing), public bodies should ensure that they have control over the use of sub-processors, particularly where data is transferred to third countries. This could involve ensuring contractual rights to be informed about and review any changes to sub-processors and a list of criteria for new sub-processors.
  • Assess international transfers: the report found that public authorities in the EEA were often engaging CSPs based in third countries (such as the US) which did not offer the adequate level of protection as set out in Article 45 GDPR. Therefore, it is especially important for public bodies, as controllers, to (1) assess international transfers of personal data prior to engaging CSPs, (2) instruct processors to use proper transfer tools and (3) implement appropriate supplementary measures to ensure safeguards are complied with.
  • Consider the potential of access requests by third country public authorities to data stored by CSPs in the EU: the report found that many CSPs were part of multinational groups which were subject to third country laws in relation to data being stored. It is therefore important that public bodies thoroughly analyse the possibility of such requests prior to concluding any contracts with providers.

What does this mean for businesses? 

The key takeaway from the EDPB report is that data protection compliance should be prioritised at all points of cloud service implementation and that public sector organisations have a responsibility to assess the compliance of any services they are looking to engage at an early stage. This means that businesses should consider investing time and resources to closely identify and analyse any compliance issues that may arise prior to engaging any CSPs and to take steps to address these. This key takeaway is as applicable to UK public sector organisations as it is to EU public sector organisations.

The EDPB’s work and any subsequent guidelines are no longer directly relevant to the UK but as indicated by the ICO, they may still provide helpful guidance on certain issues.

Notwithstanding this, the specific points highlighted in the EDPB’s report are key for UK public and private sector organisations contracting with cloud service providers. Given that UK GDPR substantially reflects EU GDPR, any moves by cloud service providers to address concerns raised at an EU level are likely to be of benefit to UK based organisations.

Next steps 

The EDPB notes that it may update its report during the course of 2023 to take into account further information and that, given the issues identified during its work, further work on general recommendations to public sector organisations is likely.

If you’d like to discuss the use of cloud services in the public sector, please contact Lucy Pegler, Patrick Parkin or another member of the Technology team.