Public sector bodies’ use of cloud services probed in joint EU data protection enforcement

A coordinated enforcement action focused on public sector bodies’ use of cloud services is kicking off across the European Union.

More than 80 public bodies in a wide range of sectors, including health, finance, tax, education and IT service supply and procurement, will face contact from local data protection authorities — ranging from fact-finding exercises and questionnaires to — potentially — formal investigations if privacy concerns are identified.

The European Data Protection Board (EDPB) announced the plan to target public sector cloud services use last October but today marks the start of action at a national level which it expects to take the best part of this year — with a “state of play” report slated to be published by the Board before the end of 2022, per a spokeswoman.

“In 2021, EDPB members examined a list of possible options for the first CEF [coordinated enforcement framework] action: they prioritised the use of cloud services by public services,” she also said, adding: “This was a collective choice. Individual members may have prioritised this topic for various reasons, including the fact that they have already launched some work on that topic or that they were planning to do so in the near future.”

The EDPB said the goal for the CEF is to harmonize the approach taken by individual supervisory authorities to ensure a more consistency application of EU data protection law.

“Intense preparatory work has been done since October and the EDPB is now implementing the actions at national level,” the spokewoman added. “National SAs [supervisory authorities] will study, in particular, the safeguards implemented when acquiring cloud services, including issues relating to international transfers.”

The EDPB said 22 national authorities are joining in the sweep across the European Economic Area, including the European Data Protection Supervisor (EDPS) — which last year opened its own investigation of contracts between EU institutions and US cloud giants, AWS and Microsoft, as part of its oversight of their compliance with the bloc’s data protection rules.

The CEF action kicking off today does not supplant such individual investigations — and a number of extant probes are likely still ongoing — rather it supplements any targeted probes and may lead to fresh ones being opened since it will dial up attention on public sector use of cloud services and onto the detail of contracts which often involve data transfers out of the EU.

Cloud contacts with US giants especially have been facing extra scrutiny in the EU since a July 2020 ruling by the bloc’s top court — which invalidated a flagship data transfer agreement between the EU and the US, ramping up the legal uncertainty around transatlantic personal data flows.

In recent weeks we’ve also seen an uptick in data protection enforcements on the data transfer issue.

This year a number of authorities have identified breaches of the EU’s General Data Protection Regulation (GDPR) attached to mainstream tools like Google Analytics on account of personal data being exported to the US. (See, for example, recent decisions by the EDPS, and in Austria and France — which all found that EU users’ data was not adequately protected.)

Such enforcements imply that GDPR compliance may require EU entities to cease use of certain US-based cloud tools entirely — unless or until robust supplementary measures (or a new legal framework) can be applied to protect citizens’ data.

The overarching issue is not only that the US does not have an equivalent legal standard as the EU’s GDPR protecting people’s data but also that it has extensive surveillance laws — meaning people’s information may be sucked up in bulk or through targeted searches by government agencies using sweeping powers to tap into commercial platforms and Internet infrastructure as part of intercept programs geared towards a ‘collect it all’ national security via mass surveillance philosophy.

This clash between US surveillance powers and EU data protection and privacy rights has led to major commercial collateral damage in the form of a multi-year legal drama for businesses wishing to export EU users’ data to the US for processing — with only a very brief respite via the EU-US Privacy Shield data transfer deal (which lasted just four years, 2016 to 2021, before being shot down as illegal).

This ongoing uncertainty means each proposed EU-US data transfer must now be assessed on a case by case basis and, where risks are identified, data exports may only taken place if adequate supplementary measures can be applied to raise the level of protection to the EU’s legal standard.

This is especially a problem where cloud services are concerned since so many dominant platforms are US-based.

For some data-mining services (hi Facebook!) applying adequate supplementary measures to protect transfers simply may not be possible.

For others — say where a US-based cloud platform does not itself require access to user data in the clear — it may be possible to apply a technical measure, such as end-to-end encryption, to adequately de-risk a transfer. However figuring out what may work is itself complex. (The EDPB previously put out detailed guidance on data transfers which discusses a range of possible measures, contractual, technical and organizational, and some example scenarios of what might work and what won’t.)

Failing a replacement EU-US Privacy Shield — which is the focus of continued negotiations between the EU and US — every transfer of EU users’ personal data to a third country must be assessed on the merits — creating ongoing cost and friction for businesses on both sides of the Atlantic.

On the flip side, EU data protection agencies are concerned about the rising risks to citizens’ privacy flowing from a sharply increasing uptake of cloud services. The EDPB cites a EuroStat finding that the cloud uptake by enterprises doubled across the EU in the last six years.

“The COVID-19 pandemic has sparked a digital transformation of organisations, with many public sector organisations turning to cloud technology. However, in doing so, public bodies at national and EU level may face difficulties in obtaining Information and Communication Technology products and services that comply with EU data protection rules,” it writes, adding: “Through coordinated guidance and action, the SAs aim to foster best practices and thereby ensure the adequate protection of personal data.

“In particular, SAs [supervisory authorities] will explore public bodies’ challenges with GDPR compliance when using cloud-based services, including the process and safeguards implemented when acquiring cloud services, challenges related to international transfers, and provisions governing the controller-processor relationship.”

Per the Board, the results of the CEF will also be analyzed in what it describes as “a coordinated manner”.

On the potential for further national supervisory and enforcement actions, it says only that it will be up to the data protection agencies to decide. But the hope is clearly to use joint action and investigation to shrink fragmentation and avoid a patchwork of compliance by harmonizing enforcement and guidance.

That does also mean that once we start to see enforcements in the sector there are likely to be other similar actions looming.

The EDPB said the results of the CEF on public sector cloud usage will be aggregated — generating “deeper insight into the topic and allowing targeted follow-up at EU level”. Its spokeswoman also described the forthcoming report as “a stock-taking exercise”.

In response to questions, she also confirmed that the report publication timeline (of by the end of 2022) should not be interpreted as either meaning that no action will be taken in the meanwhile nor that all enforcement actions will be finalised by the end of the year, noting it typically takes more time to finalise a sanction decision vs sending a letter with recommendations.

We also contacted the EDPS with questions about the probe of EU institutions’ cloud contracts with AWS and Microsoft that it announced last year and will update this report with any response. Update: The EDPS said it will be issuing its own statement on the CEF tomorrow.

An EDPS spokesman also confirmed that the aforementioned cloud contract investigations are ongoing: “Our specific investigations into the EUIs [EU institutions’] use of MS [Microsoft] and AWS cloud services are still ongoing. I cannot give you a precise deadline yet.”

Update 2: In a statement today on its 2022 priorities, the French data protection watchdog, CNIL also writes that it believes cloud services deserve “special attention” from EU regulators as these technologies have become “essential”.

It further confirms its participation in the CEF working group — including via “control procedures” it says will be targeting five ministries this year.

“Throughout the year, the CNIL will be looking in greater detail at issues relating to data transfers and the framework for contractual relations between data controllers and cloud solution providers,” CNIL also writes, adding: “This [CEF] is a key action in the EDPB strategy for the years 2021-2023, which aims at harmonising the effective application of the GDPR and the coordination between supervisory authorities.”

Update 3: The full EDPS communication can now be found here.

It includes this statement by the European Data Protection Supervisor, Wojciech Wiewiórowski:

“It is important that organisations within the public sector at national and EU level lead by example when it comes to outsourcing services and transferring personal data within and outside the EEA, by continuously putting in place effective measures to protect individuals’ personal data according to EU standards. A coordinated action at national and EU level, launched by the European Data Protection Board, plays an important role in ensuring that cloud-based services are fully compatible with EU data protection laws. I look forward to cooperating with other supervisory authorities, by building on the experience set out in the EDPS’ Schrems II Strategy”.