On January 18, 2023, the European Data Protection Board (“EDPB”) published a report on the outcome of its investigation into the use of cloud-based services by the public sector.
The EDPB prepared the report as part of its first coordinated enforcement action under the Coordinated Enforcement Framework (“Framework”), a key part of the EDPB’s 2021-2023 strategy. The Framework facilitates coordinated actions between the EDPB and national data protection authorities to (i) share information and best practices on a topic related to data privacy, and (ii) provide recommendations to better support compliance with data protection laws. Through the Framework, the EDPB and national authorities investigate compliance with a specific data protection topic each year; in 2023, the EDPB will investigate the designation and role of data protection officers (“DPOs”).
This blog post summarizes the main takeaways of the 2022 Coordinated Enforcement Action and highlights its most relevant data privacy concerns.
According to the report, public bodies using cloud-based services should:
- Conduct a risk assessment or data protection impact assessment (“DPIA”) to ensure adequate knowledge about the data provided to the cloud-based service (and potentially third parties), including identifying the categories of data, the processing purposes, the entities to which the data is transferred, and the third countries involved;
- Ensure that cloud-based service operators implement adequate technical and organizational measures to protect personal information processed through their services. This includes implementing security measures to reduce the risk of unlawful access to personal information and of personal data breaches;
- Involve data privacy professionals, such as DPOs, to assess compliance with GDPR requirements and to assist in the analysis and negotiation of contracts with cloud-based service providers;
- Ensure that the roles of the parties (i.e., ‘controller’ or ‘processor’) are clearly and unequivocally defined in the contract with the cloud-based service provider; and
- Verify that cloud-based service providers provide transparent information on the way they process personal data, and ensure that they process such data, and share it with third parties, only if authorized by the public body.
In addition to these recommendations, the EDPB noted that the use of cloud-based services by the public sector has created concerns over potential violations of the GDPR following the CJEU Schrems II ruling on international data transfers (i.e., transfers to countries outside the EEA, as explained in our blog post). The EDPB’s report emphasized public bodies’ responsibility to assess data transfers that may be carried out by cloud-based service providers, and to take steps to carefully determine whether these transfers comply with the GDPR, before engaging with such providers. The report also encourages the use of appropriate supplementary measures to ensure that all data transfers are compliant with EU data protection rules, especially where data is transferred to a third country.
Covington’s Data Privacy and Cybersecurity Team regularly advises companies, including those adopting cloud-based services, on their most challenging regulatory compliance issues in the EU and other major markets. Our team is happy to assist with any inquiries relating to cloud-based services, and other tech regulatory matters.