A joint investigation was launched by 22 national data protection authorities on Tuesday (15 February) on how the public sector uses cloud services.
The initiative is the first under the Coordinated Enforcement Framework of the European Data Protection Board (EDPB), the EU body that gathers all European data watchdogs to ensure coordinated enforcement of the GDPR privacy rules.
In October 2020, the Board decided to undertake joint probes every year on specific issues that might have cross-border significance as part of its three-year strategy. Last year, the topic was selected among other vital areas such as website security and mobile apps.
“The Coordinated Enforcement Framework will create synergies among the regulators. Coordinated actions around an agreed topic will allow them to learn from each other’s expertise, harmonise their approaches and increase their impact. In the medium term, this will thus level up enforcement,” said Gwendal Le Grand, EDPB’s head of activity for enforcement support and coordination.
The synchronised operations are an upgraded cooperation mechanism but build on an existing methodology developed via issue-specific task forces.
For Charles Helleputte, head of privacy practice at Steptoe, the Coordinated Enforcement Framework was adopted at a time when data protection authorities were feeling the pressure of a lack of enforcement.
“This is act 2, we are now more leading towards coordinated actions, which in EU terms probably means an attempt for a bunch of countries to weigh in and impose the playlist,” Helleputte said.
Eurostat estimates that European companies’ uptake of cloud services has doubled in the last six years. Public institutions have experienced a similar acceleration as they increasingly employ cloud technology to digitalise their services.
According to the EU’s digital compass, all essential public services will be provided online by 2030. In this regard, the European Commission has also presented a proposal for a digital wallet to allow citizens to authenticate and manage official documents electronically.
European Commission proposes ‘digital identity wallet’
The European Commission has introduced a legislative proposal for an EU “digital identity wallet” that would allow numerous services like opening a bank account or filing tax returns to be done purely digitally.
As a result, cloud computing is a top priority for many data protection authorities across the EU. Specific national investigations went as far as considering the compliance of specific tools such as Microsoft Office. International data transfers are of particular concern in this regard.
In the landmark Schrems II ruling, the EU top court declared the transfer of personal data to the United States illegally as the American jurisdiction was deemed not to offer adequate data protection standards compared to the European privacy law.
For Vincenzo Tiani, a partner at Panetta law firm, these kinds of investigations are to be expected.
“A year has passed since the EDPS’ similar investigations on the same issue against the EU institutions and the Schrems II judgment will soon be two years old, without a new adequacy decision having been reached,” Tiani said.
Last month, the European Data Protection Supervisor reprimanded the European Parliament for using an internal website that transferred data to the US.
EU watchdog condemns Parliament over illegal data transfer from COVID website
The European Data Protection Supervisor (EDPS) issued a reprimand to the European Parliament for violating the bloc’s privacy laws on January 5.
The EDPB estimated that over 80 public bodies would be scrutinised due to the joint action, including health, taxation or education. Every authority will independently decide on a case by case basis whether to collect information, launch a new investigation or follow up on an ongoing one.
International data transfers are explicitly mentioned as top concerns the EU authorities will look at, together with the safeguards in place when using cloud services and the legal obligations regarding the control and process of personal data.
“Apart from the difficulty of changing cloud providers, there is always the dilemma of whether a solution other than the one offered by the tech giants is just as functional and secure, and in fact, the European states have kept the door open in private even in the GAIA X project,” Tiani added.
The joint action is expected to identify the general issues and provide a general recommendation for public bodies to use cloud services in a compliant way. For instance, where public procurement is centralised by centralised bodies that provide a catalogue of relevant services, that should result in having the list of services compliant by design.
There are already two codes of conduct at the EU level that operationalise GDPR compliance for cloud services and cloud infrastructure, respectively. In both cases, adherence to the code is certified via independent auditing.
CISPE, the trade association behind the infrastructure code, is set to present its new handbook to the European Commission on Wednesday of its new handbook on buying cloud services in the public sector.
For CISPE’s secretary-general Francisco Mingorance, the handbook “neatly complements the EDPB’s policy initiatives by providing practical advice on implementing data protection codes of conduct in cloud procurement.”
Cloud development in Europe passes by GDPR compliance
The two recently approved Codes of Conduct for the cloud industry, which will be open to everyone willing to subscribe, could foster the uptake of a technology at the heart of the digital economy, following a green light from the European Data Protection Board.