On January 18, 2023, the European Data Protection Board (“EDPB”) published a report on the outcome of its investigation into the use of cloud-based services by the public sector.

The EDPB prepared the report as part of its first coordinated enforcement action under the Coordinated Enforcement Framework (“Framework”), a key part of the EDPB’s 2021-2023 strategy. The Framework facilitates coordinated actions between the EDPB and national data protection authorities to (i) share information and best practices on a topic related to data privacy, and (ii) provide recommendations to better support compliance with data protection laws. Through the Framework, the EDPB and national authorities investigate compliance with a specific data protection topic each year; in 2023, the EDPB will investigate the designation and role of data protection officers (“DPOs”).

This blog post summarizes the main takeaways of the 2022 Coordinated Enforcement Action and highlights its most relevant data privacy concerns.

According to the report, public bodies using cloud-based services should:

  • Conduct a risk assessment or data protection impact assessment (“DPIA”) to ensure adequate knowledge about the data provided to the cloud-based service (and potentially third parties), including identifying the categories of data, the processing purposes, the entities to which the data is transferred, and the third countries involved;
  • Ensure that cloud-based services operators implement adequate technical and organizational measures to protect personal information processed through their services. This includes implementing security measures to reduce the risk of unlawful access to personal information and personal data breaches;
  • Involve data privacy professionals, such as DPOs, to assess compliance with GDPR requirements and to assist in the analysis and negotiation of contracts with cloud-based service providers;
  • Ensure that the roles (i.e., ‘controller’ or ‘processor’) of the parties are clearly and unequivocally defined in the contract with the cloud-based service provider; and
  • Verify that cloud-based service providers provide transparent information on the way they process personal data and ensure that they only process such data and share this personal data with third parties if authorized by the public body.

In addition to these recommendations, the EDPB noted that the use of cloud-based services by the public sector has created concerns over potential violations of the GDPR following the CJEU Schrems II ruling on international data transfers (i.e., transfers to countries outside the EEA – as explained in our blogpost). The EDPB’s report emphasized public bodies’ responsibility to assess data transfers that may be carried out by the cloud-service providers, and to take steps to carefully determine whether these transfers are in compliance with the GDPR, before engaging with such providers. The report also encourages the use of appropriate supplemental measures to ensure that all data transfers are compliant with EU data protection rules, especially if transferred to a third country.

***

Covington’s Data Privacy and Cybersecurity Team regularly advises companies, including those adopting cloud-based services, on their most challenging regulatory compliance issues in the EU and other major markets. Our team is happy to assist with any inquiries relating to cloud-based services, and other tech regulatory matters.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and has developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and on their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group. Anna is a qualified Portuguese lawyer and a native speaker of both Portuguese and German. Anna advises companies on European data protection law and helps clients coordinate international data protection law projects. She has obtained a certificate as a “corporate data protection officer” from the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also a Certified Information Privacy Professional/Europe (CIPP/E) with the International Association of Privacy Professionals (IAPP). Anna also advises companies in the field of EU consumer law and has been closely tracking developments in this area. Her extensive language skills allow her to monitor developments and help clients tackle EU data privacy, cybersecurity and consumer law issues in various EU and non-EU jurisdictions.

Diane Valat

Diane Valat is a trainee who attended IE University.