EU Watchdog Begins Joint Investigation Into Public Sector Cloud Use

European public sector organisations are facing an investigation by multiple regulatory bodies to ensure their cloud-based service usage complies with EU privacy safeguards.

The investigation was announced by the European privacy watchdog, known as the European Data Protection Board (EDPB).

It said that this is the beginning of the “first co-ordinated enforcement action” and will involve 22 national regulators, who will examine the use of cloud-based services by the public sector over the coming months.

Cloud investigation

It comes after the European Data Protection Board had in October 2020 set up a co-ordinated Enforcement Framework (CEF), to streamline enforcement and co-operation among national Supervisory Authorities (SAs).

According to the EDPB, the investigations will cover 75 public bodies in the European Economic Area, spread across a range of industries such as healthcare, finance, tax, and education. It will also cover IT service providers as well.

The EDPB pointed to EuroStat data, that shows that cloud uptake by enterprises doubled across the EU in the last 6 years.

The arrival of the Coronavirus pandemic has also driven a digital transformation of organisations, with many public sector organisations turning to cloud technology and services.

But in doing so, public bodies at national and EU level may face difficulties in obtaining IT products and services that comply with EU data protection rules.

The EDPB said that via co-ordinated guidance and action, the SAs aim to foster best practices and thereby ensure the adequate protection of personal data.

The EDPB will publish a report on the outcome of its analysis before the end of 2022.

Cloud services

Cloud services are a well established operating model for many public sector organisations, as well as commercial businesses.

A wide variety of cloud infrastructure providers, such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud, and other cloud services from Oracle, IBM etc, have geared their services to the public sector and commercial organisations.

All of these cloud service providers have constructed extensive data centre facilities across the globe.

The EDPB has previously opened investigations into the European Commission and the European Parliament, over their usage of cloud services from the likes of AWS and Azure, and any transfer of personal data to the United States.

Data transfers

The transfer of European personal data to American servers remains a touchy subject on this side of the pond.

Last week Facebook’s Meta, in its annual report, warned there was a risk it could shut down Facebook and Instagram services in Europe, if it is not allowed to transfer, store and process European user data on US-based servers.

Data used to be transferred to the US under the Safe Habour agreement, but the European Court of Justice in 2015 suspended the original Safe Harbour agreement.

It was suspended in the wake of the Edward Snowden revelations about the scale of US and its NSA agency spying on friends and allies.

The European Commission’s Privacy Shield data framework replaced the EU-US Safe Harbour deal which had been in place since 2000, but right from the start it proved controversial with ongoing concerns about US spying.

The Privacy Shield had been designed to help firms on both sides of the Atlantic to move the personal data of European citizens to the United States without breaking strict EU data transfer rules.

Then in July 2020 the European Court of Justice struck down the transatlantic data transfer deal, due to ongoing concerns about US surveillance of European data by American intelligence agencies.

Since then, the EU and the US have been working on a new or updated version of the treaty.