Data protection for cloud services in the public sector

Report presented on the coordinated audit of the European Data Protection Board

Last year, the European data protection supervisory authorities, who are members of the European Data Protection Board (EDPB), conducted a survey on the use of cloud services in the public sector. In total, almost 100 authorities and public bodies were audited. In this article, we present the audit report of the data protection supervisory authorities and show the steps required for GDPR-compliant use of cloud services in the public sector.

Extensive use of cloud services by public agencies

Cloud services have become an indispensable part of the public sector: 87 out of 98 agencies surveyed said they were already using cloud services or had planned to introduce them within the past year. The use ranges from the internal organisation of agencies by means of office suites and internal communication services to cloud services for personnel management and the fulfilment of administrative tasks. The most widely used applications are usually from US vendors (esp. Microsoft, Amazon, IBM, Adobe, or Google).

Authorities see numerous shortcomings in data protection

Although cloud services are widely used by public bodies, the EDPB says that compliance with data protection obligations still has room for improvement: only 32 public bodies reported that they had carried out a data protection impact assessment. According to the EDPB, many entities are not able to identify and assess the risks associated with the use of cloud services. Also criticised were missing or flawed data processing agreements, unknown or insufficiently specified sub-processors, missing guarantees for third-country transfers, and insufficiently defined processing of telemetry and diagnostic data by the cloud services.

Significant differences in the measures taken by data protection supervisory authorities

It is noteworthy that the deficiencies uncovered are assessed very differently by the respective national data protection supervisory authorities. While the German data protection supervisory authorities, for example, are extremely critical of the use of Microsoft 365 in the decision of the German Data Protection Conference of 25 November 2022, other European data protection supervisory authorities, such as the French Commission Nationale de l'Informatique et des Libertés (CNIL), have not yet taken a clear position. In a letter to the Dutch government, for example, the Dutch data protection supervisory authority merely criticised the fact that the data protection risks associated with the use of cloud services had not yet been adequately identified in the corresponding cloud policy, and provided information about the data protection obligations and responsibilities. The Danish data protection authority initially issued a ban on the use of Google Workspace in municipal schools, but lifted it in September 2022 to start negotiations on appropriate remedies between the schools and the provider. The European border agency Frontex, following a migration of its systems to Microsoft Office 365 and Amazon Web Services, was required by the European Data Protection Supervisor in April 2022 to conduct a proper data protection impact assessment, to identify risks and to select appropriate mitigation measures. The use of Microsoft 365 was not prohibited, however.

Summary: Data protection compliant use of cloud services is possible

The decisions of the European data protection supervisory authorities, a few of which are listed here as examples, underline that, in the view of many data protection supervisory authorities in Europe, cloud services can be used by public bodies. In almost all cases, it becomes clear how important it is to conduct data protection impact assessments and to comprehensively document data protection compliance. Public bodies that use or plan to use cloud services should see the investigation by the data protection supervisory authorities as an incentive in this respect. With comprehensive documentation and assessment of the risks, as well as appropriate remediation measures, GDPR-compliant cloud use by public bodies can be ensured. Public bodies then do not have to fear controversial debates with the data protection supervisory authorities.
