Report presented on the coordinated audit of the European Data Protection Board
Last year, the European data protection supervisory authorities, who are members of the European Data Protection Board (EDPB), conducted a survey on the use of cloud services in the public sector. In total, almost 100 authorities and public bodies were audited. In this article, we present the audit report of the data protection supervisory authorities and show the steps required for GDPR-compliant use of cloud services in the public sector.
Extensive use of cloud services by public agencies
Cloud services have become an indispensable part of the public sector: 87 out of 98 agencies surveyed said they were already using cloud services or planned to introduce them within the past year. The use ranges from the internal organisation of agencies by means of office suites, internal communication services and cloud services for personnel management and the fulfillment of administrative tasks. The most widely used applications are usually from US vendors (esp. Microsoft, Amazon, IBM, Adobe, or Google).
Authorities see numerous shortcomings in data protection
Although cloud services are widely used by public bodies, the EDPB says that compliance with data protection obligations still has room for improvement: Only 32 public bodies reported that they had carried out a data protection impact assessment. According to the EDPB, many entities are not able to identify and assess the risks associated with the use of cloud services. Also criticised were missing or faulty job data processing contracts, unknown or insufficiently specified sub-processors, missing guarantees for third-country transfers, and insufficiently defined processing of telemetry and diagnostic data by the cloud services.
Significant differences in the measures taken by data protection supervisory authorities
It is noteworthy that the deficiencies uncovered are assessed very differently by the respective national data protection supervisory authorities: While the German data protection supervisory authorities, for example, are extremely critical of the use of Microsoft 365 in the decision of the German Data Protection Conference of 25 November 2022, other European data protection supervisory authorities, such as the French Commission Nationale de l’Informatique et des Libertés (CNIL), have not yet taken a clear position. In a letter to the Dutch government, for example, the Dutch data protection supervisory authority merely criticised the fact that the data protection risks associated with the use of cloud services had not yet been adequately identified in the corresponding cloud policy and provided information about the data protection obligations and responsibilities. The Danish data protection authority initially issued a ban on the use of Google Workspace in municipal schools, but lifted it in September 2022 to start negotiations on appropriate remedies between the schools and the provider. The European border agency Frontex, following a migration of its systems to Microsoft Office 365 and Amazon Web Services, was required by the European Data Protection Supervisor in April 2022 to conduct a proper data protection impact assessment, to identify risks and select appropriate mitigation measures. The use of Microsoft 365 was not prohibited, however.
Summary: Data protection compliant use of cloud services is possible
The decisions of the European data protection supervisory authorities, a few of which are listed here as examples, underline that cloud services can be used by public bodies in the view of many data protection supervisory authorities in Europe. In almost all cases, it becomes clear how important it is to conduct data protection impact assessments and to comprehensively document data protection compliance. Public bodies that use or plan to use cloud services should see the investigation by the data protection supervisory authorities as an incentive in this respect. With comprehensive documentation and assessment of the risks, as well as appropriate remediation measures, GDPR-compliant cloud use by public bodies can be ensured. Public bodies then do not have to fear controversial debates with the data protection supervisory authorities.back