A report detailing EU government cloud use will be released by year’s end
Are the member states of the European Union (EU) compliant with data privacy laws? That’s a question the European Data Protection Board (EDPD) hopes to answer. The agency announced last week the start of its “investigations into the use of cloud-based services by the public sector.”
The public sector cloud use report is part of a series of actions meant to align and enforce data protection standards among EU supervisory authorities. The Brussels-based group was established by the EU’s General Data Protection Regulation (GDPR). It contributes to the consistent application of GDPR rules in the EU.
The announcement the government cloud investigation was underway came four months after the EDPB first announced plans to investigate public sector cloud use. The independent agency said that in the coming months, 22 supervisory authorities will gather information for its report, which will be published before the end of the year.
The group acknowledged the digital transformation has created pressure for public sector organizations to find cloud-based solutions that comply with EU data protection rules.
“The COVID-19 pandemic has sparked a digital transformation of organisations, with many public sector organisations turning to cloud technology. However, in doing so, public bodies at national and EU level may face difficulties in obtaining Information and Communication Technology products and services that comply with EU data protection rules,” said the EDPD in a statement.
“Through coordinated guidance and action, the SAs aim to foster best practices and thereby ensure the adequate protection of personal data,” it said.
The EDPD said the discovery process will yield information to help EU member states implement government cloud safeguards and consistent policies. The information-gathering process will pinpoint areas needing further investigation and more robust policy enforcement. The EDPD said more than 80 public bodies across the EU will be investigated, including health, finance, tax, education and central purchasing of IT services.
“In particular, [Supervisory Authorities] will explore public bodies’ challenges with GDPR compliance when using cloud-based services, including the process and safeguards implemented when acquiring cloud services, challenges related to international transfers, and provisions governing the controller-processor relationship,” said the agency.
The group plans to aggregate data collected by the supervisory authorities before deciding on further action.