The European Union is investigating how public agencies use cloud-based services. Cloud services will be analyzed to determine if they are GDPR compliant.

The investigation follows the decision of the European Data Protection Board to establish a Coordinated Enforcement Framework (CEF) in October 2020. The creation of a Support Pool of Experts (SPE) is also a key action of the EDPB under its 2021-2023 strategy. As a result of these two initiatives, Supervisory Authorities (SAs) focusing on GDPR will be able to improve enforcement and cooperation.

Across the EU, cloud adoption by enterprises has doubled in the last six years, according to EuroStat. In the wake of the COVID-19 pandemic, many public sector organizations have adopted cloud technology. As a result, public bodies at national and EU levels may have difficulty finding ICT products and services that comply with EU data protection standards, the EDPB says in a prepared statement. By coordinating guidance and action, the Supervisory Authorities aim to promote best practices and ensure adequate protection of personal data.

In total, 80 public agencies, including EU institutions, will be addressed, covering a variety of sectors, such as health, finance, tax, education, central buyers, and IT service providers. The SAs will explore public agency’s challenges with GDPR compliance when using cloud-based services, including the processes and safeguards implemented when acquiring cloud services, challenges related to international transfers, and provisions that govern controller-processor relationships.

Photo credit: Guillaume Périgois