Takeaways (AI):
  • The EDSA published a report on the use of cloud services in the public sector on January 17, 2023.
  • In 2022, 22 supervisory authorities in the EEA conducted coordinated investigations on the topic of cloud.
  • The CEF was set up in 2020 to improve enforcement and cooperation.
  • The most common providers are Microsoft, Amazon, and Google.
  • Statistics show: 32 authorities carried out data protection impact assessments.

On January 17, 2023, the EDSA, the European Data Protection Board, published a report on coordinated investigative actions in the EU on the use of cloud services in the public sector ("2022 Coordinated Enforcement Action – Use of cloud-based services by the public sector, Adopted on 17 January 2023").

During 2022, 22 supervisory authorities in the EEA had launched coordinated investigations into the use of cloud services in the public sector, which are still ongoing. The EDSA had decided at the end of 2020 to establish a coordinated enforcement framework for this purpose, a "CEF":

In October 2020, the European Data Protection Board (EDPB) decided to set up a Coordinated Enforcement Framework (CEF). The CEF is a key action of the EDPB under the second pillar of its 2021 – 2023 Strategy, together with the creation of a Support Pool of Experts (SPE), aiming at streamlining enforcement and cooperation among supervisory authorities (SAs).

The investigations mainly concerned the most common providers: Microsoft, Amazon, Citrix, IBM, OVH, Fujitsu, Oracle, Adobe and Google.

The report contains a chronological account of the investigative actions in Europe in connection with cloud services, along with recommendations for the attention of the authorities. Some of the statistics are interesting, even though they say little without further context:

  • 32 of the 87 authorities had carried out a data protection impact assessment;
  • 21 had particularly analyzed transfers to third countries (sometimes referred to as "DTIA" for "Data Transfer Impact Assessment");
  • 36 monitor provider TOMs;
  • 25 had indicated that they have taken TOMs and are monitoring as changes in the law occur;
  • 35 conducted regular risk assessments.

AI-generated takeaways can be wrong.