EDSA: Report on coor­di­na­ted inve­sti­ga­ti­ve actions on the use of cloud ser­vices in the public sector.

On Janu­ary 17, 2023, EDSA, the Euro­pean Data Pro­tec­tion Board, published a report on coor­di­na­ted inve­sti­ga­ti­ve actions in the EU on the use of cloud ser­vices in the public sec­tor (“2022 Coor­di­na­ted Enforce­ment Action – Use of cloud-based ser­vices by the public sec­tor, Adopted on 17 Janu­ary 2023„).

During 2022, 22 super­vi­so­ry aut­ho­ri­ties in the EEA area had laun­ched coor­di­na­ted inve­sti­ga­ti­ons into the use of cloud ser­vices in the public sec­tor, which are still ongo­ing. The EDSA had deci­ded at the end of 2020 to estab­lish a coor­di­na­ted enforce­ment frame­work for this pur­po­se, a “CEF”:

In Octo­ber 2020, the Euro­pean Data Pro­tec­tion Board (EDPB) deci­ded to set up a Coor­di­na­ted Enforce­ment Frame­work (CEF). The CEF is a key action of the EDPB under the second pil­lar of its 2021 – 2023 Stra­tegy, tog­e­ther with the crea­ti­on of a Sup­port Pool of Experts (SPE), aiming at stream­li­ning enforce­ment and coope­ra­ti­on among super­vi­so­ry aut­ho­ri­ties (SAs).

It was main­ly about the most com­mon pro­vi­ders, Micro­soft, Ama­zon, Citrix, IBM, OVH, Fuji­tsu, Ora­cle, Ado­be and Google.

The report con­ta­ins a chro­no­lo­gi­cal account of the inve­sti­ga­ti­ve actions in Euro­pe in con­nec­tion with cloud ser­vices and with recom­men­da­ti­ons for the atten­ti­on of the aut­ho­ri­ties. Some of the sta­tis­tics are inte­re­st­ing, even though they say litt­le wit­hout fur­ther context:

  • 32 of the 87 aut­ho­ri­ties had car­ri­ed out a data pro­tec­tion impact assessment;
  • 21 had par­ti­cu­lar­ly ana­ly­zed trans­fers to third count­ries (some­ti­mes refer­red to as “DTIA” for Data “Trans­fer Impact Assessment”);
  • 36 moni­tor pro­vi­der TOMs;
  • 25 had indi­ca­ted that they have taken TOMs and are moni­to­ring as chan­ges in the law occur;
  • 35 con­duc­ted regu­lar risk assessments.




Rela­ted articles