On January 17, 2023, the European Data Protection Board (EDPB) published a report on coordinated investigative actions in the EU on the use of cloud services in the public sector (“2022 Coordinated Enforcement Action – Use of cloud-based services by the public sector, Adopted on 17 January 2023”).
During 2022, 22 supervisory authorities in the EEA had launched coordinated investigations into the use of cloud services in the public sector, which are still ongoing. The EDPB had decided at the end of 2020 to establish a coordinated enforcement framework for this purpose, a “CEF”:
In October 2020, the European Data Protection Board (EDPB) decided to set up a Coordinated Enforcement Framework (CEF). The CEF is a key action of the EDPB under the second pillar of its 2021 – 2023 Strategy, together with the creation of a Support Pool of Experts (SPE), aiming at streamlining enforcement and cooperation among supervisory authorities (SAs).
The investigations mainly concerned the most common providers: Microsoft, Amazon, Citrix, IBM, OVH, Fujitsu, Oracle, Adobe and Google.
The report contains a chronological account of the investigative actions in Europe in connection with cloud services, along with recommendations for the attention of the authorities. Some of the statistics are interesting, even though they say little without further context:
- 32 of the 87 authorities had carried out a data protection impact assessment;
- 21 had particularly analyzed transfers to third countries (sometimes referred to as “DTIA” for “Data Transfer Impact Assessment”);
- 36 monitor the providers' TOMs (technical and organizational measures);
- 25 had indicated that they have implemented TOMs and continue monitoring as changes in the law occur;
- 35 conducted regular risk assessments.