Take-Aways (AI)
  • EDPB report (17 Jan 2023) documents coordinated investigations by 22 supervisory authorities into the use of cloud services in the public sector.
  • The CEF and the Support Pool of Experts were established to strengthen enforcement and cooperation among supervisory authorities in the EEA.
  • Statistics show varying compliance measures: data protection impact assessments, third-country reviews, TOM monitoring and regular risk assessments.

On January 17, 2023, the European Data Protection Board (EDPB, German: EDSA) published a report on coordinated investigative actions in the EU on the use of cloud services in the public sector (“2022 Coordinated Enforcement Action – Use of cloud-based services by the public sector, Adopted on 17 January 2023”).

During 2022, 22 supervisory authorities in the EEA launched coordinated investigations into the use of cloud services in the public sector, which are still ongoing. The EDPB had decided at the end of 2020 to establish a coordinated enforcement framework for this purpose, a “CEF”:

In October 2020, the European Data Protection Board (EDPB) decided to set up a Coordinated Enforcement Framework (CEF). The CEF is a key action of the EDPB under the second pillar of its 2021-2023 Strategy, together with the creation of a Support Pool of Experts (SPE), aiming at streamlining enforcement and cooperation among supervisory authorities (SAs).

The investigations mainly concerned the most common providers: Microsoft, Amazon, Citrix, IBM, OVH, Fujitsu, Oracle, Adobe and Google.

The report contains a chronological account of the investigative actions in Europe in connection with cloud services, along with recommendations for the attention of the authorities. Some of the statistics are interesting, even though they say little without further context:

  • 32 of the 87 authorities had carried out a data protection impact assessment;
  • 21 had specifically analyzed transfers to third countries (sometimes referred to as “DTIA” for “Data Transfer Impact Assessment”);
  • 36 monitor provider TOMs;
  • 25 had indicated that they have taken TOMs and are monitoring as changes in the law occur;
  • 35 conducted regular risk assessments.