On February 15, 2022, the European Data Protection Board (EDPB) announced that it has launched its first coordinated enforcement action on the use of cloud services in the public sector across the EU and the EEA. 22 national supervisory authorities including the Belgian DPA, CNIL, and the European Data Protection Supervisor (EDPS) will launch investigations with the results being used to better understand the difficulties that public bodies are facing through their use of cloud services at a national and European level.
The EDPB highlighted its decision to launch the coordinated action following the introduction of the Coordinated Enforcement Framework (CEF) in October 2020 – a key component of the EDPB’s 2021-2023 Strategy which aims to streamline cooperation between supervisory authorities.
How will the EDPB’s coordinated enforcement action work?
The EDPB’s press release highlighted that the coordinated enforcement action will report on more than 75 public bodies in the EEA and will cover a broad range of sectors including health, finance, education, and IT services.
All participating supervisory authorities will build upon common preparatory work to implement the CEF, which includes:
- Fact-finding exercises
- Questionnaires identifying if a formal investigation is warranted
- Commencing a formal investigation
- Following up with ongoing formal investigations.
Additionally, the EDPB outlined that this preparatory work will be used by the participating supervisory authorities to explore the challenges faced by the public bodies when using cloud-based services and maintaining compliance with the General Data Protection Regulation (GDPR). The challenge that participating supervisory authorities are encouraged to explore include:
Results from the initial work carried out by supervisory authorities will be analyzed and used to decide on the possibility of further national supervision and enforcement actions against public bodies.
What are the next steps for the EDPB’s coordinated enforcement action?
Following the release of the EDPB’s press release, supervisory authorities across the EU have been publishing their own positions within the coordinated enforcement action.
The Belgian Data Protection Authority (BE DPA) has stated that it will initially proceed with a fact-finding exercise that includes a questionnaire. This will be sent to two types of bodies including two important ICT service providers for public bodies and five public bodies that process large volumes of health data and that have played crucial roles in the context of the COVID-19 crisis.
In France, the CNIL has also published its priority topics for investigations in 2022. The CNIL highlighted one of its main focuses will be the use of cloud computing that the CNIL’s efforts in this respect will form part of the EDPB’s coordinated enforcement action. The CNIL has also outlined that it will be investigating issues relating to data transfers and the framework for contractual relations between data controllers and cloud solution providers.
Other supervisory authorities have published statements, including:
On the findings, the EDPB stated that the outcomes of the different supervisory authority investigations will be aggregated to build greater insight into the topic as well as opening the possibility of targeted actions to follow up on the results at an EU level. The EDPB will publish a report on the outcomes of the coordinated enforcement action before the end of 2022.
Further resources on the coordinated enforcement action: