EDPB Launches Coordinated Enforc...
EDPB Launches Coordinated Enforcement Ac...

EDPB Launches Coordinated Enforcement Action into Use of Cloud Services by Public Bodies

The EDPB coordinated enforcement action is the first of its kind following the introduction of the Coordinated Enforcement Framework in 2020.

clock4 Min Read

Featured Image

On February 15, 2022, the European Data Protection Board (EDPB) announced that it has launched its first coordinated enforcement action on the use of cloud services in the public sector across the EU and the EEA. 22 national supervisory authorities including the Belgian DPA, CNIL, and the European Data Protection Supervisor (EDPS) will launch investigations with the results being used to better understand the difficulties that public bodies are facing through their use of cloud services at a national and European level.

The EDPB highlighted its decision to launch the coordinated action following the introduction of the Coordinated Enforcement Framework (CEF) in October 2020 – a key component of the EDPB’s 2021-2023 Strategy which aims to streamline cooperation between supervisory authorities.

How Will the EDPB’s Coordinated Enforcement Action Work?

The EDPB’s press release highlighted that the coordinated enforcement action will report on more than 75 public bodies in the EEA and will cover a broad range of sectors including health, finance, education, and IT services.

All participating supervisory authorities will build upon common preparatory work to implement the CEF, which includes:

  • Fact-finding exercises
  • Questionnaires identifying if a formal investigation is warranted
  • Commencing a formal investigation
  • Following up with ongoing formal investigations.

Additionally, the EDPB outlined that this preparatory work will be used by the participating supervisory authorities to explore the challenges faced by the public bodies when using cloud-based services and maintaining compliance with the General Data Protection Regulation (GDPR). The challenge that participating supervisory authorities are encouraged to explore include:

  • The process and safeguards implemented when acquiring cloud services
  • The challenges related to international transfers
  • The provisions governing the controller-processor relationship

Results from the initial work carried out by supervisory authorities will be analyzed and used to decide on the possibility of further national supervision and enforcement actions against public bodies.

What Are the Next Steps for the EDPB’s Coordinated Enforcement Action?

Following the release of the EDPB’s press release, supervisory authorities across the EU have been publishing their own positions within the coordinated enforcement action.

The Belgian Data Protection Authority (BE DPA) has stated that it will initially proceed with a fact-finding exercise that includes a questionnaire. This will be sent to two types of bodies including two important ICT service providers for public bodies and five public bodies that process large volumes of health data and that have played crucial roles in the context of the COVID-19 crisis.

In France, the CNIL has also published its priority topics for investigations in 2022. The CNIL highlighted one of its main focuses will be the use of cloud computing that the CNIL’s efforts in this respect will form part of the EDPB’s coordinated enforcement action. The CNIL has also outlined that it will be investigating issues relating to data transfers and the framework for contractual relations between data controllers and cloud solution providers.

Other supervisory authorities have published statements, including:

On the findings, the EDPB stated that the outcomes of the different supervisory authority investigations will be aggregated to build greater insight into the topic as well as opening the possibility of targeted actions to follow up on the results at an EU level. The EDPB will publish a report on the outcomes of the coordinated enforcement action before the end of 2022.

Further resources on the coordinated enforcement action:

Follow OneTrust on LinkedIn, Twitter, or YouTube for the latest privacy and security news.

You Might Also Be Interested In


JUN 08, 2022

The New Digital and Data Strategy in the EU and UK: DMA, DSA and the UK Online Safety Bill

MAY 18, 2022
Consent and Preferences

IAB TCF 2.0 Checklist for Publishers

JUN 01, 2022
Privacy Automation

From Data Compliance to Data Intelligence

JUN 01, 2022

7 Ways Trusted Brands Promote Their Security, Privacy, Ethics, and ESG Programs

JUN 01, 2022
Regulations

Thailand Personal Data Protection Act Takes Effect

MAY 16, 2022
Third-Party Risk

OneTrust is a Leader in Third-Party Risk Management Platforms

MAY 26, 2022
GRC

How successful security teams manage risk to build trust and drive growth

JUN 02, 2022
Privacy Automation

OneTrust and Microsoft Come Together to Automate Employee Rights Requests

BackToTop
Onetrust All Rights Reserved