The BE DPA participates in the first European annual coordinated action on the use of cloud by the public sector
Today marks the kick-off of the first coordinated enforcement action of the European Data Protection Board (an independent European body composed of representatives of the EU national data protection authorities). In the coming months, 22 national supervisory authorities across the EEA (including the EDPS) will launch investigations into the use of cloud-based services by the public sector. The Belgian DPA is participating in this project.
This series of actions follows the EDPB’s decision to set up a Coordinated Enforcement Framework (CEF) in October 2020. The CEF is a key action of the EDPB under its 2021-2023 Strategy, together with the creation of a Support Pool of Experts (SPE). The two initiatives aim to streamline enforcement and cooperation among Supervisory Authorities (SAs).
According to Eurostat, cloud uptake by enterprises doubled across the EU in the last 6 years. The COVID-19 pandemic has sparked a digital transformation of organisations, with many public sector organisations turning to cloud technology. However, in doing so, public bodies at national and EU level may face difficulties in obtaining Information and Communication Technology products and services that comply with EU data protection rules. Through coordinated guidance and action, the SAs aim to foster best practices and thereby ensure the adequate protection of personal data.
Over 80 public bodies in total will be addressed across the EEA, including EU institutions, covering a wide range of sectors (such as health, finance, tax, education, central buyers or providers of IT services). Building on common preparatory work by all participating SAs, the CEF will be implemented at national level in one or several of the following ways: fact-finding exercise; questionnaire to identify if a formal investigation is warranted; commencement of a formal investigation; follow-up of ongoing formal investigations. In particular, SAs will explore public bodies’ challenges with GDPR compliance when using cloud-based services, including the process and safeguards implemented when acquiring cloud services, challenges related to international transfers, and provisions governing the controller-processor relationship.
For its part, the Belgian Data Protection Authority (“BE DPA”) has decided to proceed in the first instance with a fact-finding exercise by sending the questionnaire to two types of bodies.
In order to obtain a helicopter view of the use of cloud-based services by the public sector in Belgium, the questionnaire will be sent to two important ICT service providers for public bodies. In addition, the questionnaire will be sent to five public bodies that process large volumes of health data and that have played crucial roles in the context of the COVID-19 crisis.
The results will be analysed in a coordinated manner and the SAs will decide on possible further national supervision and enforcement actions. In addition, results will be aggregated, generating deeper insight into the topic and allowing targeted follow-up at EU level. The EDPB will publish a report on the outcome of this analysis before the end of 2022.