European Data Protection Board (EDPB) Report on the use of cloud-based services by the public sector

On 17 January 2023, the EDPB published a report on the findings of its first coordinated enforcement action on the use of cloud-based services by the public sector. This action follows the launch of the Coordinated Enforcement Framework (“CEF”) in October 2020, an initiative which aims to streamline enforcement and co-operation among Supervisory Authorities (“SAs”).  The report aggregates the findings of the 22 participating SAs across the European Economic Area (‘EEA’) who undertook coordinated investigations into the use of Cloud Service Providers (“CSPs”) by public services from various sectors including health, finance, tax and education. Notably, the report provides useful recommendations on how public sector bodies should approach cloud services contracts and the particular data protection considerations that may arise.

The Challenges

There has been a significant increase in the use of CSPs by the public sector, particularly following the COVID-19 pandemic, however, this increased use has not been without difficulties. In particular, the report outlines a number of challenges faced by public bodies in ensuring that the IT products services are compliant with the General Data Protection Regulation (“GDPR”). These challenges include issues relating to the performance of a Data Protection Impact Assessment (“DPIA”) at the pre-contractual phase, the lack of a contract and difficulty negotiating a tailored contract and the lack of knowledge or control over sub-processors by public bodies.

Recommendations (“Points of Attention”) 

Following an analysis of the challenges, the EDPB lists points of attention for public bodies to take into account when concluding agreements with CSPs.  We have discussed some of these below:

  • Carry out a DPIA

    A significant finding of the CEF was that only thirty-two out of the eight-six stakeholders using CSPs indicated that a DPIA had been conducted prior to the processing. The EDPB commented that the deployment of cloud services by public bodies often triggers ‘high risk processing’ for which a DPIA is required under the GDPR. The CEF also observed that many public bodies have relied completely on the CSP’s security measures or may have considered that a DPIA was neither necessary nor mandatory. The EDPB, however, pointed out that the provision of a risk assessment by a CSP is usually an information security risk assessment, which often does not take into account data protection risks. As such, it reiterated the importance of carrying out a DPIA where this is required under Article 35 GDPR. The EDPB recommended that where a DPIA has not been performed prior to processing, it should be performed as soon as possible “ex post”.

    Where a DPIA is not legally required, the EDPB recommends that a risk assessment should at the very least be undertaken. The EDPB further advises that a review should be carried out to assess if processing is performed in accordance with the DPIA at least when there is a change of the risk presented by processing operations, as provided for by Article 35(11) GDPR. The EDPB also encourages the close involvement of a public body’s Data Protection Officer (“DPO”) as this can aid public bodies in implementing cloud applications in a way that is compliant with the GDPR.
  • Clearly and unequivocally determine the roles of the involved parties  

    The EDPB note that if roles and responsibilities (e.g. controller / processor) are not correctly determined then compliance with the respective obligations of the CSP and of the public bodies under the GDPR becomes difficult. This is because it is unclear the extent to which a CSP should for example, help the public body to perform a DPIA, or who data subjects should exercise their rights against. It is recommended that the data protection roles of the parties are established (possibly through an internal assessment or as part of the DPIA) and precisely defined in the contract.
  • Ensure there is a meaningful way to object to new sub-processors

    The EDPB was also critical of public bodies’ approach to the engagement of sub-processors. The CEF observed that, in many cases, it appeared that public bodies’ knowledge or control over sub-processors was quite limited. In this regard, the public body may not know exactly which sub-processors are involved for which purposes and the information is limited to being told general information that the CSP makes publicly available (e.g. a list of sub-processors available on the CSP’s website). Another criticism was that public bodies often could not meaningfully object to the use of or change in sub-processors including due to a lack of an efficient objection procedure. Another challenge was that public bodies were often restrained from objecting to the use of a sub-processor or a change in such because their only contractual option is to terminate and thus this could result in a loss of critical service. The EDPB recommended that the risk of not having a meaningful way to object should be assessed before choosing a CSP.

    In order to comply with the GDPR, the EDPB recommend that public bodies should ensure that there is a meaningful way to object to new sub-processors, for instance, by proposing a meaningful right to review any change to the list of sub-processors and to transmit reasoned objections within a specified period in a way that gives the public body a meaningful right to object. The EDPB added that it is important to review how and when public bodies are informed about the specific sub-processors engaged in the processing activities, the criteria for appointing new/other sub-processors and under which provisions they can exercise their right to object according to Article 28(2) GDPR.
  • Personal data should be sufficiently determined in relation to the purposes for which they are processed

    The EDPB states that public bodies can ensure that personal data is processed and collected for explicit and specified purposes and not further processed for incompatible purposes through the inclusion of clear and exhaustive provisions in a contract concluded pursuant to Article 28(3) GDPR as well as through organisational and technical measures.
  • Cooperate with other public bodies when negotiating with CSPs

    The CEF observed that in the majority of investigated cases, CSPs offered standard pre-determined contracts and it was difficult for public bodies to negotiate a bespoke contract. In these circumstances, public bodies have to either accept the terms and conditions offered in the pre-determined contract or not use the cloud service. The EDPB commented that if the public body accepts the terms and conditions of the contract without having the opportunity to negotiate the terms, it is then difficult for the public body to determine the purposes and means of processing of personal data for the duration of the contract and fulfil their obligations under GDPR. Significantly, the EDPB stated that where some of the purposes and means are defined by the CSP, the service provider will be considered as an autonomous controller, according to Article 28(10) GDPR and will be liable for the violation of the relevant provisions of the GDPR. Further, the public body handing over personal data to the CSP and losing control over that personal data, would infringe the relevant GDPR provisions. Therefore, in order to avoid any potential breaches of the GDPR, it is important that public bodies are in a position to negotiate the terms of the contract with a CSP.
  • Collective power in negotiating with CSPs

    The EDPB reports that when various public bodies negotiate the same services on behalf of several public bodies, the imbalance in negotiation seems to be reduced and thus there’s benefit in harnessing the collective power. The EDPB has also advised that the DPO should play an active role in the analysis and negotiation of contracts offered by CSPs.
  • International Transfers

    The EDPB also acknowledges that the use of cloud services may often involve transfers of personal data outside the European Economic Area (e.g. in cases of ‘round the clock’ services). It noted that the public body, acting as a controller, should carefully assess the transfers that may be carried out by the CSP (e.g. by identifying the categories of personal data transferred, the purposes, the entities to which data may be transferred and the third country involved). The EDPB also reminds public bodies that this assessment should be done prior to engaging with the CSP. It further recommends that public bodies provide instructions to the CSP and, if necessary, identify and use a proper transfer tool, analyse laws and practices relating to circumstances in which government authorities or other third parties may access personal data processed by the CSP, and consider and where necessary adopt supplementary measures to ensure that the safeguards contained in the transfer tool are complied with. The CEF also found that in many cases a central buyer chooses the CSP. As such, the EDPB note that it is important for the central buyer to assess the services in the first place and to only propose to public bodies those services which are GDPR-compliant.

Concluding remarks

In concluding the report, the EDPB recognised the success of the 2022 action in promoting a “detailed and harmonised approach to GDPR compliance” however, it stated that the work is not over and some formal investigations, which were launched in 2022, will continue.  It also serves as useful guidance for approaching the use of CSPs which should be incorporated into procurement and contract negotiation processes.

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.