EU to probe public sector cloud services following pandemic boom
The European privacy watchdog said today that it will launch joint investigations with 22 national regulators into the use of cloud-based services by the public sector, to check whether they comply with its privacy safeguards following the digital transformation boom during the pandemic.
The investigations will cover over 80 public bodies across the European Economic Area, including EU institutions, in sectors such as health, finance, tax, education and providers of IT services, the European Data Protection Board (EDPB) said.
Big tech cloud computing firms such as Amazon’s AWS, Alphabet’s Google, Oracle and Microsoft’s Azure have been building data centres across Europe in response to growing demand from private- and public-sector organisations.
Public sector organisations may face difficulties in obtaining products and services that comply with EU data protection rules, the EU body said in a statement.
The European Union’s General Data Protection Regulation (GDPR) is designed to protect the privacy rights of EU individuals and applies to all companies processing or controlling the personal information of EU residents.
The European Data Protection Supervisor last year opened investigations into the European Commission’s and European Parliament’s use of cloud computing services provided by Amazon and Microsoft over concerns about the transfer of personal data to the United States.
Both government and private bodies have been increasingly relying on cloud services from large US providers governed by legislation that allows disproportionate surveillance activities by the U.S. authorities.
The EDPB will publish a report on the outcome of this analysis before the end of 2022.
Alexander Egerton, Partner at Seddons, told City A.M.: “Using the cloud is likely to involve appointing a data processor so any privacy policy has to reflect that; there has to be thorough due diligence on the processor. A data processor contract will be needed setting out responsibilities and what happens if there is a breach.”
“Regardless of whether the cloud provider is a processor or independent data controller, if the cloud is outside the UK or EEA then the data transfer provisions of the GDPR need to be followed through. The French regulator, CNIL, has begun enforcement action against Google Analytics.”