EU to probe use of cloud services across EU bodies, overseas data transfers
The European Data Protection Board (EDPB) has announced plans to probe the use of cloud-based services across EU public bodies as part of an effort to investigate GDPR compliance and detect possible data transfers of EU data overseas.
“In the coming months, 22 national supervisory authorities across the EEA [European Economic Area] will launch investigations into the use of cloud-based services by the public sector,” the EDPB said on Tuesday.
“Over 75 public bodies in total will be addressed across the EEA, including EU institutions, covering a wide range of sectors (such as health, finance, tax, education, central buyers or providers of IT services),” the agency added.
The EDPB said the action will take place at a national level and will be led by the local agencies that were tasked by the member states with the safeguarding of citizen data and GDPR compliance.
These supervisory authorities (SAs) will be responsible for investigating EU agencies headquartered within their country, determining their use of cloud-based services, and deciding if a formal investigation is needed.
“In particular, SAs will explore public bodies’ challenges with GDPR compliance when using cloud-based services, including the process and safeguards implemented when acquiring cloud services, challenges related to international transfers, and provisions governing the controller-processor relationship,” the EDPB said.
The EU-wide investigation comes after the EDPB began investigating the use of Amazon and Microsoft-based cloud services by EU public bodies last year, with the agency being concerned about the broad transfer of EU personal data to the United States and how this data could be opened to collection by US intelligence agencies using broad and secret legal mechanisms.
This was particularly concerning to the EDPB because usage of cloud-based services across the EU government apparatus has doubled in the last six years, with adoption skyrocketing primarily because of the recent COVID-19 pandemic and the need for remote working capabilities.
The agency said it expects to publish a final report by the end of the year.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.