Supervisory authorities step up data protection controls in the public sector
SECURITY INSIGHTS | 25 February 2022
Data protection and GDPR compliance in the cloud is a sensitive issue, not least for government agencies – this is where sensitive data is stored and processed. At the same time, the coronavirus pandemic has accelerated digitalization in the public sector. EU data protection experts are now checking whether all regulatory requirements have been complied with.
In cooperation with EU supervisory authorities, the European Data Protection Supervisor has launched an investigation into cloud use in the public sector. This is the first coordinated enforcement effort by the European Data Protection Supervisor (EDPS). As early as last year, the EU Parliament had called for more consistent enforcement of the regulatory requirements from the European General Data Protection Regulation (GDPR).
In addition to the private sector, the public sector has also undergone accelerated digitalization in the wake of the COVID-19 pandemic. Cloud-based services were introduced in many administrative institutions to maintain operations. The compliant use of such services represents a massive challenge against the backdrop of the stringent requirements for the protection of personal data imposed by the GDPR. EU data protection authorities fear that the ability to maintain operations in this exceptional situation has meant that data protection issues have been given a back seat in some instances.
More than 75 public sector institutions in the European Economic Area (EEA) are under scrutiny by the supervisory authorities, including institutions in the healthcare, finance, tax and education sectors as well as central purchasers or providers of IT services. Their investigations into cloud use concentrate on:
Implemented processes and safeguards
International data transfers
Provisions regulating the relationship between controller and processor
Should the data protection experts find glaring deficiencies in their investigations, this may lead to far-reaching consequences for the affected government agency. These include the additional costs incurred in modifying the implemented solution, service outages, and additional expenses for any change of provider.
The supervisory authorities intend to analyze the results of their investigations in a coordinated manner and consult on further enforcement measures. In addition, a report with the aggregated results is scheduled to be published before the end of 2022.
The discussion about the legally secure use of cloud services became more highly charged in the summer of 2020. The European Court of Justice (ECJ) ruling on “Schrems II” toughened the prevailing legal situation by invalidating Privacy Shield. Since then, administrative authorities can no longer rely on an adequacy decision pursuant to Article 45 of the GDPR when transferring sensitive data for processing to cloud service providers in the U.S. As an alternative, there is still the option of using standard contractual clauses (SCC) or binding corporate rules (BCR) to agree on the legal security of data transfers, but this is extremely difficult in most cases. In its ruling, the ECJ emphasizes that the data exporter bears responsibility for verifying the level of protection: personal data must essentially enjoy protection in the third country equivalent to that under the GDPR. Otherwise, guarantees must be implemented via additional security mechanisms such as pseudonymization and encryption in accordance with Article 46 of the GDPR.
While the enforcement of applicable data protection regulations in the public sector is only just being ramped up, the private sector has been facing such investigations for quite some time. Since last fall in particular, an increasing number of German companies have been receiving letters from the data protection authority asking them to justify their use of a U.S. cloud service provider. Companies that are unable to guarantee the legally compliant transfer of sensitive data must immediately terminate the transfer of data or may ultimately even be forced to change their service provider.