EU DPAs start coordinated enforcement action on cloud in the public sector

The European Data Protection Board (EDPB) has today launched its first coordinated enforcement action on the use of cloud-based services by the public sector.

The DPAs are concerned about data transfers in light of the Schrems II ruling that invalidated the EU-US Privacy Shield. The DPAs says that the coronavirus pandemic made more public sector organisations start using cloud services. The aim of this initiative is to enhance compliance with the GDPR through coordinated guidance and action, and foster best practice.

The DPAs will send questionnaires to 75 public bodies across EEA countries to identify if a formal investigation is warranted. Any enforcement actions will be decided at the national level.

Two codes of conduct have been adopted at the EU level. The EU CLOUD Code of Conduct is addressed to cloud service providers, and the Cloud Infrastructure Service Providers Europe (CISPE) Code is addressed to cloud infrastructure service providers.

The EDPB will publish its findings on this exercise before the end of 2022.

See: EDPB - Launch of coordinated enforcement on use of cloud by public sector