Investigation launched into use of cloud services by public sector

©CanStockPhoto photochecker

(16 February 2022) EPSU welcomes the launch of a coordinated enforcement action into the use of cloud services by the public sector.

The European Data Protection Board has announced its first coordinated action which will bring 22 national regulators together to ensure privacy safeguard compliance. Over 75 public bodies in total will be addressed across the EEA, including EU institutions, covering a wide range of sectors (such as health, finance, tax, education, central buyers or providers of IT services). The results will be analysed with a coordinated approach with a final report expected towards the end of 2022.

This investigation into cloud-based services is long overdue. According to EuroStat, cloud uptake by enterprises doubled across the EU in the last 6 years. More and more public sector services are now outsourcing data to private cloud services operated by multinational corporations such as Microsoft or Amazon. Such contracts raise questions around data protection – without mentioning these cloud providers’ questionable records on workers’ and trade union rights.

EPSU has previously argued that data should be processed through publicly owned cloud services. It is vital that regulators examine these issues – including on a European level – and seriously consider the alternative of publicly owned cloud services.

The regulators should include in their investigation the role of GAIA-X, the private sector grouping that seeks to write the EU rules for the use of cloud services. This group includes Chinese and US tech companies like Amazon Web Services. The European Data Protection Supervisor already  investigates if the European institutions like the Commission and European Parliament are in compliance with data protection rules when they use cloud services provided by Amazon Web Services and Microsoft and when data is transferred to non-EU countries, in particular to the US. The regulators should be aware of the lobby of the big tech companies in the EU, and resolutely compare with publicly owned options for cloud services.