On February 15, 2022, the European Data Protection Board (“EDPB”) issued a press release announcing the launch of its first coordinated enforcement action, under the Coordinated Enforcement Framework (“CEF”) established in 2020 (see section 3 below). The initiative will focus on the use of Cloud based services by the public sector and will involve 22 national supervisory authorities across the European Economic Area (“EEA”) plus the European Data Protection Supervisor (“EDPS”).
What is happening?
The EDPB has acknowledged that, following a significant increase in the use of cloud based services by public and private sector companies (notably in the context of the pandemic), “public bodies at national and EU level may face difficulties in obtaining Information and Communication Technology products and services that comply with EU data protection rules”. The EDPB thus intends to “foster best practices and thereby ensure the adequate protection of personal data” by public sector entities across Europe when they use cloud based services.
This coordinated action by supervisory authorities across the EEA and the EDPS (which oversees the EU Institutions) will address the activities of over 75 public bodies, including the EU Institutions, across a wide range of sectors (including health, finance, tax, education, central buyers or providers of IT services).
This initiative will be implemented at national level in “one or several of the following ways: fact-finding exercise; questionnaire to identify if a formal investigation is warranted; commencement of a formal investigation; follow-up of ongoing formal investigations. In particular, SAs will explore public bodies’ challenges with GDPR compliance when using cloud-based services, including the process and safeguards implemented when acquiring cloud services, challenges related to international transfers, and provisions governing the controller-processor relationship.”
The EDPB will publish a report on the results of the investigation before the end of 2022, and national supervisory authorities will decide on possible further national supervision and enforcement actions.
Cloud, a priority of the CNIL’s 2022 Investigation program
On the same day as the EDPB’s announcement of the CEF initiative, the French Supervisory Authority (“CNIL”) announced that cloud is one of three top priority topics of its own 2022 investigatory program. The CNIL’s announcement references the growing reliance on cloud-based services by the privacy and public sectors alike and the attendant data protection risks.
The CNIL‘s press release also indicates that it will participate in the CEF initiative in the public sector by investigating the use of cloud by five ministries.
Because the CNIL’s press release mentions the CEF initiative separately, it appears that the CNIL’s investigation will not be limited to the public sector, but is likely to cover the private sector as well. It will explore issues relating to international data transfers (“massive transfers of data outside the European Union to countries that do not provide an adequate level of protection”), data breaches in the event of incorrect configuration and the management of contractual relations between data controllers and cloud solution providers/processors.
What is the CEF?
The Coordinated Enforcement Framework was established by EDPB in October 2020. The EDPB considers that “the CEF is a key action of the EDPB under its 2021-2023 Strategy, together with the creation of a Support Pool of Experts (“SPE”). The two initiatives aim to streamline enforcement and cooperation among Supervisory Authorities (“SA”s).”
The EDPB refers to the CEF as a “rulebook” for coordinating recurring annual activities by EU and national supervisory authorities.
The objective is to “facilitate joint actions in a flexible but coordinated manner, ranging from joint awareness raising and information gathering to enforcement sweeps and joint investigations.”
The CEF provides a schematic overview of the CEF-lifecycle:
The EDPB prioritizes a certain topic for supervisory authorities to work on at the national level using the agreed-upon methodology. Each coordinated action will, in principle and if the resources allow, cover a period of one year.
Each supervisory authority determines the scope of its national involvement. Participation is not mandatory, though the aim is to maximize the participation.
During annual coordinated action, national supervisory authorities will share information and best practices. Following this, the EDPB will issue a report based on national findings and recommendations as to the follow-up (for instance follow-up enforcement action on a national level, or guidance on an EDPB-level).
The one-stop-shop mechanism remains unaffected by the CEF and applies whenever cross-border processing activities are involved.
We will report on further developments as the CNIL and other national supervisory authorities proceed with their CEF investigations, feeding into the EDPB report on public sector cloud concerns, along with any parallel investigations at national level relating to the impact of Schrems II on private sector cloud service providers.