EDPB determines privacy recommendations for use of cloud services by public sector

17 Feb 2023 Italy 5 min read

On 18 January 2023, the European Data Protection Board (“EDPB”) published a report about the results of a survey started in 2022 on the use of cloud services by public bodies.

The survey is part of the first coordinated enforcement action under the Coordinated Enforcement Framework (“CEF”), an action promoted by the EDPB in October 2020, in order to enhance enforcement activities and cooperation among the Data Protection Authorities (“DPAs”) in the European Union.

More than 100 public bodies in a wide range of sectors, including healthcare, finance, taxation, IT service provision and procurement, and education, have been contacted by the DPAs involved in the study. 

The investigation drew attention to a number of issues that usually occur in contracts with cloud service providers. According to the contractual practice examined by the EDPB, there is a significant imbalance of contractual power between public authorities and cloud providers, which is already evident in the pre-contractual phase and is likely due to the cloud providers' need to propose their own contract templates, for reasons that lie in the extreme heterogeneity of their customer base. These circumstances, according to the EDPB, have the effect of limiting the contractual weight of the public administrations.

Further points to be addressed in the relationship between cloud providers and public administrations include, inter alia: the lack of a risk assessment before entering into the contract; the difficulty of negotiating a contract tailored to the needs and peculiarities of public administrations; the absence of control over international transfers and over access to personal data by foreign public authorities; the lack of regulation of telemetry data processing; the lack of a clear determination of the respective roles of the parties; and the absence of audit powers on the part of public administrations.

In light of the issues raised, the EDPB has therefore pointed out a few key points for public bodies to consider when negotiating a contract with cloud providers.

  • Need to carry out a Data Protection Impact Assessment (“DPIA”) as from the pre-contractual stage.

    Although the processing of personal data by public bodies can easily give rise to a high risk for the rights and freedoms of data subjects, only 32% of the public bodies contacted replied that they had carried out a DPIA.
     
  • Clearly identify the privacy roles of the parties.

    Typically, the cloud provider acts as the data processor, while the public body is the data controller. Therefore, it must be ensured that the provider acts on behalf of the client and according to the client's instructions. This does not take away the fact that the service provider may regulate in the contract the possibility of processing the personal data of public bodies for its own purposes, thus acting as a data controller. In this case, the agreement must clearly define any possible processing activity by the cloud provider as a data controller. 
     
  • Provide for the right of the public entities to object to sub-processors.
  • Ensure that the personal data are sufficiently determined in relation to the purposes for which they are processed and that they are collected for explicit and specified purposes and not further processed for incompatible purposes.
  • Promote the participation of the Data Protection Officer when determining or accepting the relevant clauses. 
  • Cooperate with other public bodies in the negotiation with providers.

    It has been found that when several public entities cooperate in the negotiation with cloud service providers, or if one of them negotiates the same services on behalf of several entities, the imbalance in the negotiation is reduced. 
     
  • Ensure that the procurement procedure already envisages all the necessary requirements to achieve compliance with the GDPR.
  • In relation to the potential transfer of personal data to non-EU countries, (i) promptly identify the relevant legal grounds justifying the transfer, and (ii) verify whether the cloud provider is subject to the legislation of the destination country and whether this would entail an obligation to respond to access requests from the authorities to the data stored by the cloud provider.

While these elements have already been examined in detail in previous EDPB guidelines and opinions, the point regarding the processing of telemetry data, and its consequent contractual regulation, seems of greater interest.

The EDPB notes that all cloud providers process data on the use of their infrastructures and services (for example, resource identifiers, tags, security and access roles, rules, usage policies, permissions, and usage statistics by different kinds of users). This information may in principle qualify as personal data and should be regulated as such.

The report showed a lack of clarity regarding the role of cloud providers in processing telemetry data. In some cases, providers are attributed the role of data controllers, while in other cases they act as data processors acting on behalf of the data controller. The study revealed that many stakeholders seemed not to be fully aware of the processing of such data by cloud providers, of the possible transfers to third countries, of the risk involved in such processing, if any, and of the type of data collected.

To sum up, while the report has highlighted a few challenges that arise in the negotiation between cloud service providers and public bodies, the EDPB has provided scant suggestions on how they can be overcome. Once again, everything is left to the accountability of the data controller and the data processor.
