On July 2, 2020, the Strategic Vendor Management Unit (SLM) of the Dutch Ministry of Justice & Security and the European Data Protection Supervisor (EDPS) hosted the second The Hague Forum for Cloud Contracting to assess the progress made in implementing the advice.
Following are some of the findings, opinions, and conclusions expressed during the meeting.
The Forum continues to be the information exchange platform to raise awareness that data protection by design and default are legal obligations. Suppliers need to demonstrate this principle to achieve a common approach to reach Europe’s digital data sovereignty.
Cloud services are a reality for Europe; they are here to stay. Therefore, European institutions must embrace the cloud’s innovations to provide the public services that citizens expect and deserve.
There are several cloud-specific challenges, mainly because Europe lacks cloud infrastructures and services of its own. Therefore, Europe is increasingly dependent on non-EU parties in the processing of its sensitive data. The challenge is to ensure that these cloud providers comply with the GDPR and European standards and requirements on cloud security, data portability, and energy efficiency.
In the case of Microsoft, SLM negotiated a GDPR-proof contract and introduced this to the municipalities and educational sector in the Netherlands. The objective is to get this contract available to other public sectors in the Netherlands and EU Institutions. That can only be achieved by a close collaboration of the Forum members and the national data protection agencies, guided by the Irish Data Protection Authority.
The EDPS has issued recommendations stemming from its investigation of the standard Microsoft Online Services Terms (OST), updated in January 2020 based on the work of SLM. The report has been published by the EDPS. The EDPS's main finding, and concern, is that Microsoft acts as a controller in several respects. In the report, the organisation offers recommendations to remedy this. The EDPS also made several recommendations to ensure continuity of protection when data is subject to transfer, location, and processing in third countries.
The GDPR and the EUDPR provide the regulations to include in contracts between the public administration as the controller and the external provider as the processor. EDPS, however, found two striking examples that did not sufficiently address these requirements.
First, the information provided was insufficient to object to or approve a sub-processor. Secondly, the regulation requires that the controller has the right to audit and inspect the processor. EDPS found that, in practice, this was not possible.
The measures EDPS recommends to all administrations: share your practical and professional knowledge, including when you identify data protection issues.
The new agreement between DG DIGIT and Microsoft focuses on several of the recommendations made by EDPS:
The contract groups all clauses relevant to data protection in one document that supersedes any other part of the agreement and cannot be modified unilaterally. The new DPA describes explicitly allowed and excluded processing purposes. It improves control over the deployment of sub-processors. It also includes safeguards that apply to Microsoft operations, particularly for dealing with third-country authorities’ disclosure requests.
A comparison between the version of the contracts by DG DIGIT and SLM brought to light several low, medium, and high risks. SLM has constructed a new appendix and amendment to remedy all these issues. These are available for other Member States or EU institutions, so they have the opportunity to use these, or similar language, in their contracts with Microsoft.
Concerning audits, the new DPA recognises that every controller has an individual audit right. However, Microsoft is open to joint audits, for obvious mutual benefits. This offers the opportunity to create an EU-wide customer audit group with the Member States and other EU institutions, to perform joint audits. These challenges could be met by creating a pool of experts for the European Data Protection Board. The joint audit could be one of the first challenges for such an expert pool to deal with.
European Cloud Federation
The Forum also received an update on the development of a European Cloud Federation to consolidate the current, and scattered, initiatives by the Member States and local cloud providers to lower the dependency on the large hyperscale providers.
The European Cloud Federation builds on, and converges, existing cloud infrastructures and services, such as the Franco-German initiative GAIA-X. Data is stored and processed in common European data spaces. The European Cloud Rulebook clarifies the applicable legislative framework and provides self-regulatory measures, such as codes of conduct on data protection and data portability in the cloud. The Rulebook supports the public procurement of cloud services.
A shared European marketplace, similar to G Cloud in the UK, will give visibility to the supply of cloud infrastructure and services. It is a point of entry for public administrations to procure those services from the European Cloud Federation or other providers.