EDPB determines privacy recommendations for use of cloud services by public sector & adopts report on Cookie Banner Task Force

18 January 2023

Brussels, 18 January - Commissioner for Justice Didier Reynders participated in the Plenary meeting. He presented the draft adequacy decision for the EU-U.S. Data Privacy Framework to the Board and had an exchange of views with its Members. The Board is currently working on its opinion on the draft decision, which will be finalised in the coming weeks.

The EDPB has adopted a report on the findings of its first coordinated enforcement action, which focused on the use of cloud-based services by the public sector. The EDPB underlines the need for public bodies to act in full compliance with the GDPR and includes recommendations for public sector organisations when using cloud-based products or services. In addition, a list of actions already taken by data protection authorities (DPAs) in the field of cloud computing is made available. 

Andrea Jelinek, Chair of the European Data Protection Board said: “The Coordinated Enforcement Framework (CEF) pilots deeper collaboration methods between DPAs to achieve better efficiency and consistency. Across Europe, public sector organisations are turning to cloud services and they face difficulties in obtaining GDPR-compliant services and products. Personal data handled by public services must be treated with utmost care, especially when processed by a third party. The EDPB CEF 2022 report provides a useful yardstick for this and I trust it will become an important point of reference for public bodies looking at sourcing GDPR-compliant cloud services.”

In the course of 2022, 22 DPAs across the EEA (including the EDPS)* launched coordinated investigations into the use of cloud-based services by the public sector.

Around 100 public bodies in total were addressed across the EEA, including European institutions, covering a wide range of sectors (such as health, finance, tax, education, buyers and providers of IT services).

The CEF is a key action of the EDPB under its 2021-2023 Strategy, aimed at streamlining enforcement and cooperation among SAs. The CEF 2023 action will be on the designation and role of the Data Protection Officer (DPO).

In addition, the EDPB adopted a report on the work undertaken by the Cookie Banner Task Force, which was established in September 2021 to coordinate the response to complaints concerning cookie banners filed with several EEA DPAs by NGO NOYB. The Task Force aimed to promote cooperation, information sharing and best practices between the DPAs, which was instrumental in ensuring a consistent approach to cookie banners across the EEA. In the report, the DPAs agreed upon a common denominator in their interpretation of the applicable provisions of the ePrivacy Directive and of the GDPR, on issues such as reject buttons, pre-ticked boxes, banner design, or withdraw icons.

*Further information on national cloud projects: