Expert working group on the use of cloud

Background

Transfers of personal data to and from the EU/EEA are necessary for the expansion of international trade and international cooperation.

However, personal data concerning citizens in Denmark – in line with personal data concerning citizens in other European countries – enjoy special protection on the basis of European data protection law. One of the fundamentals of data protection law is that the level of data protection ensured by the rules in the EU/EEA must not be undermined by transfers of personal data to countries outside the area – to so-called third countries. In this respect the law contains specific requirements which must be met when transferring personal data to third countries. These requirements aim at ensuring an equivalent level of data protection to that in the EU/EEA for personal data transferred abroad.

In July 2020, the Court of Justice of the European Union clarified in its so-called Schrems II-judgment that the provisions on transfers of personal data to third countries generally presuppose that the level of data protection in the concerned third country must be essentially equivalent to that in the EU/EEA.

One of the most commonly used methods for an organisation to ensure an essentially equivalent level of protection and transfer personal data to third countries is to enter into a specific agreement with the organisation in the third country to which personal data will be transferred. This agreement is often designated as the EU Commission’s Standard Contractual Clauses (“SCCs”) and includes a number of obligations for both the data importer and data exporter as well as a number of rights for the data subjects which can be enforced against the two parties.

The Schrems II-judgment entails that organisations who transfer personal data to third countries on the basis of the SCCs must examine whether the SCCs themselves can ensure an essentially equivalent level of data protection to that in the EU/EEA. For instance, the SCCs may be inadequate if law enforcement authorities in the concerned third country may access the transferred personal data to a disproportionate extent, e.g. on the basis of surveillance programmes, as public authorities are not party to and bound by the SCCs.

If an essentially equivalent level of data protection cannot be afforded through the use of SCCs alone, the organisation must implement supplementary measures with the aim of bringing the collective level of data protection up to European standards.

Such supplementary measures may be technical, contractual and organisational. In some cases it may – depending on the specific laws and practices in the third country – be adequate to implement contractual and organisational measures. In many cases, however, it will be necessary to implement technical measures. This is, for instance, the case for certain types of transfers to the United States, as certain organisations in the US are subject to laws and practices which entail that the organisations must disclose personal data to law enforcement authorities to an extent which is incompatible with fundamental European law.

In the course of the 2nd half of 2020 and 1st half of 2021, the European Data Protection Board has issued a number of concrete recommendations for supplementary measures that organisations may implement in addition to the conclusion of the SCCs.

Nevertheless, the Danish Data Protection Agency recognises that this may still be a vast and complex task, especially for small and medium-sized organisations, and aims – to the furthest possible extent – to assist Danish organisations in accomplishing this task.

On this basis, the Danish Data Protection Agency (“the DDPA”) has decided to establish an expert working group on the use of cloud to support the DDPA’s work.

Purpose

The expert working group shall inter alia look into:

  • Challenges associated with the use of cloud services in light of recent legal developments
  • Possible actions and measures that may ensure a responsible and compliant use of cloud services
  • Technical and financial benefits and challenges with respect to the use of state-of-the-art technology and principles
  • Organisational procedures and guidelines that may be implemented by an organisation with respect to the use of cloud services

Task

The expert working group shall contribute to identifying possible, practical solutions and measures that may ensure that cloud services are used in compliance with data protection law, as well as support the DDPA’s general knowledge in the area.

On the basis of the expert working group’s output, the DDPA will draw up concrete recommendations and practical guidance to supplement the DDPA’s general guidance on the use of cloud. The DDPA intends for the guidance to be aimed at both organisations who deploy cloud services as controllers and at cloud service providers who develop and offer such services.

Organisation and process

The expert working group shall consist of up to 7 permanent members. Appointment of members to the expert working group will be done on the basis of applications.

The DDPA aims at ensuring that the expert working group is composed of members with a background in and experience from the research community as well as from private and public organisations. Members should have experience with technologies fit for ensuring confidentiality such as encryption and pseudonymisation or with implementation of cloud services more generally. Experience with both is, naturally, an advantage, but not a requirement.

Applicants will be assessed on the basis of their experience with one or more of the following topics and working areas: Cloud service delivery models, cloud infrastructure and architecture, confidential computing, migration to the cloud, information security in the cloud, security of the cloud, cryptography, key management, Public Key Infrastructure, homomorphic encryption, pseudonymisation techniques, multi-party computation, or similar disciplines relevant to cloud computing.

Members will be expected to attend and engage in meetings, which are expected to be held 3-4 times within the next 8-9 months. Additionally, members will be expected to submit written contributions between the meetings, e.g. to clarify former discussions or follow up on additional questions.

The DDPA notes that members will be selected both from this open recruitment call and by direct invitation by the DDPA, which will also occur on the basis of the selection criteria listed above.

If you want to become a member of the expert working group, send your application to the DDPA (dt@datatilsynet.dk) no later than Friday 8 April 2022 and substantiate your interest and qualifications. If you have questions concerning the application process or the expert working group in general, feel free to reach out to Information Security Specialist Allan Frank (afr@datatilsynet.dk), or Senior Legal Advisor Makar Juhl Holst (mjh@datatilsynet.dk).