The European Union is starting an investigation into public institutions that purchase services from cloud providers. In the coming months, 22 European privacy and data authorities will set out to uncover GDPR violations by cloud providers and their public sector customers.

75 European institutions will be surveyed. These institutions include hospitals, banks, tax authorities and IT providers with governmental ties. The investigation focuses explicitly on providers and institutions. Since both have a stake in the processing of personal data, both require investigation.

Should a provider or institution not comply with the GDPR, the privacy and data authorities determine whether a criminal investigation is necessary. Investigators are not meant to take direct action. The European Data Protection Board (EDPB) wants to understand if and why government agencies and cloud providers are violating the GDPR.

The EDPB will appoint multiple investigation teams. The teams focus on the agreements that cloud providers and customers make, the way government agencies use their cloud services and the way data is exchanged internationally.

Controllers and processors

European criticism of big tech privacy policies has been mounting in the past months. International transfers of personal data regularly take place illegally. However, the responsibility for data processing seldom lies with a provider. That’s why the new European investigation covers both government agencies and providers.

The terms ‘controller’ and ‘processor’ are regularly used in the GDPR. The terms serve to distinguish between organizations that have data processed (controllers) and organizations that process data on their behalf (processors). Both groups must abide by rules. Their relationship is similar to that of a construction company (contractor) and a housing corporation (client). When a construction company causes massive damage during an assignment for a housing corporation, the housing corporation may be partially liable for the damage.

Clients almost always bear some responsibility for the work of their contractors. Digital laws are no exception to the rule. Your privacy is in the hands of providers and their customers. With that in mind, the investigators set out.