Dutch DPA warns of privacy risks in US cloud storage

The Data Protection Authority (DPA) of the Netherlands sees major privacy risks in the use of US cloud environments among Dutch government agencies. The watchdog warned digitalisation minister Alexandra van Huffelen in a public letter.

The DPA wrote the letter in response to the minister’s plan to allow government agencies to store data in the (public) cloud environments of US providers like AWS, Microsoft Azure and Google Cloud. By allowing storage in large-scale clouds, the minister hopes to benefit government processes in the future.

Risky development

The DPA disagrees with the policy. According to the watchdog, the risks of storing government data in public US cloud environments have not been sufficiently considered. For instance, a clear map of the data collected by providers is missing.

According to the DPA, the policy calls for detailed case-by-case examinations of whether (meta)data is suitable for storage in US public clouds. The watchdog argues that providers could track the crashes and downtime of government applications. Such information could hide personal data, including file names or control texts for spell checkers.

In addition, the DPA says, cloud providers collect metadata to improve security, including information on the logins of officials. The exact information recorded is often undisclosed. These factors must be weighed carefully, the watchdog emphasizes. “If you don’t properly investigate risks, you can’t take measures to eliminate risks”, chairman Aleid Wolfsen said.

Furthermore, according to the DPA, the scope of the minister’s policy is incomplete. The proposed rules don’t apply to semi-independent government agencies that often process sensitive personal data, including the Central Bureau of Statistics (CBS). The watchdog advises the government to apply the conditions to these institutions as well.

GDPR-proof storage

The DPA urges the minister to be mindful of the risks involved in storing data in non-EU countries, as these countries don’t always adhere to the GDPR. When storing data in foreign environments, the government should carefully consider whether the country’s privacy rules are on par with the EU’s standards, the watchdog said.

The DPA advises the minister to give preference to cloud storage with European providers. The watchdog notes that promoting European providers can help them compete with US organizations, which currently have a major market share in the EU.

In a response to the letter, Van Huffelen said she takes the privacy regulator’s concerns to heart.
