Expert working group on the use of cloud

Background

Transfers of personal data to and from the EU/EEA are necessary for the expansion of international trade and international cooperation.

However, personal data concerning citizens in Denmark – in line with personal data concerning citizens in other European countries – enjoy special protection on the basis of European data protection law. One of the fundamentals of data protection law is that the level of protection ensured by the rules in the EU/EEA must not be undermined by transfers of personal data to countries outside the area – so-called third countries. The law therefore contains specific requirements which must be met when transferring personal data to third countries. These requirements aim at ensuring a level of protection for the transferred personal data that is equivalent to that in the EU/EEA.

In July 2020, the Court of Justice of the European Union clarified in its so-called Schrems II judgment that the provisions on transfers of personal data to third countries generally presuppose that the level of data protection in the third country concerned is essentially equivalent to that in the EU/EEA.

One of the most commonly used methods for an organisation to ensure an essentially equivalent level of protection when transferring personal data to a third country is to enter into a specific agreement with the organisation in the third country to which the personal data will be transferred. This agreement usually takes the form of the European Commission's Standard Contractual Clauses ("SCCs"), which include a number of obligations for both the data importer and the data exporter as well as a number of rights for the data subjects that can be enforced against the two parties.

The Schrems II judgment entails that organisations that transfer personal data to third countries on the basis of the SCCs must examine whether the SCCs alone can ensure a level of data protection essentially equivalent to that in the EU/EEA. For instance, the SCCs may be inadequate if law enforcement authorities in the third country concerned can access the transferred personal data to a disproportionate extent, e.g. on the basis of surveillance programmes, since public authorities are neither party to nor bound by the SCCs.

If an essentially equivalent level of data protection cannot be afforded through the use of the SCCs alone, the organisation must implement supplementary measures aimed at bringing the overall level of data protection up to European standards.

Such supplementary measures may be technical, contractual or organisational. In some cases it may – depending on the specific laws and practices in the third country – be sufficient to implement contractual and organisational measures. In many cases, however, it will be necessary to implement technical measures. This is, for instance, the case for certain types of transfers to the United States, as certain organisations in the US are subject to laws and practices under which they must disclose personal data to law enforcement authorities to an extent that is incompatible with fundamental rights under EU law.

During the second half of 2020 and the first half of 2021, the European Data Protection Board issued a number of concrete recommendations on supplementary measures that organisations may implement in addition to concluding the SCCs.

Nevertheless, the Danish Data Protection Agency recognises that this remains a vast and complex task, especially for small and medium-sized organisations, and aims, to the furthest extent possible, to assist Danish organisations in accomplishing it.

On this basis, the Danish Data Protection Agency (“the DDPA”) has decided to establish an expert working group on the use of cloud to support the DDPA’s work.

Purpose

The expert working group shall inter alia look into:

  • Challenges associated with the use of cloud services in light of recent legal developments
  • Possible actions and measures that may ensure a responsible and compliant use of cloud services
  • Technical and financial benefits and challenges with respect to the use of state-of-the-art technology and principles
  • Organisational procedures and guidelines that may be implemented by an organisation with respect to the use of cloud services

Task

The expert working group shall contribute to identifying possible, practical solutions and measures that may ensure the use of cloud services in compliance with data protection law, as well as support the DDPA's general knowledge in the area.

On the basis of the expert working group's output, the DDPA will draw up concrete recommendations and practical guidance to supplement the DDPA's general guidance on the use of cloud. The DDPA intends for the guidance to be aimed both at organisations that deploy cloud services as controllers and at cloud service providers that develop and offer such services.

Organisation and process

The DDPA has aimed to put together an expert working group of members who have both practical and theoretical experience with, and knowledge of, cloud services.

The DDPA's expert group consists of:

  • Paul Ahlgren, Principal Security Strategist, Amazon Web Services
  • Stephen Alstrup, Professor, University of Copenhagen
  • Carsten Baum, Assistant Professor, Aarhus University
  • Bernardo Machado David, Associate Professor, IT University of Copenhagen
  • Frank Bech Jensen, Head of Compliance and Security, itm8
  • Ole Kjeldsen, Director of Technology and Security, Microsoft Denmark
  • Gert Læssøe Mikkelsen, Head of Security Lab, Alexandra Institute
  • Christian Provstgaard, Senior Consultant, Silverbullet
  • Ole Tange, IT policy advisor, PROSA

The DDPA expects to meet with the expert working group 3-5 times during 2022.

The recommendations and guidance will be sent out for public consultation when they are available.