Jakub JirsÃ¡k - stock.adobe.com
GDS reviewing Cloud First policy post-Schrems II
Review seeks to determine the future of government engagement with cloud hosting services as they relate to cross-border data flows
The Government Digital Service (GDS) is conducting a review of cross-government cloud policy and guidance, including the future of the Cloud First policy, in light of the July 2020 Schrems II judgment that struck down the EU-US Privacy Shield arrangement.
The review was confirmed by Lord Agnew in response to written questions from fellow peer Lord Clement-Jones, who was seeking to establish what assessment the government has made of the use of US-based cloud providers to host UK government data in the UK, and what, if any, plans it has to revise its Cloud First policy.
“GDS is currently undertaking a risk assessment of all of its services and products (including Gov.uk) in relation to cross-border data flows,” said Agnew in his response. “The new ECJ judgment will be considered as part of this assessment.
“The assessment will identify relevant data flows and make sure appropriate mitigation is implemented if necessary, following updates and guidance from the Information Commissioner’s Office (ICO) and the European Data Protection Board (EDPB). GDS has engaged with other government departments via data advisory groups and data protection networks to ensure consistent mitigation.
“Ultimately, however, it is a decision for individual government organisations where and how to store their data, provided it is done in a secure way and offers good value for money.”
A previous review of the seven year-old Cloud First policy, which was conducted in 2019 in recognition of the growing appetite for hybrid IT deployments in the public sector, concluded that it was as relevant now as it was at its inception, and that its brand recognition in government was so strong that to make changes would not be beneficial.
The joint review conducted by GDS and the Crown Commercial Service (CCS) did, however, set out the creation of a new working group to explore how users can better balance technical and commercial needs when procuring cloud services to get best value for money while minimising the risk of being locked in with one supplier.
Read more about the Schrems II judgment
- Organisations exporting data to the US under Privacy Shield or overseas generally, whether under standard contractual clauses or binding corporate rules, need to urgently review the legal basis of these transfers.
- The striking down of Privacy Shield has been hailed as a victory for digital rights and privacy campaign groups, but it will have consequences that go beyond transatlantic data transfers.
- Talks begin on a successor to the Privacy Shield EU-US data-sharing agreement declared unlawful in July 2020 – a decision by the European Court of Justice that left thousands of businesses facing legal uncertainty.
The European Schrems II judgement was handed down in July 2020. The case dates back to a complaint against Facebook, filed in 2013 by Austrian activist and writer Max Schrems, over the practice of transferring the personal data of EU citizens to Facebook Inc in the US, breaching both EU data protection and human rights law.
In striking down Privacy Shield, the European courts found that the agreement failed to ensure Europeans have adequate privacy rights under US surveillance laws. Although a victory for privacy and freedom of speech campaigners the decision is causing uncertainty and disruption for organisations that transfer data between the US and the EU. Even though the UK has left the EU, the decision will likely impact data transfers between the two in the future.
The Cabinet Office had not responded for a request for comment at the time of publication.
Read more on Privacy and data protection
US offers concessions on surveillance and privacy as EU and US agree successor to Privacy Shield
Privacy Shield: One year on and companies are still grappling for answers
Irish High Court dismisses legal bid by Facebook over EU-US data transfers
Court to rule on Facebook data sharing after Schrems drops legal challenge against Irish regulator