The Dutch data protection authority ('AP') published, on 14 November 2022, a letter requesting the State Secretary of Digitisation, Alexandra van Huffelen, to take action to address privacy risks in the government cloud policy. In particular, the AP highlighted that the privacy risks have not been adequately mapped out in the cloud policy, including the risks associated with storing personal data outside of jurisdictions subject to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and whether such jurisdictions data protection regimes are deemed adequate.

More specifically, the AP outlined that for cloud providers from jurisdictions where personal data is less well protected, such as the US, the Dutch Government must assess the risks in advance and ensure that personal data is safe. Notably, the AP suggested the carrying out of a Transfer Impact Assessment ('TIA') prior to the deployment of a cloud service, which would allow for the identification of measures to ensure that personal data may be safeguarded. Moreover, the AP noted that changes in the law of third countries must be monitored, in order to ensure that the transfer of personal data remains lawful.

Furthermore, the AP provided that the cloud policy is too non-committal, and that independent administrative bodies are not obliged to follow the same, despite the possession of large volumes of sensitive personal data.

You can read the statement here, the letter here, and the cloud policy here, all only available in Dutch.