To ask Her Majesty's Government whether the Government Digital Service has undertaken a risk assessment of UK Government data being held with US cloud providers following the judgment by the European Court of Justice in the Schrems II case; and what the outcome of any such assessment was.
17 September 2020
The Government Digital Service (GDS) is currently reviewing cross government cloud policy and guidance, including the Cloud First policy. This includes reviewing the cloud hosting market and associated regulatory environment.
GDS is currently undertaking a risk assessment of all of its services and products (including GOV.UK) in relation to cross-border data flows. The new ECJ judgment will be considered as part of this assessment. The assessment will identify relevant data flows and make sure appropriate mitigation is implemented if necessary, following updates and guidance from the Information Commissioner's Office (ICO) and the European Data Protection Board (EDPB). GDS has engaged with other government departments via data advisory groups and data protection networks to ensure consistent mitigation.
Ultimately, however, it is a decision for individual government organisations where and how to store their data, provided it is done in a secure way and offers good value for money.