A network of more than one hundred and thirty Dutch chief information officers says that most Dutch and European companies do not comply with the GDPR. This would be due to the use of US cloud services that violate the law.
These American cloud services would not enable the purchasing companies to comply with European privacy law and would not be transparent about what they do with customer data. That is what the CIO Platform says to the Financieele Dagblad . The platform therefore asks governments in the newspaper to force software suppliers to comply with the GDPR legislation. As far as CIOs are concerned, companies such as Amazon, Google or Microsoft should only offer their cloud services in the EU if they themselves comply with the rules.
According to CIO Platform chairman Arthur Govaert, there is a flaw in the GDPR that requires the user to provide software that complies with the law. Govaert, also CIO of Radboudumc, states that the maker of the software should be responsible for the privacy security of a service. The chairman said that companies ‘hardly’ have a negotiating position with the American cloud providers, which means that Dutch and European companies have to bear almost all the costs in order to comply with the privacy law.
Govaert gives as an example that the software use and productivity of doctors and nurses at Radboud university medical center could be monitored by Microsoft in the United States. It was only when the Dutch government negotiated with Microsoft for a year and a half and carried out ‘great pressure’, that Microsoft was able to guarantee that the privacy of employees at ministries, university hospitals and other government bodies was protected. Individual companies would not have such a negotiating position; switching to another supplier would be ‘practically impossible’ due to the costs and time involved.
The Dutch Data Protection Authority tells the newspaper that American cloud services ‘by no means always’ comply with the GDPR. The AP is also worried that purchasing companies have to find out a lot about this. The regulator would ‘like to help companies with this’, but because of a lack of money, that would not work.
Amazon tells the newspaper that it has been compliant with the GDPR since 2018, Microsoft says it always ensures that it complies with all legislation. Google said in a response that data security is “at the heart” of how products are designed and built at the company.