It has been nearly a decade since former European Commission Vice President Neelie Kroes pitched plans for an EU Code of Conduct for cloud services. In 2012, data protection was very much a nascent field on European soil: There was no EU General Data Protection Regulation and privacy had hardly reached the priority files of European regulators and was far from an issue at the forefront of public minds.
Nevertheless, public and private stakeholders recently gathered to announce the finalization of the first approved code under the GDPR that harked back to Kroes’ original ambitions.
On May 19, 2021, the European Data Protection Board filed a favorable opinion on the code, paving the way for the Belgian Data Protection Authority, the lead body behind the initiative, to issue formal approval, rendering the agreement operational since the end of last week. The code pledges to provide legal certainty for cloud service providers seeking to demonstrate compliance with the bloc’s data protection rules.
The 2012 European Cloud Strategy had first put forward the idea of fostering greater public and private synergies in Europe’s cloud ecosystem with the establishment of the European Cloud Partnership. Kroes announced shortly after that the commission had been working in parallel on a code of conduct for cloud services, which she hoped would be finalized by mid-2014.
As part of a launch event for the EU’s Cloud Code of Conduct on May 20, 2021, Kroes conceded she hadn’t expected it to have taken so long to complete talks on the agreement, but that in the past decade there were several significant changes in Europe’s data protection landscape that had interrupted progress.
“Part of the reason for this delay are the many developments we saw over past years in the era of privacy and security in Europe,” Kroes said. “We saw the GDPR coming into force, new cybersecurity frameworks and certifications being introduced, and the code has managed to incorporate successfully all these elements.”
Meanwhile, Belgian Secretary of State for Digitization Mathieu Michel praised the code in its efforts to foster collaboration between regulators and industry representatives.
"It demonstrates the potential of the collaboration between public authorities, industries and regulatory authorities in promoting and implementing data protection standards, an essential element of the GDPR," Michel said.
For their part, the industry was also keen to highlight the benefits of the code, with Alibaba Cloud’s ShanShan Pa telling The Privacy Advisor that it allows CSPs to demonstrate “legally binding compliance with the GDPR and fulfill service providers’ obligations to customers.”
Key details: GDPR, monitoring, independence
Article 40 of the GDPR lays out the legal requirements for the relevant establishment of codes of conduct and encourages public and private collaboration in the conception of such agreements as a means of fostering a proper application of the bloc’s data protection rules.
And just as relevant for the code’s members, which range from larger players, such as Google Cloud, Microsoft and Cisco, to smaller actors, such as Fabasoft, Okta and Secure Appbox, Article 28(5) of the GDPR is key in improving trust in cloud services, allowing these players to "demonstrate sufficient guarantees" for data protection compliance by way of their membership.
The code itself specifically covers business-to-business cloud services and lays out a series of requirements for service providers to prove their adherence to data protection regulation.
Article 41 of the GDPR also calls for an independent monitoring body to take the reins in guaranteeing the compliance of members. In this vein, the Belgian DPA has accredited Scope Europe, a third-party organization, as the monitoring body for the code, tasked with ensuring compliance from members.
As part of last week’s event, Scope Europe was pressed as to how it could guarantee its independence in the operations, bearing in mind its German parent company, the Self-Regulation Information Economy, counts as its own members some of the signatories to the code itself.
In response, Scope Europe’s Jörn Wittmann said that the role of the organization would be subject to the oversight of the Belgian DPA, noting safeguarding independence was a key ingredient from the beginning.
“We worked really hard together and designed the concept that makes clear that any kind of decision and any kind of assessment cannot be influenced by the companies that are involved in the process,” he said.
Three levels of compliance
The code contains three levels of compliance for which service providers can apply.
The first level involves the applicant conducting an internal review of its own conformity and then submitting this evidence to Scope Europe for further review. The second level allows cloud service providers to submit additional evidence of partial compliance from independent third parties. The third level demonstrates full compliance with the code as evidenced by third-party certificates and audits.
While the third level of compliance allows for CSPs to demonstrate more robust compliance standards, Scope Europe’s Wittmann believes the three different levels allow for micro- and smaller enterprises, often with vastly reduced resources when compared to the larger players, to have the capacity to meet the code’s requirements.
“There is something for all market players,” he said. “The question is how strongly you want to prove certain things to your users.”
Moreover, Belgian DPA Chairman David Stevens believes pitching the highest level of compliance to businesses that may have only a basic understanding of the GDPR serves little purpose.
“We're looking for balance here, we shouldn't under formalize, we shouldn't over formalize,” he said at the recent red-ribbon event. “And for some, the monitoring body will be sufficient and level one will be sufficient.”
“If you're a bigger player, have a higher risk and more sensitive data, then additional formalization can be necessary.”
International data transfers
At a time when the EU faces an uncertain future with regards to the legality of trans-Atlantic data transfers following the Court of Justice of the European Union's "Schrems II" ruling, the EU Cloud Code of Conduct is also charting future additions to cover the international transfer of data.
And, despite some reticence from EU data protection authorities, Scope Europe’s Wittmann is optimistic that additional modules to the code may be able to provide some sort of a legal safeguard for firms to transfer data to third countries.
However, while work is ongoing on a specific module to cater for international data transfers, as part of their approval of the plans last week, the EDPB said that the code, as it stands, is “not to be used in the context of international transfers of personal data.”
The approval of the EU code came in the same week as the EDPB issued a positive response to the draft approval by the French data protection authority, the Commission nationale de l'informatique et des libertés, of CISPE’s code of conduct for cloud infrastructure service providers, which is regarded as having a narrower scope.
And the recent approvals come at a time when many stakeholders in Europe are waiting patiently for the finalization of the commission’s standard contractual clauses, expected in the very near future, as well as for the possibility of thrashing out a new trans-Atlantic data accord, after the CJEU annulment of the Privacy Shield last year.
In this context, it is a pertinent time to see the industry make more of a concerted effort to demonstrate compliance with EU data protection rules. This is not least due to the fact that May 25 marks the third anniversary of the application of the GDPR and the necessary debate over the efficacy of the regulation that so often accompanies it.