EDPB adopts opinions on first transnational Codes of Conduct for cloud service providers

Other Authors     Salome Peters, Legal Intern

Codes of conduct are documents prepared by associations and other bodies that demonstrate how the General Data Protection Regulation (“GDPR”) applies and can be complied with by participants in particular industries and sectors  under Article 40 of the GDPR. Businesses may voluntarily adhere to codes of conduct to demonstrate their ability to comply with the GDPR.

A Code of Conduct has been prepared in Belgium related to cloud service providers (the “EU CLOUD Code of Conduct”, available here) and a Code of Conduct has been prepared in France relating to Cloud Service Infrastructure Providers (“CISPE”; the “CISPE Code of Conduct”, available here). Both Codes of Conduct are intended to provide practical guidance for data processors in the European Union (“EU”). Draft approval decisions have been prepared by the Belgian and French data protection authorities respectively, and the Codes of Conduct have been welcomed in opinions 16 and 17 of the European Data Protection Board (“EDPB”) on 20 May 2021.  It is expected that the Belgian and French data protection authorities will now finalise their decisions to approve the codes.

EU CLOUD Code of Conduct

The draft decision of the Belgian authority relates to the EU CLOUD Code of Conduct for cloud service providers including providers of internet based applications, processing capability, storage and memory.

The EU CLOUD Code of Conduct was developed by the EU Cloud Code of Conduct General Assembly, an association of several European companies and organisations involved in cloud computing, based on input by supervisory authorities. It is broad ranging and suitable for providers of Software-as-a-Service (“SaaS”), Platform-as-a-Service (“PaaS”) and also Infrastructure-as-a-Service (“IaaS”). Current adopters of the code include industry leaders in cloud hosting products, as well as smaller cloud based application providers.

The EU CLOUD Code of Conduct provides cloud specific recommendations and approaches for GDPR compliance. It includes a road map correlating requirements of the code to the GDPR and to international standards such as ISO 27001 and 27018, as well as a governance section designed to support the effective and transparent implementation and management of the code. The code aims at making it easier for cloud customers (particularly SMEs and public organs) to determine whether cloud services are appropriate for their intended purpose and increasing the trust of cloud customers in the work of cloud service providers.

CISPE Code of Conduct

The draft decision of the French authority relates to the CISPE Code of Conduct for cloud infrastructure service providers.

CISPE is an association of cloud infrastructure service providers in Europe with 34 members which have headquarters in 14 EU Member States. Current adopters of the code also include large cloud hosting providers, as well as smaller providers of cloud back up services.

The CISPE Code of Conduct aims to support organisations in accelerating the development of cloud-based services for businesses, institutions and consumers in compliance with the GDPR. It focuses solely on the IaaS sector. Because the nature of cloud infrastructure services is different from other cloud services, it requires a more specific code of conduct.  The CISPE Code of Conduct sets out best practices and practical guidance for cloud infrastructure service providers so that they can improve their data protection measures and provide transparency to their customers. The code provides guidance on the responsibilities and specific roles of cloud infrastructure service providers in relation to these aims. For example, an IaaS provider shall provide information to its customers including about the security measures the IaaS provider has implemented and the responsibilities of the IaaS provider and its customers. The code also sets out technical and organizational security practices intended to create a ‘security baseline’ for cloud IaaS providers.

In order to encourage GDPR compliance, the code sets out the relevant requirements of the GDPR and the code's industry specific requirements in relation to the same area. For example, under Article 28(3) GDPR, a data controller must enter into a contractual relationship with a data processor. The CISPE Code of Conduct supplements this with certain details such as the need for service contracts which are flexible enough so as to not inhibit customers choosing to change their purposes for using the infrastructure at any time.

Opinion of the EDPB

The EDPB states that both draft codes are in compliance with the GDPR and has welcomed efforts made to produce practical and cost effective tools.

In particular, the EDPB welcomed that both codes were created as part of a collaborative process between industry members and relevant stakeholders in accordance with recital 99 of GDPR.

The EDPB also commented positively on the mechanism for participants to adhere to both codes which includes ongoing monitoring and the possibility of third party audits.

International transfers of personal data

Both codes of conduct contain provisions on transfers of personal data to third countries (such as that adherents must ensure that data transfers only take place upon instructions from the controller, and that appropriate safeguards under Article 46 GDPR, such as Standard Contractual Clauses, are in place). Adherence to both codes of conduct is intended to demonstrate compliance under Article 28(5) GDPR, but is not intended to serve as a third country transfer safeguard under Article 46(2)(e) of the GDPR. The ongoing so called "Third Country Transfer Initiative" of the EU Cloud Code of Conduct General Assembly is currently developing an on-top Module to the EU Cloud Code of Conduct that intends to create a dedicated safeguard for third country data transfers.

What this means for businesses

The EDPB opinions provide clarity that these codes of conduct are GDPR compliant. Providers of cloud services and cloud infrastructure services, as well as their customers, may rely on the codes of conduct as useful tools to demonstrate compliance with GDPR and with practices which may become industry standard.

Both codes are suitable for large and small businesses, and set out a clear adoption process. However, businesses should consider the cost of the ongoing requirements associated with adherence. For example submitting an annual review of compliance is compulsory under the EU Cloud Code of Conduct.

Customers, or future customers, of cloud service providers may consider referring to these codes as a way of demonstrating compliance with GDPR. However, the EDPB noted that the codes do not waive a data controller’s obligation to ensure compliance for all the processing operations carried out on its behalf. For example, the CISPE Code of Conduct does not apply to all elements of Article 28 of the GDPR. This means that data controllers must still enter into appropriate arrangements with data processors covering all of the requirements.

Given the EDPB’s positive view on these codes, we may see an increase in new, industry specific, codes of conduct with a transnational scope in the future.