EU Cloud Code of Conduct explained

The EU Cloud Code of Conduct (abbr. "EU Cloud CoC" also known by its extended title "EU Data Protection Code of Conduct for Cloud Service Providers") is a transnational Code of Conduct pursuant Article 40 of the European General Data Protection Regulation (GDPR).[1]

The code defines clear requirements for cloud service providers (CSPs) to implement Article 28 GDPR[2] and all its related articles, which covers the processing activities of every type of personal data.[3]

Encompassing all cloud service layers (including but not limited to IaaS, PaaS, and SaaS),[4] the code allows cloud service providers to demonstrate GDPR compliance in their role as processors, which is overseen by an accredited monitoring body,[5] as required by Article 41 GDPR.[6]

History

The work on the code started in 2012 when former vice president of the European Commission, Neelie Kroes, launched the European Cloud Strategy.[7] [8] In that context, a dedicated working group was created with the task to draft a cloud code of conduct under the Data Protection Directive.

One of the primary goals of drafting such code was to increase trust and amplify the adoption of cloud computing across the European Union.[9] The first draft produced by the working group was submitted to its first assessment in January 2015, which was then performed by the Article 29 Working Party.[10]

With the introduction of the GDPR, the code had to be adapted accordingly and by 2017,[11] the European Commission fully handed over the project to the industry.[12]

Still in 2017, six companies coming from that working group (Alibaba Cloud, Fabasoft, IBM, Oracle, Salesforce and SAP) founded the EU Cloud CoC General Assembly and assigned SCOPE Europe as its monitoring body and secretariat.[13] [14]

After several exchanges with supervisory authorities and related revisions,[15] the final version of the EU Cloud CoC was submitted to the Belgian Data Protection Authority for approval in 2019. According to the timestamps of the code versions published on the initiative's website, the code evolved further after submission and until its approval in May 2021. Such continued development of codes of conduct is expected, following the European Data Protection Board's Guidelines 1/2019 on codes of conduct and monitoring bodies under Regulation 2016/679.[16]

The code has been approved[17] by the Belgian Data Protection Authority as of May 20, 2021,[18] following a positive opinion issued by the European Data Protection Board.[19] [20]

Scope and structure of the code

The EU Cloud CoC allows CSPs to prove and demonstrate compliance within the scope of Article 28 GDPR and all its related Articles. Therefore, the EU Cloud CoC comprehends CSPs data protection obligations when processing any kind of personal data and its requirements are applicable to all cloud offerings (including but not limited to IaaS, PaaS, SaaS).[21] [22]

There are five sections that together compose the core structure of the code, namely, Scope, Data Protection, Security Requirements, Monitoring and Compliance and Internal Governance.[23] [24]

Besides the main text, the code is accompanied by a controls catalogue, which was designed to map the code’s requirements to auditable elements, the “Controls”, and to all corresponding GDPR provisions. Additionally, the controls catalogue also provides a mapping to relevant international standards (such as ISO 27001, ISO 27017, SOC 2 and BSI C5).[25]

Organizational structure

The organizational structure of the EU Cloud CoC is covered under its Internal Governance Section, which describes the rules and procedures applied for the code’s management. The referred Section lays out the organizational framework of the code itself, as well as of its bodies, namely, the General Assembly,[26] the Steering Board, and the Secretariat.

Dedicated monitoring body

The GDPR requires an independent monitoring body[27] to guarantee the appropriate implementation of its provisions.

In May 2021, SCOPE Europe has been officially accredited by the Belgian Data Protection Authority as the dedicated monitoring body of the EU Cloud CoC.[28]

According to GDPR, the monitoring body shall be responsible for performing an ongoing due diligence. Under the EU Cloud CoC, besides being subjected to an initial assessment to become adherent to the code, CSPs are reevaluated on an annual basis.

Additional assessments can also be triggered by justified complaints, media reports, new legislations, publications and Guidelines from Data Protection Authorities and any other relevant development that can potentially affect adherence to the code.

A CSP can opt for three Levels of Compliance[29] once declaring adherence to the EU Cloud CoC. Those levels relate solely to the type of evidence that is subjected to the review of the monitoring body. Nevertheless, each of those levels demands compliance to all the code’s requirements.

Membership and supporters

Membership to the code is open to any CSP as long as they agree with the approach and principles established in the code. In that regard, the EU Cloud CoC offers two main membership options, the first being dedicated to CSPs and the second covering any entity that is not a CSP and wishes to join the initiative as supporter.

Within the CSP membership umbrella, a tailored pricing scheme[30] is in place, which takes into consideration the needs of different company sizes allowing for accessibility for Small and Medium Enterprises (SMEs).

Today, the EU Cloud CoC General Assembly represents a significant share of the European cloud industry market and, as of August 2021, its membership encompasses Alibaba Cloud,[31] [32] [33] Alight, Arcules,[34] [35] Cisco,[36] Dropbox,[37] Epignosis,[38] Fabasoft,[39] Google Cloud,[40] IBM,[41] [42] K&L Gates,[43] Microsoft,[44] [45] Okta, Oracle,[46] Qompium (Extra Horizon),[47] Salesforce,[48] SAP,[49] Schellman,[50] SecureAppbox,[51] Timelex, TrustArc[52] [53] and Workday.[54]

The third country transfer initiative

Following the CJEU’s Schrems II ruling,[55] the EU Cloud CoC General Assembly started to work on an effective and yet accessible safeguard for third country transfers in the format of an on-top module to the code.[56] [57]

The so-called Third Country Transfer Module shall cover the legal requirements for third country transfers as outlined in Chapter V GDPR and, as any on-top module is not a standalone initiative which implies that prior compliance with EU Cloud CoC is a pre-requisite.[58]

See also

Notes and References

  1. Web site: Art. 40 GDPR - Codes of conduct. 2021-08-20. EUR-Lex: EU law. en-US.
  2. Web site: Art. 28 GDPR - Processor. 2021-08-20. EUR-Lex: EU law. en-US.
  3. Web site: 2021-05-24. Belgian DPA Approves First EU Data Protection Code of Conduct for Cloud Service Providers. 2021-08-26. Privacy & Information Security Law Blog. en-US.
  4. Web site: 2021-05-24. Conduct most becoming - Europe's new Cloud Code of Conduct shines a light on trust and transparency between buyers and sellers. 2021-08-26. diginomica. en.
  5. Web site: About EU Cloud CoC: EU Cloud CoC. 2021-08-20. eucoc.cloud.
  6. Web site: Art. 41 GDPR - Monitoring of approved codes of conduct. 2021-08-20. GDPR.eu. en-US.
  7. https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0529:FIN:EN:PDF "COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS Unleashing the Potential of Cloud Computing in Europe"
  8. Web site: What's behind the EU's new Cloud Code of Conduct?. 2021-08-26.
  9. Web site: Cloud Select Industry Group Shaping Europe's digital future. 2021-08-25. digital-strategy.ec.europa.eu.
  10. Web site: Opinion of the Article 29 Data Protection Working Party on the Code of conduct on data protection for cloud service providers Shaping Europe's digital future. 2021-08-20. digital-strategy.ec.europa.eu.
  11. News: 2021-06-03. The Belgian DPA approved the EU Cloud Code of Conduct for cloud service providers acting as a processor. en. Lexology. 2021-08-26.
  12. Web site: Oversight body handed Code of Conduct for Cloud Service Providers. 2021-08-20.
  13. Web site: Belgian DPA approves first EU Data Protection Code of Conduct for Cloud Service Providers privacy-ticker.com. 2021-08-26. en-US.
  14. Web site: Press Release, December 12th, 2017. 2021-08-26. eucoc.cloud. en. 2021-08-26. https://web.archive.org/web/20210826155555/https://eucoc.cloud/en/detail/news/press-release-december-12th-2017.html. dead.
  15. Web site: History: EU Cloud CoC. 2021-08-25. eucoc.cloud. 2021-08-22. https://web.archive.org/web/20210822214154/https://eucoc.cloud/en/about/history.html. dead.
  16. Web site: Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 - version adopted after public consultation European Data Protection Board. 2021-08-25. edpb.europa.eu.
  17. "Subject: Approval decision of the “Eu Data Protection Code of Conduct for Cloud Service Providers” by the General Secretariat of the Belgian Data Protection Authority", Decision n° 05/2021 of 20 May 2021, General Secretariat - Belgian Data Protection Authority, 20-05-2021, Retrieved 26-08-2021.
  18. Web site: 2021-07-30. GDPR: What Cloud Service Providers Should Know - Blog GlobalSign. 2021-08-26. GlobalSign GMO Internet, Inc.. en.
  19. "Opinion 16/2021 on the draft decision of the Belgian Supervisory Authority regarding the “EU Data Protection Code of Conduct for Cloud Service Providers” submitted by Scope Europe", European Data Protection Board, 19-05-2021, Retrieved 19-05-2021.
  20. Web site: OneTrust. EU Cloud Code of Conduct Approved by DPA Blog. 2021-08-26. OneTrust. en-US.
  21. Web site: 2021-05-27. Privacy, il primo codice di condotta transnazionale è sul cloud: perché è importante. 2021-08-26. Agenda Digitale.
  22. Web site: Simmons & Simmons. 2021-08-26. www.simmons-simmons.com.
  23. Web site: Request the EU Cloud Code of Conduct: EU Cloud CoC. 2021-08-20. eucoc.cloud.
  24. https://eucoc.cloud/fileadmin/cloud-coc/files/former-versions/European_Cloud_Code_of_Conduct_2.10.pdf "EU Data Protection Code of Conduct for Cloud Service Providers - Version 10"
  25. Web site: Data watchdogs seek 'added value' in GDPR cloud codes. 2021-08-26. Pinsent Masons. en-GB.
  26. Web site: What you should know about the EU Cloud Code of Conduct. 2021-08-26. JD Supra. en.
  27. Web site: Art. 41 GDPR - Monitoring of approved codes of conduct. 2021-08-20. EUR-Lex: EU law. en-US.
  28. https://www.gegevensbeschermingsautoriteit.be/publications/decision-n-06-2021-of-20-may-2021.pdf "Subject: accreditation of the “Scope Europe” for the monitoring of the “Eu Cloud Code of Conduct” (DOS -2019-03289)", Decision n° 06/2021 of 20 May 2021
  29. Web site: Levels of Compliance: EU Cloud CoC. 2021-08-20. eucoc.cloud.
  30. Web site: Pricing: EU Cloud CoC. 2021-08-20. eucoc.cloud.
  31. Web site: 2021-06-22. Belgian DPA Approves Code of Conduct for the Cloud Industry. 2021-08-26. The WSGR Data Advisor. en-US.
  32. Web site: Alibaba Cloud adheres to the EU Cloud Code of Conduct. 2021-08-26. eucoc.cloud. en.
  33. Web site: Alibaba Cloud Joins the EU Code of Conduct for Cloud Service Providers Alibaba Cloud Press Room. 2021-08-26. www.alibabacloud.com.
  34. Web site: Arcules joins the EU Cloud Code of Conduct, committing to robust video data protection. 2021-08-26. eucoc.cloud. en. 2021-08-26. https://web.archive.org/web/20210826155550/https://eucoc.cloud/index.php?id=333&L=1&tx_news_pi1%5Bcontroller%5D=News&tx_news_pi1%5Baction%5D=detail&tx_news_pi1%5Bnews%5D=307&cHash=5e2524a37d8c8ce490916eef50c189bb. dead.
  35. Web site: Wolff. Kevin. 2018-04-24. Arcules Joins the European Union Cloud Code of Conduct, Committing to Robust Video Data Protection. 2021-08-26. Arcules. en-US.
  36. Web site: The EU Cloud Code of Conduct becomes first GDPR code of conduct to receive green light from data protection authorities. 2021-08-26. eucoc.cloud. en.
  37. Web site: PRESS RELEASE: Dropbox joins the EU Cloud Code of Conduct General Assembly. 2021-08-26. eucoc.cloud. en.
  38. Web site: 2018-03-01. Epignosis joins the EU Cloud Code of Conduct. 2021-08-26. Epignosis. en-US.
  39. Web site: PRESS RELEASE: Fabasoft is the first company to reach the highest compliance level available while declaring adherence to the EU Cloud Code of Conduct.. 2021-08-26. eucoc.cloud. en.
  40. Web site: Google Cloud Addresses the Approval of the EU Cloud Code of Conduct. 2021-08-26. eucoc.cloud. en.
  41. Web site: 2017-06-13. IBM Adds New Cloud Services to EU Data Protection Code of Conduct. 2021-08-26. THINKPolicy Blog. en-US.
  42. Web site: 2017-03-13. IBM Among 1st to Adopt EU's New Code of Conduct for Cloud Computing. 2021-08-26. THINKPolicy Blog. en-US.
  43. Web site: EU Cloud Code of Conduct welcomes K&L Gates as new Supporter. 2021-08-26. eucoc.cloud. en.
  44. Web site: 2021-05-20. Microsoft Azure adheres to the EU Cloud Code of Conduct. 2021-08-26. EU Policy Blog. en-US.
  45. Web site: GDPR-readiness of EU Cloud Code of Conduct wins backing of European data protection authorities. 2021-08-26. ComputerWeekly.com. en.
  46. Web site: Press Release, December 12th, 2017. 2021-08-26. eucoc.cloud. en. 2021-08-26. https://web.archive.org/web/20210826155555/https://eucoc.cloud/en/detail/news/press-release-december-12th-2017.html. dead.
  47. Web site: 2021-08-18. Extra Horizon has joined the EU Cloud Code of Conduct's General Assembly. 2021-08-26. www.extrahorizon.com. en.
  48. Web site: UpCRM. 2021-06-07. Salesforce Adopts European Union's New Cloud Code of Conduct UpCRM Salesforce Luxembourg. 2021-08-26. UpCRM Top partner Salesforce Luxembourg, CRM & Data Solutions. en-US.
  49. Web site: SAP Business Technology Platform EU Cloud CoC. 2021-08-26. SAP. English.
  50. Web site: PRESS RELEASE: Schellman becomes the newest supporting member of the EU Cloud Code of Conduct. 2021-08-26. eucoc.cloud. en.
  51. Web site: EU Cloud Code of Conduct General Assembly welcomes SecureAppbox as newest member. 2021-08-26. eucoc.cloud. en. 2021-08-26. https://web.archive.org/web/20210826155548/https://eucoc.cloud/en/detail/news/eu-cloud-code-of-conduct-general-assembly-welcomes-secureap-pbox-as-newest-member/. dead.
  52. Web site: EU Cloud Code of Conduct Resources. 2021-08-26. TrustArc The Leader in Privacy Management Software. en-CA.
  53. Web site: TrustArc. TrustArc Incorporates EU Cloud Code of Conduct Into PrivacyCentral Platform. 2021-08-26. Tank Town Media. en. 2021-08-26. https://web.archive.org/web/20210826155546/https://www.ttownmedia.com/news/state/trustarc-incorporates-eu-cloud-code-of-conduct-into-privacycentral-platform/article_501674af-37e9-529c-b33f-8d257b314ebf.html. dead.
  54. Web site: Workday Joins the General Assembly of the EU Cloud Code of Conduct. 2021-08-26. Workday Blog. en-US.
  55. Web site: EUR-Lex - CJEU C‑311/18. 2021-08-20. EUR-lex.
  56. Web site: 2020-09-17. EU Cloud Services Group Working on Post-Schrems II Data Transfer Solution. 2021-08-26. Privacy Compliance & Data Security. en-US.
  57. Web site: 2020-09-16. EU data protection code to replace US/EU data rules. 2021-08-26. ITEuropa. en.
  58. Web site: Third Country Transfer Initiative: EU Cloud CoC. 2021-08-20. eucoc.cloud.