EU Cloud Code of Conduct


The EU Cloud Code of Conduct (abbr. "EU Cloud CoC" also known by its extended title "EU Data Protection Code of Conduct for Cloud Service Providers") is a transnational Code of Conduct pursuant Article 40 of the European General Data Protection Regulation (GDPR).[1]

The code defines clear requirements for cloud service providers (CSPs) to implement Article 28 GDPR[2] and all its related articles, which covers the processing activities of every type of personal data.[3]

Encompassing all cloud service layers (including but not limited to IaaS, PaaS, and SaaS),[4] the code allows cloud service providers to demonstrate GDPR compliance in their role as processors, which is overseen by an accredited monitoring body,[5] as required by Article 41 GDPR.[6]

History

The work on the code started in 2012 when former vice president of the European Commission, Neelie Kroes, launched the European Cloud Strategy.[7][8] In that context, a dedicated working group was created with the task to draft a cloud code of conduct under the Data Protection Directive.

One of the primary goals of drafting such code was to increase trust and amplify the adoption of cloud computing across the European Union.[9] The first draft produced by the working group was submitted to its first assessment in January 2015, which was then performed by the Article 29 Working Party.[10]

With the introduction of the GDPR, the code had to be adapted accordingly and by 2017,[11] the European Commission fully handed over the project to the industry.[12]

Still in 2017, six companies coming from that working group (Alibaba Cloud, Fabasoft, IBM, Oracle, Salesforce and SAP) founded the EU Cloud CoC General Assembly and assigned SCOPE Europe as its monitoring body and secretariat.[13][14]

After several exchanges with supervisory authorities and related revisions,[15] the final version of the EU Cloud CoC was submitted to the Belgian Data Protection Authority for approval in 2019.[15] According to the timestamps of the code versions published on the initiative's website,[15] the code evolved further after submission and until its approval in May 2021. Such continued development of codes of conduct is expected, following the European Data Protection Board's Guidelines 1/2019 on codes of conduct and monitoring bodies under Regulation 2016/679.[16]

The code has been approved[17] by the Belgian Data Protection Authority as of May 20, 2021,[18] following a positive opinion issued by the European Data Protection Board.[19][20]

Scope and structure of the code

The EU Cloud CoC allows CSPs to prove and demonstrate compliance within the scope of Article 28 GDPR and all its related Articles. Therefore, the EU Cloud CoC comprehends CSPs data protection obligations when processing any kind of personal data and its requirements are applicable to all cloud offerings (including but not limited to IaaS, PaaS, SaaS).[21][22]

There are five sections that together compose the core structure of the code, namely, Scope, Data Protection, Security Requirements, Monitoring and Compliance and Internal Governance.[23][24]

Besides the main text, the code is accompanied by a controls catalogue, which was designed to map the code’s requirements to auditable elements, the “Controls”, and to all corresponding GDPR provisions. Additionally, the controls catalogue also provides a mapping to relevant international standards (such as ISO 27001, ISO 27017, SOC 2 and BSI C5).[25]

Organizational structure

The organizational structure of the EU Cloud CoC is covered under its Internal Governance Section, which describes the rules and procedures applied for the code’s management. The referred Section lays out the organizational framework of the code itself, as well as of its bodies, namely, the General Assembly,[26] the Steering Board, and the Secretariat.[23][24]

Dedicated monitoring body

The GDPR requires an independent monitoring body[27] to guarantee the appropriate implementation of its provisions.

In May 2021, SCOPE Europe has been officially accredited by the Belgian Data Protection Authority as the dedicated monitoring body of the EU Cloud CoC.[28]

According to GDPR, the monitoring body shall be responsible for performing an ongoing due diligence. Under the EU Cloud CoC, besides being subjected to an initial assessment to become adherent to the code, CSPs are reevaluated on an annual basis.

Additional assessments can also be triggered by justified complaints, media reports, new legislations, publications and Guidelines from Data Protection Authorities and any other relevant development that can potentially affect adherence to the code.

A CSP can opt for three Levels of Compliance[29] once declaring adherence to the EU Cloud CoC. Those levels relate solely to the type of evidence that is subjected to the review of the monitoring body. Nevertheless, each of those levels demands compliance to all the code’s requirements.

Membership and supporters

Membership to the code is open to any CSP as long as they agree with the approach and principles established in the code. In that regard, the EU Cloud CoC offers two main membership options, the first being dedicated to CSPs and the second covering any entity that is not a CSP and wishes to join the initiative as supporter.

Within the CSP membership umbrella, a tailored pricing scheme[30] is in place, which takes into consideration the needs of different company sizes allowing for accessibility for Small and Medium Enterprises (SMEs).

Today, the EU Cloud CoC General Assembly represents a significant share of the European cloud industry market and, as of August 2021, its membership encompasses Alibaba Cloud,[31][32][33] Alight, Arcules,[34][35] Cisco,[36] Dropbox,[37] Epignosis,[38] Fabasoft,[39] Google Cloud,[40] IBM,[41][42] K&L Gates,[43] Microsoft,[44][45] Okta, Oracle,[46] Qompium (Extra Horizon),[47] Salesforce,[48] SAP,[49] Schellman,[50] SecureAppbox,[51] Timelex, TrustArc[52][53] and Workday.[54]

The third country transfer initiative

Following the CJEU’s Schrems II ruling,[55] the EU Cloud CoC General Assembly started to work on an effective and yet accessible safeguard for third country transfers in the format of an on-top module to the code.[56][57]

The so-called Third Country Transfer Module shall cover the legal requirements for third country transfers as outlined in Chapter V GDPR and, as any on-top module is not a standalone initiative which implies that prior compliance with EU Cloud CoC is a pre-requisite.[58]

See also

References

  1. ^ "Art. 40 GDPR - Codes of conduct". EUR-Lex: EU law. Retrieved 2021-08-20.
  2. ^ "Art. 28 GDPR - Processor". EUR-Lex: EU law. Retrieved 2021-08-20.
  3. ^ "Belgian DPA Approves First EU Data Protection Code of Conduct for Cloud Service Providers". Privacy & Information Security Law Blog. 2021-05-24. Retrieved 2021-08-26.
  4. ^ "Conduct most becoming - Europe's new Cloud Code of Conduct shines a light on trust and transparency between buyers and sellers". diginomica. 2021-05-24. Retrieved 2021-08-26.
  5. ^ "About EU Cloud CoC: EU Cloud CoC". eucoc.cloud. Retrieved 2021-08-20.
  6. ^ "Art. 41 GDPR - Monitoring of approved codes of conduct". GDPR.eu. Retrieved 2021-08-20.
  7. ^ "COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS Unleashing the Potential of Cloud Computing in Europe", European Commission, 27-09-2021, Retrieved 20-08-2021
  8. ^ "What's behind the EU's new Cloud Code of Conduct?". Retrieved 2021-08-26.
  9. ^ "Cloud Select Industry Group | Shaping Europe's digital future". digital-strategy.ec.europa.eu. Retrieved 2021-08-25.
  10. ^ "Opinion of the Article 29 Data Protection Working Party on the Code of conduct on data protection for cloud service providers | Shaping Europe's digital future". digital-strategy.ec.europa.eu. Retrieved 2021-08-20.
  11. ^ "The Belgian DPA approved the EU Cloud Code of Conduct for cloud service providers acting as a processor". Lexology. 2021-06-03. Retrieved 2021-08-26.
  12. ^ "Oversight body handed Code of Conduct for Cloud Service Providers". Retrieved 2021-08-20.
  13. ^ "Belgian DPA approves first EU Data Protection Code of Conduct for Cloud Service Providers | privacy-ticker.com". Retrieved 2021-08-26.
  14. ^ "Press Release, December 12th, 2017". eucoc.cloud. Archived from the original on 2021-08-26. Retrieved 2021-08-26.
  15. ^ a b c "History: EU Cloud CoC". eucoc.cloud. Archived from the original on 2021-08-22. Retrieved 2021-08-25.
  16. ^ "Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 - version adopted after public consultation | European Data Protection Board". edpb.europa.eu. Retrieved 2021-08-25.
  17. ^ "Subject: Approval decision of the “Eu Data Protection Code of Conduct for Cloud Service Providers” by the General Secretariat of the Belgian Data Protection Authority", Decision n° 05/2021 of 20 May 2021, General Secretariat - Belgian Data Protection Authority, 20-05-2021, Retrieved 26-08-2021.
  18. ^ "GDPR: What Cloud Service Providers Should Know - Blog | GlobalSign". GlobalSign GMO Internet, Inc. 2021-07-30. Retrieved 2021-08-26.
  19. ^ "Opinion 16/2021 on the draft decision of the Belgian Supervisory Authority regarding the “EU Data Protection Code of Conduct for Cloud Service Providers” submitted by Scope Europe", European Data Protection Board, 19-05-2021, Retrieved 19-05-2021.
  20. ^ OneTrust. "EU Cloud Code of Conduct Approved by DPA | Blog". OneTrust. Retrieved 2021-08-26.
  21. ^ "Privacy, il primo codice di condotta transnazionale è sul cloud: perché è importante". Agenda Digitale. 2021-05-27. Retrieved 2021-08-26.
  22. ^ "Simmons & Simmons". www.simmons-simmons.com. Retrieved 2021-08-26.
  23. ^ a b "Request the EU Cloud Code of Conduct: EU Cloud CoC". eucoc.cloud. Retrieved 2021-08-20.
  24. ^ a b "EU Data Protection Code of Conduct for Cloud Service Providers - Version 10", EU Cloud Code of Conduct, October 2020, Retrieved 20-08-2021.
  25. ^ "Data watchdogs seek 'added value' in GDPR cloud codes". Pinsent Masons. Retrieved 2021-08-26.
  26. ^ "What you should know about the EU Cloud Code of Conduct". JD Supra. Retrieved 2021-08-26.
  27. ^ "Art. 41 GDPR - Monitoring of approved codes of conduct". EUR-Lex: EU law. Retrieved 2021-08-20.
  28. ^ "Subject: accreditation of the “Scope Europe” for the monitoring of the “Eu Cloud Code of Conduct” (DOS -2019-03289)", Decision n° 06/2021 of 20 May 2021, Belgian Data Protection Authority, 20-05-2021, Retrieved 20-08-2021.
  29. ^ "Levels of Compliance: EU Cloud CoC". eucoc.cloud. Retrieved 2021-08-20.
  30. ^ "Pricing: EU Cloud CoC". eucoc.cloud. Retrieved 2021-08-20.
  31. ^ "Belgian DPA Approves Code of Conduct for the Cloud Industry". The WSGR Data Advisor. 2021-06-22. Retrieved 2021-08-26.
  32. ^ "Alibaba Cloud adheres to the EU Cloud Code of Conduct". eucoc.cloud. Retrieved 2021-08-26.
  33. ^ "Alibaba Cloud Joins the EU Code of Conduct for Cloud Service Providers | Alibaba Cloud Press Room". www.alibabacloud.com. Retrieved 2021-08-26.
  34. ^ "Arcules joins the EU Cloud Code of Conduct, committing to robust video data protection". eucoc.cloud. Archived from the original on 2021-08-26. Retrieved 2021-08-26.
  35. ^ Wolff, Kevin (2018-04-24). "Arcules Joins the European Union Cloud Code of Conduct, Committing to Robust Video Data Protection". Arcules. Retrieved 2021-08-26.
  36. ^ "The EU Cloud Code of Conduct becomes first GDPR code of conduct to receive green light from data protection authorities". eucoc.cloud. Retrieved 2021-08-26.
  37. ^ "PRESS RELEASE: Dropbox joins the EU Cloud Code of Conduct General Assembly". eucoc.cloud. Retrieved 2021-08-26.
  38. ^ "Epignosis joins the EU Cloud Code of Conduct". Epignosis. 2018-03-01. Retrieved 2021-08-26.
  39. ^ "PRESS RELEASE: Fabasoft is the first company to reach the highest compliance level available while declaring adherence to the EU Cloud Code of Conduct". eucoc.cloud. Retrieved 2021-08-26.
  40. ^ "Google Cloud Addresses the Approval of the EU Cloud Code of Conduct". eucoc.cloud. Retrieved 2021-08-26.
  41. ^ "IBM Adds New Cloud Services to EU Data Protection Code of Conduct". THINKPolicy Blog. 2017-06-13. Retrieved 2021-08-26.
  42. ^ "IBM Among 1st to Adopt EU's New Code of Conduct for Cloud Computing". THINKPolicy Blog. 2017-03-13. Retrieved 2021-08-26.
  43. ^ "EU Cloud Code of Conduct welcomes K&L Gates as new Supporter". eucoc.cloud. Retrieved 2021-08-26.
  44. ^ "Microsoft Azure adheres to the EU Cloud Code of Conduct". EU Policy Blog. 2021-05-20. Retrieved 2021-08-26.
  45. ^ "GDPR-readiness of EU Cloud Code of Conduct wins backing of European data protection authorities". ComputerWeekly.com. Retrieved 2021-08-26.
  46. ^ "Press Release, December 12th, 2017". eucoc.cloud. Archived from the original on 2021-08-26. Retrieved 2021-08-26.
  47. ^ "Extra Horizon has joined the EU Cloud Code of Conduct's General Assembly". www.extrahorizon.com. 2021-08-18. Retrieved 2021-08-26.
  48. ^ UpCRM (2021-06-07). "Salesforce Adopts European Union's New Cloud Code of Conduct | UpCRM Salesforce Luxembourg". UpCRM | Top partner Salesforce Luxembourg, CRM & Data Solutions. Retrieved 2021-08-26.
  49. ^ "SAP Business Technology Platform EU Cloud CoC". SAP. Retrieved 2021-08-26.
  50. ^ "PRESS RELEASE: Schellman becomes the newest supporting member of the EU Cloud Code of Conduct". eucoc.cloud. Retrieved 2021-08-26.
  51. ^ "EU Cloud Code of Conduct General Assembly welcomes SecureAppbox as newest member". eucoc.cloud. Archived from the original on 2021-08-26. Retrieved 2021-08-26.
  52. ^ "EU Cloud Code of Conduct Resources". TrustArc The Leader in Privacy Management Software. Retrieved 2021-08-26.
  53. ^ TrustArc. "TrustArc Incorporates EU Cloud Code of Conduct Into PrivacyCentral Platform". Tank Town Media. Archived from the original on 2021-08-26. Retrieved 2021-08-26.
  54. ^ "Workday Joins the General Assembly of the EU Cloud Code of Conduct". Workday Blog. Retrieved 2021-08-26.
  55. ^ "EUR-Lex - CJEU C‑311/18". EUR-lex. Retrieved 2021-08-20.
  56. ^ "EU Cloud Services Group Working on Post-Schrems II Data Transfer Solution". Privacy Compliance & Data Security. 2020-09-17. Retrieved 2021-08-26.
  57. ^ "EU data protection code to replace US/EU data rules". ITEuropa. 2020-09-16. Retrieved 2021-08-26.
  58. ^ "Third Country Transfer Initiative: EU Cloud CoC". eucoc.cloud. Retrieved 2021-08-20.