There have been discussions for some time now about how standards and codes of conduct can help regulate the (broadly divergent) cloud sector. Yesterday’s discussion at the Privacy Law & Business’s (PL&B) annual conference was interesting in pointing out the benefits of the EU’s recent cloud codes of conduct and in considering how codes may be relevant to those in the UK.
New cloud codes of conduct
There have been a number of recent cloud developments at EU level, including:
- the EU’s Cloud Code of Conduct: the Belgian data protection authority announced this May that it had adopted the first transnational code of conduct in the EU since the GDPR came into force. The EU Cloud CoC covers all segments of the cloud market (IaaS, PaaS and SaaS). It aims to establish good practices for cloud service providers (for example, it sets out security and audit provisions) and defines a set of requirements against which cloud service providers can demonstrate their ability to comply with the GDPR. In parallel, the Belgian DPA accredited SCOPE Europe as the monitoring body for the EU Cloud CoC; its role will include ensuring that code members comply with the code. This code was the focus of yesterday’s conference session.
- the EU’s code of conduct for cloud infrastructure service providers: the following month (11 June 2021), the French data protection authority CNIL announced that it had approved the first EU code of conduct for cloud infrastructure service providers. The code was submitted by Cloud Infrastructure Service Providers Europe (CISPE) and, like the EU Cloud CoC, its aim is to help the relevant cloud providers demonstrate GDPR compliance. It includes several annexes which, among other things, list technical and organisational good practices for security, recommend how the listed compliance criteria should be documented, and provide a model for data breach notification.
It is hoped the codes will build trust in the sector, help regulators better understand the particular issues faced by those operating in it, and help controllers who are appointing processors as part of their due diligence. For example, the CNIL described the CISPE code of conduct as a ‘vector of legal certainty’ and suggested it could enable members of the code ‘to demonstrate the existence of appropriate technical and organisational measures and facilitate compliance with Article 28 of the General Data Protection Regulation… which requires controllers to use only contractors who provide guarantees regarding the implementation of such measures.’
While the speakers at the PL&B session (which included representatives from the Belgian DPA, the EDPB and SCOPE Europe) were not aware of any specific discussions around the UK adopting the EU Cloud CoC, they did confirm that the ICO had been involved in the process until recently and so was familiar with the code. This led to discussion at the conference around whether the ICO might adopt a simplified approval methodology allowing it to approve codes of conduct that have already been approved in the EU (similar to its approach to recognising EU-approved binding corporate rules). While we are not aware of any plans for the ICO to do this, it has said it is committed to encouraging the development of codes of conduct, and it published specific guidance on UK codes of conduct earlier this year.