EU Cloud Code of Conduct

Last updated


The EU Cloud Code of Conduct (abbr. "EU Cloud CoC" also known by its extended title "EU Data Protection Code of Conduct for Cloud Service Providers") is a transnational Code of Conduct pursuant Article 40 of the European General Data Protection Regulation (GDPR). [1]

Contents

The code defines clear requirements for cloud service providers (CSPs) to implement Article 28 GDPR [2] and all its related articles, which covers the processing activities of every type of personal data. [3]

Encompassing all cloud service layers (IaaS, PaaS, and SaaS), [4] the code allows cloud service providers to demonstrate GDPR compliance in their role as processors, which is overseen by an accredited monitoring body, [5] as required by Article 41 GDPR. [6]

History

The work on the code started in 2012 when former vice president of the European Commission, Neelie Kroes, launched the European Cloud Strategy. [7] [8] In that context, a dedicated working group was created with the task to draft a cloud code of conduct under the Data Protection Directive.

One of the primary goals of drafting such code was to increase trust and amplify the adoption of cloud computing across the European Union. [9] The first draft produced by the working group was submitted to its first assessment in January 2015, which was then performed by the Article 29 Working Party. [10]

With the introduction of the GDPR, the code had to be adapted accordingly and by 2017, [11] the European Commission fully handed over the project to the industry. [12]

Still in 2017, six companies coming from that working group (Alibaba Cloud, Fabasoft, IBM, Oracle, Salesforce and SAP) founded the EU Cloud CoC General Assembly and assigned SCOPE Europe as its monitoring body and secretariat. [13] [14]

After several exchanges with supervisory authorities and related revisions, [15] the final version of the EU Cloud CoC was submitted to the Belgian Data Protection Authority for approval in 2019. [15] According to the timestamps of the code versions published on the initiative's website, [15] the code evolved further after submission and until its approval in May 2021. Such continued development of codes of conduct is expected, following the European Data Protection Board's Guidelines 1/2019 on codes of conduct and monitoring bodies under Regulation 2016/679. [16]

The code has been approved [17] by the Belgian Data Protection Authority as of May 20, 2021, [18] following a positive opinion issued by the European Data Protection Board. [19] [20]

Scope and structure of the code

The EU Cloud CoC allows CSPs to prove and demonstrate compliance within the scope of Article 28 GDPR and all its related Articles. Therefore, the EU Cloud CoC comprehends CSPs data protection obligations when processing any kind of personal data and its requirements are applicable to all cloud offerings (IaaS, PaaS, SaaS). [21] [22]

There are five sections that together compose the core structure of the code, namely, Scope, Data Protection, Security Requirements, Monitoring and Compliance and Internal Governance. [23] [24]

Besides the main text, the code is accompanied by a controls catalogue, which was designed to map the code’s requirements to auditable elements, the “Controls”, and to all corresponding GDPR provisions. Additionally, the controls catalogue also provides a mapping to relevant international standards (such as ISO 27001, ISO 27017, SOC 2 and BSI C5). [25]

Organizational structure

The organizational structure of the EU Cloud CoC is covered under its Internal Governance Section, which describes the rules and procedures applied for the code’s management. The referred Section lays out the organizational framework of the code itself, as well as of its bodies, namely, the General Assembly, [26] the Steering Board, and the Secretariat. [23] [24]

Dedicated monitoring body

The GDPR requires an independent monitoring body [27] to guarantee the appropriate implementation of its provisions.

In May 2021, SCOPE Europe has been officially accredited by the Belgian Data Protection Authority as the dedicated monitoring body of the EU Cloud CoC. [28]

According to GDPR, the monitoring body shall be responsible for performing an ongoing due diligence. Under the EU Cloud CoC, besides being subjected to an initial assessment to become adherent to the code, CSPs are reevaluated on an annual basis.

Additional assessments can also be triggered by justified complaints, media reports, new legislations, publications and Guidelines from Data Protection Authorities and any other relevant development that can potentially affect adherence to the code.

A CSP can opt for three Levels of Compliance [29] once declaring adherence to the EU Cloud CoC. Those levels relate solely to the type of evidence that is subjected to the review of the monitoring body. Nevertheless, each of those levels demands compliance to all the code’s requirements.

Membership and supporters

Membership to the code is open to any CSP as long as they agree with the approach and principles established in the code. In that regard, the EU Cloud CoC offers two main membership options, the first being dedicated to CSPs and the second covering any entity that is not a CSP and wishes to join the initiative as supporter.

Within the CSP membership umbrella, a tailored pricing scheme [30] is in place, which takes into consideration the needs of different company sizes allowing for accessibility for Small and Medium Enterprises (SMEs).

Today, the EU Cloud CoC General Assembly represents a significant share of the European cloud industry market and, as of August 2021, its membership encompasses Alibaba Cloud, [31] [32] [33] Alight, Arcules, [34] [35] Cisco, [36] Dropbox, [37] Epignosis, [38] Fabasoft, [39] Google Cloud, [40] IBM, [41] [42] K&L Gates, [43] Microsoft, [44] [45] Okta, Oracle, [46] Qompium (Extra Horizon), [47] Salesforce, [48] SAP, [49] Schellman, [50] SecureAppbox, [51] Timelex, TrustArc [52] [53] and Workday. [54]

The third country transfer initiative

Following the CJEU’s Schrems II ruling, [55] the EU Cloud CoC General Assembly started to work on an effective and yet accessible safeguard for third country transfers in the format of an on-top module to the code. [56] [57]

The so-called Third Country Transfer Module shall cover the legal requirements for third country transfers as outlined in Chapter V GDPR and, as any on-top module is not a standalone initiative which implies that prior compliance with EU Cloud CoC is a pre-requisite. [58]

See also

Related Research Articles

DPA may refer to:

The Office of the Data Protection Commissioner (DPC), also known as Data Protection Commission, is the independent national authority responsible for upholding the EU fundamental right of individuals to data privacy through the enforcement and monitoring of compliance with data protection legislation in Ireland. It was established in 1989.

<span class="mw-page-title-main">Data Protection Act 1998</span> United Kingdom legislation

The Data Protection Act 1998 (DPA) was an Act of Parliament of the United Kingdom designed to protect personal data stored on computers or in an organised paper filing system. It enacted provisions from the European Union (EU) Data Protection Directive 1995 on the protection, processing, and movement of data.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.

Privacy law is a set of regulations that govern the collection, storage, and utilization of personal information from healthcare, governments, companies, public or private entities, or individuals.

Pseudonymization is a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. A single pseudonym for each replaced field or collection of replaced fields makes the data record less identifiable while remaining suitable for data analysis and data processing.

<span class="mw-page-title-main">European Data Protection Supervisor</span> Independent supervisory authority

The European Data Protection Supervisor (EDPS) is an independent supervisory authority whose primary objective is to monitor and ensure that European institutions and bodies respect the right to privacy and data protection when they process personal data and develop new policies.

ePrivacy Directive

Privacy and Electronic Communications Directive2002/58/EC on Privacy and Electronic Communications, otherwise known as ePrivacy Directive (ePD), is an EU directive on data protection and privacy in the digital age. It presents a continuation of earlier efforts, most directly the Data Protection Directive. It deals with the regulation of a number of important issues such as confidentiality of information, treatment of traffic data, spam and cookies. This Directive has been amended by Directive 2009/136, which introduces several changes, especially in what concerns cookies, that are now subject to prior consent.

Cloud computing security or, more simply, cloud security, refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

Fabasoft AG is a software manufacturer headquartered in Linz, Upper Austria. The company was established in 1988 by Helmut Fallmann and Leopold Bauernfeind.

Real-time bidding (RTB) is a means by which advertising inventory is bought and sold on a per-impression basis, via instantaneous programmatic auction, similar to financial markets. With real-time bidding, advertising buyers bid on an impression and, if the bid is won, the buyer's ad is instantly displayed on the publisher's site. Real-time bidding lets advertisers manage and optimize ads from multiple ad-networks, allowing them to create and launch advertising campaigns, prioritize networks, and allocate percentages of unsold inventory, known as backfill.

<span class="mw-page-title-main">General Data Protection Regulation</span> EU regulation on the processing of personal data

The General Data Protection Regulation is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

Cloud computing is used by most people every day but there are issues that limit its widespread adoption. It is one of the fast developing area that can instantly supply extensible services by using internet with the help of hardware and software virtualization. Cloud computing biggest advantage is flexible lease and release of resources as per the requirement of the user. Its other advantages include efficiency, compensating the costs in operations and management. It curtails down the high prices of hardware and software

Alibaba Cloud, also known as Aliyun, is a cloud computing company, a subsidiary of Alibaba Group. Alibaba Cloud provides cloud computing services to online businesses and Alibaba's own e-commerce ecosystem. Its international operations are registered and headquartered in Singapore.

CISPE is a non-profit trade association for infrastructure as a service (IaaS) cloud providers in Europe. It was started to aid IaaS providers in explaining their business model to policymakers.

<span class="mw-page-title-main">NOYB</span> European data protection advocacy group

NOYB – European Center for Digital Rights is a non-profit organization based in Vienna, Austria established in 2017 with a pan-European focus. Co-founded by Austrian lawyer and privacy activist Max Schrems, NOYB aims to launch strategic court cases and media initiatives in support of the General Data Protection Regulation (GDPR), the proposed ePrivacy Regulation, and information privacy in general. The organisation was established after a funding period during which it has raised annual donations of €250,000 by supporting members. Currently, NOYB is financed by more than 4,400 supporting members.

<span class="mw-page-title-main">Data Protection Act 2018</span> United Kingdom legislation

The Data Protection Act 2018 is a United Kingdom Act of Parliament which updates data protection laws in the UK. It is a national law which complements the European Union's General Data Protection Regulation (GDPR) and replaces the Data Protection Act 1998.

The General Data Protection Regulation (GDPR) is a European Union regulation that specifies standards for data protection and electronic privacy in the European Economic Area, and the rights of European citizens to control the processing and distribution of personally-identifiable information.

<span class="mw-page-title-main">Cybersecurity Law of the People's Republic of China</span> Law of China

The Cybersecurity Law of the People's Republic of China, commonly referred to as the Chinese Cybersecurity Law, was enacted by the National People’s Congress with the aim of increasing data protection, data localization, and cybersecurity ostensibly in the interest of national security. The law is part of a wider series of laws passed by the Chinese government in an effort to strengthen national security legislation. Examples of which since 2014 have included a Law on National Intelligence, the National Security of the People’s Republic of China and laws on counter-terrorism and foreign NGO management, all passed within successive short timeframes of each other.

The Age appropriate design code, also known as the Children's Code, is a British internet safety and privacy code of practice created by the Information Commissioner's Office (ICO). The draft Code was published in April 2019, as instructed by the Data Protection Act 2018 (DPA). The final regulations were published on 27 January 2020 and took effect 2 September 2020, with a one-year grace period before the beginning of enforcement. The Children's Code is written to be consistent with GDPR and the DPA, meaning that compliance with the Code is enforceable under the latter.

References

  1. "Art. 40 GDPR - Codes of conduct". EUR-Lex: EU law. Retrieved 2021-08-20.
  2. "Art. 28 GDPR - Processor". EUR-Lex: EU law. Retrieved 2021-08-20.
  3. "Belgian DPA Approves First EU Data Protection Code of Conduct for Cloud Service Providers". Privacy & Information Security Law Blog. 2021-05-24. Retrieved 2021-08-26.
  4. "Conduct most becoming - Europe's new Cloud Code of Conduct shines a light on trust and transparency between buyers and sellers". diginomica. 2021-05-24. Retrieved 2021-08-26.
  5. "About EU Cloud CoC: EU Cloud CoC". eucoc.cloud. Retrieved 2021-08-20.
  6. "Art. 41 GDPR - Monitoring of approved codes of conduct". GDPR.eu. Retrieved 2021-08-20.
  7. "COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS Unleashing the Potential of Cloud Computing in Europe", European Commission, 27-09-2021, Retrieved 20-08-2021
  8. "What's behind the EU's new Cloud Code of Conduct?" . Retrieved 2021-08-26.
  9. "Cloud Select Industry Group | Shaping Europe's digital future". digital-strategy.ec.europa.eu. Retrieved 2021-08-25.
  10. "Opinion of the Article 29 Data Protection Working Party on the Code of conduct on data protection for cloud service providers | Shaping Europe's digital future". digital-strategy.ec.europa.eu. Retrieved 2021-08-20.
  11. "The Belgian DPA approved the EU Cloud Code of Conduct for cloud service providers acting as a processor". Lexology. 2021-06-03. Retrieved 2021-08-26.
  12. "Oversight body handed Code of Conduct for Cloud Service Providers" . Retrieved 2021-08-20.
  13. "Belgian DPA approves first EU Data Protection Code of Conduct for Cloud Service Providers | privacy-ticker.com" . Retrieved 2021-08-26.
  14. "Press Release, December 12th, 2017". eucoc.cloud. Archived from the original on 2021-08-26. Retrieved 2021-08-26.
  15. 1 2 3 "History: EU Cloud CoC". eucoc.cloud. Archived from the original on 2021-08-22. Retrieved 2021-08-25.
  16. "Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 - version adopted after public consultation | European Data Protection Board". edpb.europa.eu. Retrieved 2021-08-25.
  17. "Subject: Approval decision of the “Eu Data Protection Code of Conduct for Cloud Service Providers” by the General Secretariat of the Belgian Data Protection Authority", Decision n° 05/2021 of 20 May 2021, General Secretariat - Belgian Data Protection Authority, 20-05-2021, Retrieved 26-08-2021.
  18. "GDPR: What Cloud Service Providers Should Know - Blog | GlobalSign". GlobalSign GMO Internet, Inc. 2021-07-30. Retrieved 2021-08-26.
  19. "Opinion 16/2021 on the draft decision of the Belgian Supervisory Authority regarding the “EU Data Protection Code of Conduct for Cloud Service Providers” submitted by Scope Europe", European Data Protection Board, 19-05-2021, Retrieved 19-05-2021.
  20. OneTrust. "EU Cloud Code of Conduct Approved by DPA | Blog". OneTrust. Retrieved 2021-08-26.
  21. "Privacy, il primo codice di condotta transnazionale è sul cloud: perché è importante". Agenda Digitale. 2021-05-27. Retrieved 2021-08-26.
  22. "Simmons & Simmons". www.simmons-simmons.com. Retrieved 2021-08-26.
  23. 1 2 "Request the EU Cloud Code of Conduct: EU Cloud CoC". eucoc.cloud. Retrieved 2021-08-20.
  24. 1 2 "EU Data Protection Code of Conduct for Cloud Service Providers - Version 10", EU Cloud Code of Conduct, October 2020, Retrieved 20-08-2021.
  25. "Data watchdogs seek 'added value' in GDPR cloud codes". Pinsent Masons. Retrieved 2021-08-26.
  26. "What you should know about the EU Cloud Code of Conduct". JD Supra. Retrieved 2021-08-26.
  27. "Art. 41 GDPR - Monitoring of approved codes of conduct". EUR-Lex: EU law. Retrieved 2021-08-20.
  28. "Subject: accreditation of the “Scope Europe” for the monitoring of the “Eu Cloud Code of Conduct” (DOS -2019-03289)", Decision n° 06/2021 of 20 May 2021, Belgian Data Protection Authority, 20-05-2021, Retrieved 20-08-2021.
  29. "Levels of Compliance: EU Cloud CoC". eucoc.cloud. Retrieved 2021-08-20.
  30. "Pricing: EU Cloud CoC". eucoc.cloud. Retrieved 2021-08-20.
  31. "Belgian DPA Approves Code of Conduct for the Cloud Industry". The WSGR Data Advisor. 2021-06-22. Retrieved 2021-08-26.
  32. "Alibaba Cloud adheres to the EU Cloud Code of Conduct". eucoc.cloud. Retrieved 2021-08-26.
  33. "Alibaba Cloud Joins the EU Code of Conduct for Cloud Service Providers | Alibaba Cloud Press Room". www.alibabacloud.com. Retrieved 2021-08-26.
  34. "Arcules joins the EU Cloud Code of Conduct, committing to robust video data protection". eucoc.cloud. Archived from the original on 2021-08-26. Retrieved 2021-08-26.
  35. Wolff, Kevin (2018-04-24). "Arcules Joins the European Union Cloud Code of Conduct, Committing to Robust Video Data Protection". Arcules. Retrieved 2021-08-26.
  36. "The EU Cloud Code of Conduct becomes first GDPR code of conduct to receive green light from data protection authorities". eucoc.cloud. Retrieved 2021-08-26.
  37. "PRESS RELEASE: Dropbox joins the EU Cloud Code of Conduct General Assembly". eucoc.cloud. Retrieved 2021-08-26.
  38. "Epignosis joins the EU Cloud Code of Conduct". Epignosis. 2018-03-01. Retrieved 2021-08-26.
  39. "PRESS RELEASE: Fabasoft is the first company to reach the highest compliance level available while declaring adherence to the EU Cloud Code of Conduct". eucoc.cloud. Retrieved 2021-08-26.
  40. "Google Cloud Addresses the Approval of the EU Cloud Code of Conduct". eucoc.cloud. Retrieved 2021-08-26.
  41. "IBM Adds New Cloud Services to EU Data Protection Code of Conduct". THINKPolicy Blog. 2017-06-13. Retrieved 2021-08-26.
  42. "IBM Among 1st to Adopt EU's New Code of Conduct for Cloud Computing". THINKPolicy Blog. 2017-03-13. Retrieved 2021-08-26.
  43. "EU Cloud Code of Conduct welcomes K&L Gates as new Supporter". eucoc.cloud. Retrieved 2021-08-26.
  44. "Microsoft Azure adheres to the EU Cloud Code of Conduct". EU Policy Blog. 2021-05-20. Retrieved 2021-08-26.
  45. "GDPR-readiness of EU Cloud Code of Conduct wins backing of European data protection authorities". ComputerWeekly.com. Retrieved 2021-08-26.
  46. "Press Release, December 12th, 2017". eucoc.cloud. Archived from the original on 2021-08-26. Retrieved 2021-08-26.
  47. "Extra Horizon has joined the EU Cloud Code of Conduct's General Assembly". www.extrahorizon.com. 2021-08-18. Retrieved 2021-08-26.
  48. UpCRM (2021-06-07). "Salesforce Adopts European Union's New Cloud Code of Conduct | UpCRM Salesforce Luxembourg". UpCRM | Top partner Salesforce Luxembourg, CRM & Data Solutions. Retrieved 2021-08-26.
  49. "SAP Business Technology Platform EU Cloud CoC". SAP. Retrieved 2021-08-26.
  50. "PRESS RELEASE: Schellman becomes the newest supporting member of the EU Cloud Code of Conduct". eucoc.cloud. Retrieved 2021-08-26.
  51. "EU Cloud Code of Conduct General Assembly welcomes SecureAppbox as newest member". eucoc.cloud. Archived from the original on 2021-08-26. Retrieved 2021-08-26.
  52. "EU Cloud Code of Conduct Resources". TrustArc The Leader in Privacy Management Software. Retrieved 2021-08-26.
  53. TrustArc. "TrustArc Incorporates EU Cloud Code of Conduct Into PrivacyCentral Platform". Tank Town Media. Archived from the original on 2021-08-26. Retrieved 2021-08-26.
  54. "Workday Joins the General Assembly of the EU Cloud Code of Conduct". Workday Blog. Retrieved 2021-08-26.
  55. "EUR-Lex - CJEU C‑311/18". EUR-lex. Retrieved 2021-08-20.
  56. "EU Cloud Services Group Working on Post-Schrems II Data Transfer Solution". Privacy Compliance & Data Security. 2020-09-17. Retrieved 2021-08-26.
  57. "EU data protection code to replace US/EU data rules". ITEuropa. 2020-09-16. Retrieved 2021-08-26.
  58. "Third Country Transfer Initiative: EU Cloud CoC". eucoc.cloud. Retrieved 2021-08-20.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.