Cloud development in Europe goes through GDPR compliance

The Codes of Conduct intend to ensure GDPR-compliance for the cloud industry in Europe. [Shutterstock]

The two recently approved Codes of Conduct for the cloud industry, which will be open to any provider willing to subscribe, could foster the uptake of a technology at the heart of the digital economy, following a green light from the European Data Protection Board (EDPB).

The EDPB approved the Codes of Conduct on cloud service providers and cloud infrastructure on Thursday (20 May).

The two Codes have been developed by industry leaders to provide a blueprint for compliance with the EU’s data protection regulation, the GDPR, in a cloud environment and are the first of their kind to be formally approved by the European data protection authorities.

“We welcome the efforts made by the code owners to elaborate codes of conduct, which are practical, transparent and potentially cost-effective tools to ensure greater consistency among a sector and foster data protection compliance,” said EDPB Chair Andrea Jelinek.

Industry uptake

Cloud computing allows data and software to be stored on a network of remote servers reached over the internet rather than on a local device, increasing flexibility in data storage and giving access to greater computing power.

It is also cost-effective and enables the use of other key technologies, including Artificial Intelligence, 5G and the Internet of Things, the common term for the billions of physical devices around the world that are now connected to the internet.

In its updated Industrial Strategy, the European Commission identified cloud computing as a key area of vulnerability for the EU.

Only 36% of EU companies use cloud computing, and usually only for very basic services such as email storage. Since uncertainty about the applicable law and about data protection are two of the major obstacles, providing clear guidance is expected to increase uptake across the industry.

The Codes are intended to increase transparency and trust in the European cloud computing market, boosting competition among providers based on fair principles.

Both Codes institute independent monitoring bodies that will verify that subscribers apply them in line with the GDPR. The monitoring bodies will provide external auditing and must themselves be accredited by the relevant data protection authority.

Business to customer

The EU Cloud Code of Conduct (CoC) is intended for Cloud Service Providers, to guide their data protection compliance and earn the trust of cloud customers. It therefore covers Software as a Service (SaaS) and counts among its subscribers Alibaba Cloud, Cisco, Dropbox, Google Cloud, Microsoft, and IBM.

These big players already account for a very large share of the European cloud market, and market adoption seems to be growing.

“We are getting hundreds and hundreds of downloads a day, amounting to many thousands,” Jonathan Sage, Government and Regulatory Affairs Executive at IBM Europe, told EURACTIV.

For Sage, the CoC provides “the utmost point of proving compliance”; he explained that this was the result of a long negotiation to find a balance between industry interests and data protection requirements.

He also pointed to the third-party documentation that subscribers to the Code will need to provide, which in his view shows that the Code has “teeth” to ensure compliance.

“The user chooses a cloud service which is under the Code, they can be sure all GDPR-related questions from a client perspective have already been covered: the right security controls behind it, the right data privacy management controls. Thus, the user doesn’t have to dig in,” he added.

Business to business

The Code developed by the Cloud Infrastructure Services Providers in Europe (CISPE) is intended for Infrastructure as a Service (IaaS) providers, and counts Amazon Web Services as its main subscriber.

CISPE is one of the founding members of GAIA-X, a Franco-German initiative on data governance and infrastructure that has been gathering support from EU institutions and European capitals.

Although the EDPB specifies that the codes “are not to be used in the context of international transfers of personal data”, CISPE chairman Alban Schmutz explained that thanks to the Code, “customers will be able to request the storage of their data in Europe.”

By keeping data in Europe, businesses would sidestep the uncertainty around transfers to the United States created by the Schrems II ruling, which invalidated the EU-US Privacy Shield. Storage location is only part of the picture, however: under the GDPR, remote access to data from outside the EU also counts as a transfer, which is why the EDPB keeps the Codes out of the transfer question.

For Schmutz, the CISPE code will allow EU citizens to stay in control of their personal data, as it imposes transparency about where data is stored and processed. In line with GDPR requirements, the code also prevents service providers from re-using customer data for their own purposes.

Schmutz also pointed to the relation between the cloud industry and the green transition, as “cloud technology reduces power consumption through economies of scale”. CISPE members have committed to reaching climate neutrality for their data centres by 2030.

[Edited by Zoran Radosavljevic]
