The EU Data Protection Code of Conduct for Cloud Service Providers (“EU Cloud Code of Conduct”) defines clear requirements for Cloud Service Providers acting as “processors” under the General Data Protection Regulation (GDPR) and is adopted broadly by the cloud market. While the official approval of the current Code by the European Data Protection Board (EDPB), comprised of national Data Protection Authorities (DPAs), is pending, the EU Cloud Code of Conduct General Assembly today announced in a virtual press conference the creation of a new module to the Code for transferring personal data outside of the EU.
The announcement comes only weeks after the recent European Court of Justice’s so-called "Schrems II" ruling which invalidated the data exchange mechanism between the US and the EU (Privacy Shield). The ruling also imposed strict obligations on companies that rely on transfers of personal data to non-EU countries by Standard Contractual Clauses.
The EU Cloud Code of Conduct General Assembly invites interested Cloud Service Providers (CSPs) and cloud-users to join the initiative and to contribute to the development of the module, thereby shaping the future legal basis to transfer EU citizen’s personal data to third countries around the world.
We are working closely together with the members of the EU Cloud CoC and SCOPE Europe on this project, as we believe that a robust code of conduct for cloud providers will contribute greatly to the online protection of European citizens. We are impressed by the efforts and resources dedicated by this industry-group to implement best practices for the cloud industry that are both hands-on and respectful of the data subjects.
David Stevens, Chairman Belgian Data Protection Authority
The EU Cloud Code of Conduct has been developed and refined over several years with guidance from the industry, subject matter experts, and the EU authorities. It is an ideal mechanism to provide additional safeguards for third country transfers pursuant to Art 46 of the GDPR.
Eva Salzmann, Senior Counsel, Global Privacy Legal & Data Protection Officer Europe, IBM
To ensure an even better protection of individual privacy rights on a global level, we need future-proof and innovations-friendly solutions for European and Non-European businesses alike. We believe that the EU Cloud Code of Conduct is the best tool to reach that goal, as it combines state-of-the-art business practices with robust data protection requirements negotiated directly with the authorities.
Mathias Cellarius, Head of Data Protection & Privacy, SAP
To apply the technical and organizational requirements of the outstanding EU Cloud Code of Conduct for the processing, storage and transmission of sensitive customer data is the strongest possible self-commitment of European Cloud Service Providers, to be fully in line with the provisions of the General Data Protection Regulation. Therefore, all European-minded CSPs should exercise these relevant safeguards for data protection and best privacy efforts based on European Cloud sovereignty.
Helmut Fallmann, Member of the Managing Board, Fabasoft
Developing a global tool for the transfer of personal data outside of the European Union requires smart and effective safeguards to protect data subject rights. A major challenge is translating them into implementable and enforceable controls addressing very different and diverse legislative environments. We are delighted to work together with this unique group of experts to take this challenge.
Hilary Wandall, SVP Privacy Intelligence and General Counsel, TrustArc
In the aftermath of Schrems II, we need a suitable mechanism that will survive the test of time. We believe that a Code of Conduct built jointly by the cloud industry and the supervisory authorities is an indication of strong reliability for protecting personal data in accordance with EU principles wherever they flow across the world.
Lorena Marciano, Director, EMEAR Privacy Officer, Cisco
A key advantage of utilising Codes of Conduct such as the EU Cloud CoC as a third country transfer mechanism is the mandatory monitoring of compliance by an independent accredited body such as SCOPE Europe to ensure binding and enforceable commitments are implemented. We are convinced that the independent monitoring provides possibilities to overcome challenges following the Schrems II ruling that are not provided by any other tool.
Jörn Wittmann, Managing Director, SCOPE Europe
Background
The EU Cloud Code of Conduct is the only Code covering the full spectrum of cloud services (SaaS, PaaS, IaaS) currently discussed at the European Data Protection Board (EDPB), made up of national Data Protection Authorities (DPAs). The EU Cloud Code of Conduct General Assembly consists of world leading (CSPs) as well as small and medium-sized companies.
SCOPE Europe acts as the independent Monitoring Body of the Code and has already prepared its procedures to effectively monitor adherent Cloud services, applying the same principles and procedures now under the current version of the Code, pending the endorsement of the Code and its official approval by supervisory authorities.
