Brussels, 06. October 2020 – Pending the approval of its Code of Conduct under Europe’s General Data Protection Regulation (GDPR), the EU Cloud Code of Conduct (EU Cloud CoC) initiated the development of an on-top module to tackle the recent decision from the Court of Justice of the European Union (CJEU) “Schrems II”. Post-Schrems II, such an additional module is considered extremely helpful by the industry. GDPR explicitly refers to codes of conduct as an appropriate safeguard in its Article 46.2.(e). Provided that approved codes of conduct require independent oversight by an accredited monitoring body, codes of conduct may be the missing link how to create “supplementary measures” as called-for by the CJEU.
“Addressing Schrems II surely will be demanding. Therefore, the General Assembly highly welcomes the addition of this well-known international law firm. This adds to our large pool of subject matter experts and experience that will be necessary in developing an additional module for third party data transfers.”, said Jonathan Sage, Government and Regulatory Affairs Executive at IBM and Chairman of the EU Cloud CoC General Assembly.
The EU Cloud CoC, in its core version, addresses requirements pursuant to Article 28 GDPR for processors. Consequently, the Code focuses on establishing best practices to address relevant legal requirements. Drafting a third country transfer mechanism will require close negotiations with different stakeholders, as such a mechanism easily corelates with non-GDPR related aspects, such as political and societal.
“Our clients are in dire need of stable, yet flexible solutions. The Schrems II ruling created massive turbulence not just for service providers but also, and especially, for customers, who are lacking any foreseeability on the compliance of internationally provided services. We are willing to contribute to this upcoming future standard with our distinct expertise in finding practical solutions for all of our clients, and thus inherently balancing interests of providers and customers alike, through such self-regulation mechanism for the whole ecosystem. Our involvement in the EU Cloud CoC will be led by Dr. Thomas Nietsch from our Berlin Office.” said Claude-Etienne Armingaud, CIPP/E and Practice Group Coordinator for Data Protection, Privacy, and Security at K&L Gates LLP.
Considering the press conference announcing this development, one may note that European Supervisory Authorities and also the European Commission are welcoming initiatives like the one as of the EU Cloud CoC. The EU Cloud CoC General Assembly is looking forward to a cooperative dialogue with relevant stakeholders, inviting interested parties to join, to make sure that the upcoming module is meeting legal requirements, but also data subjects and industry needs, as this will be key for broad market adoption and effectiveness.
Background
The EU Cloud Code of Conduct is a sector-specific Code pursuant to GDPR Article 40, currently pending the endorsement and official approval by supervisory authorities. Among the key benefits of the Code is its applicability to the full spectrum of cloud services, as all services types (SaaS, PaaS, IaaS) can be declared adherent against the Code.
The Code’s General Assembly members are eligible to declare their services adherent and make them subject to the robust monitoring and assessment of the Code’s Monitoring Body, thereby underpinning GDPR compliance. The General Assembly has recently announced the next evolution of its Code by drafting a dedicated module for third country transfers. Find out more about the Code , the Third Country Transfer Initiative and learn how easy it is to join the General Assembly of the EU Cloud Code of Conduct.