The European Court of Justice’s pivotal "Schrems II" ruling, invalidated the transfer mechanism between the US and the EU (Privacy Shield) and imposed stringent obligations on companies that transfer personal data to non-EU countries. In this context, the General Assembly of the EU Cloud CoC is working on a safeguard for third country transfers (pursuant to Chapter V GDPR) in the form of an on-top module to the existing Code.
The initial draft version of the Third Country Transfers Module is now available for public consultation on the EU Cloud CoC website. The EU Cloud CoC General Assembly invites all interested parties to review and share their comments on this preliminary draft. Their insights will meaningfully contribute to shaping an effective solution for all cloud environments.
By incorporating the requirements derived from the EDPB Guidelines and the Schrems II ruling, the Third Country Transfers Module fosters harmonization and coherence within the cloud market. The Module will benefit all stakeholders alike: data processors, controllers, and importantly, data subjects. The intent is to safeguard personal data transferred to third countries in accordance with GDPR principles by establishing adequate standards for transparency and accountability of Cloud Service Providers (CSPs). Furthermore, the module facilitates compliance assessments of services provided by adherent CSPs.
The Third Country Transfers Module emerges as a versatile Chapter V solution that presents the advantages of covering data transfers to multiple jurisdictions, while providing tailored compliance guidance for cloud services. Once approved, this instrument will create the necessary legal certainty and safeguards for compliant international data transfers, equipping organizations with an optimal tool to operate globally.
After months of close collaboration between the EU Cloud Code of Conduct members and SCOPE Europe, we are excited to share the draft of the Third Country Transfers Module for public consultation. This represents a significant step in our journey to establish an efficient and robust safeguard for protecting personal data in the context of international data transfers. The module aims to provide standardized mechanisms that Cloud Service Providers can use to effectively support Cloud customers and controllers while upholding fundamental rights and freedoms of individuals. Leading with transparency, the module aims to increase trust in adherent cloud services and accelerate the pace of digital transformation in a multi-cloud world."
Jelena Kljujic, EMEA Privacy Officer, Cisco, Chairperson of the Third Country Transfers Initiative
have a look at our video where Jelena Kljujic presents the initiative: https://youtu.be/UkHzQsAZSPk
Codes of conduct — such as the Third Country Transfers Module — offer the potential to streamline procedures, documentation obligations, and enhance transparency for a certain sector. These requirements gain heightened legal certainty as they have to be endorsed by the EDPB, get the approval from the lead data protection authority, and validation by the European Commission. This is particularly vital for all data exporting and importing entities involved in transfers to third countries, especially in the post-Schrems II era.”
Dr. Thomas Nietsch, Partner, K&L Gates, Chairperson of the Third Country Transfers Initiative
The successful experience of the EU Cloud CoC attests to the effectiveness, reliability, and accessibility that GDPR codes of conduct can offer. In this context, we are convinced that this tool can also largely support the safeguarding of international data transfers by incorporating a robust independent monitoring scheme.”
Gabriela Mercuri, Managing Director, SCOPE Europe