EU Cloud Code of Conduct

From HandWiki


The EU Cloud Code of Conduct (abbr. "EU Cloud CoC" also known by its extended title "EU Data Protection Code of Conduct for Cloud Service Providers") is a transnational Code of Conduct pursuant Article 40 of the European General Data Protection Regulation (GDPR).[1]

The code defines clear requirements for cloud service providers (CSPs) to implement Article 28 GDPR[2] and all its related articles, which covers the processing activities of every type of personal data.[3]

Encompassing all cloud service layers (IaaS, PaaS, and SaaS),[4] the code allows cloud service providers to demonstrate GDPR compliance in their role as processors, which is overseen by an accredited monitoring body,[5] as required by Article 41 GDPR.[6]

History

The work on the code started in 2012 when former vice president of the European Commission, Neelie Kroes, launched the European Cloud Strategy.[7][8] In that context, a dedicated working group was created with the task to draft a cloud code of conduct under the Data Protection Directive.

One of the primary goals of drafting such code was to increase trust and amplify the adoption of cloud computing across the European Union.[9] The first draft produced by the working group was submitted to its first assessment in January 2015, which was then performed by the Article 29 Working Party.[10]

With the introduction of the GDPR, the code had to be adapted accordingly and by 2017,[11] the European Commission fully handed over the project to the industry.[12]

Still in 2017, six companies coming from that working group (Alibaba Cloud, Fabasoft, IBM, Oracle, Salesforce and SAP) founded the EU Cloud CoC General Assembly and assigned SCOPE Europe as its monitoring body and secretariat.[13][14]

After several exchanges with supervisory authorities and related revisions,[15] the final version of the EU Cloud CoC was submitted to the Belgian Data Protection Authority for approval in 2019.[15] According to the timestamps of the code versions published on the initiative's website,[15] the code evolved further after submission and until its approval in May 2021. Such continued development of codes of conduct is expected, following the European Data Protection Board's Guidelines 1/2019 on codes of conduct and monitoring bodies under Regulation 2016/679.[16]

The code has been approved[17] by the Belgian Data Protection Authority as of May 20, 2021,[18] following a positive opinion issued by the European Data Protection Board.[19][20]

Scope and structure of the code

The EU Cloud CoC allows CSPs to prove and demonstrate compliance within the scope of Article 28 GDPR and all its related Articles. Therefore, the EU Cloud CoC comprehends CSPs data protection obligations when processing any kind of personal data and its requirements are applicable to all cloud offerings (IaaS, PaaS, SaaS).[21][22]

There are five sections that together compose the core structure of the code, namely, Scope, Data Protection, Security Requirements, Monitoring and Compliance and Internal Governance.[23][24]

Besides the main text, the code is accompanied by a controls catalogue, which was designed to map the code’s requirements to auditable elements, the “Controls”, and to all corresponding GDPR provisions. Additionally, the controls catalogue also provides a mapping to relevant international standards (such as ISO 27001, ISO 27017, SOC 2 and BSI C5).[25]

Organizational structure

The organizational structure of the EU Cloud CoC is covered under its Internal Governance Section, which describes the rules and procedures applied for the code’s management. The referred Section lays out the organizational framework of the code itself, as well as of its bodies, namely, the General Assembly,[26] the Steering Board, and the Secretariat.[23][24]

Dedicated monitoring body

The GDPR requires an independent monitoring body[27] to guarantee the appropriate implementation of its provisions.

In May 2021, SCOPE Europe has been officially accredited by the Belgian Data Protection Authority as the dedicated monitoring body of the EU Cloud CoC.[28]

According to GDPR, the monitoring body shall be responsible for performing an ongoing due diligence. Under the EU Cloud CoC, besides being subjected to an initial assessment to become adherent to the code, CSPs are reevaluated on an annual basis.

Additional assessments can also be triggered by justified complaints, media reports, new legislations, publications and Guidelines from Data Protection Authorities and any other relevant development that can potentially affect adherence to the code.  

A CSP can opt for three Levels of Compliance[29] once declaring adherence to the EU Cloud CoC. Those levels relate solely to the type of evidence that is subjected to the review of the monitoring body. Nevertheless, each of those levels demands compliance to all the code’s requirements.

Membership and supporters

Membership to the code is open to any CSP as long as they agree with the approach and principles established in the code. In that regard, the EU Cloud CoC offers two main membership options, the first being dedicated to CSPs and the second covering any entity that is not a CSP and wishes to join the initiative as supporter.

Within the CSP membership umbrella, a tailored pricing scheme[30] is in place, which takes into consideration the needs of different company sizes allowing for accessibility for Small and Medium Enterprises (SMEs).

Today, the EU Cloud CoC General Assembly represents a significant share of the European cloud industry market and, as of August 2021, its membership encompasses Alibaba Cloud,[31][32][33] Alight, Arcules,[34][35] Cisco,[36] Dropbox,[37] Epignosis,[38] Fabasoft,[39] Google Cloud,[40] IBM,[41][42] K&L Gates,[43] Microsoft,[44][45] Okta, Oracle,[46] Qompium (Extra Horizon),[47] Salesforce,[48] SAP,[49] Schellman,[50] SecureAppbox,[51] Timelex, TrustArc[52][53] and Workday.[54]

The third country transfer initiative

Following the CJEU’s Schrems II ruling,[55] the EU Cloud CoC General Assembly started to work on an effective and yet accessible safeguard for third country transfers in the format of an on-top module to the code.[56][57]

The so-called Third Country Transfer Module shall cover the legal requirements for third country transfers as outlined in Chapter V GDPR and, as any on-top module is not a standalone initiative which implies that prior compliance with EU Cloud CoC is a pre-requisite.[58]

See also

References

  1. "Art. 40 GDPR - Codes of conduct" (in en-US). https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN#d1e3885-1-1. 
  2. "Art. 28 GDPR - Processor" (in en-US). https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN#d1e3150-1-1. 
  3. "Belgian DPA Approves First EU Data Protection Code of Conduct for Cloud Service Providers" (in en-US). 2021-05-24. https://www.huntonprivacyblog.com/2021/05/24/belgian-dpa-approves-first-eu-data-protection-code-of-conduct-for-cloud-service-providers/. 
  4. "Conduct most becoming - Europe's new Cloud Code of Conduct shines a light on trust and transparency between buyers and sellers" (in en). 2021-05-24. https://diginomica.com/conduct-most-becoming-europes-new-cloud-code-conduct-shines-light-trust-and-transparency-between. 
  5. "About EU Cloud CoC: EU Cloud CoC". https://eucoc.cloud/en/about/about-eu-cloud-coc/. 
  6. "Art. 41 GDPR - Monitoring of approved codes of conduct" (in en-US). https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN#d1e4014-1-1. 
  7. "COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS Unleashing the Potential of Cloud Computing in Europe", European Commission, 27-09-2021, Retrieved 20-08-2021
  8. "What's behind the EU's new Cloud Code of Conduct?". https://iapp.org/news/a/whats-behind-the-eus-new-cloud-code-of-conduct/. 
  9. "Cloud Select Industry Group | Shaping Europe's digital future". https://digital-strategy.ec.europa.eu/en/news/cloud-select-industry-group. 
  10. "Opinion of the Article 29 Data Protection Working Party on the Code of conduct on data protection for cloud service providers | Shaping Europe's digital future". https://digital-strategy.ec.europa.eu/en/library/opinion-article-29-data-protection-working-party-code-conduct-data-protection-cloud-service. 
  11. "The Belgian DPA approved the EU Cloud Code of Conduct for cloud service providers acting as a processor" (in en). Lexology. 2021-06-03. https://www.lexology.com/library/detail.aspx?g=fd8359d4-931e-453f-a5be-902c2bedfce3. 
  12. "Oversight body handed Code of Conduct for Cloud Service Providers". https://iapp.org/news/a/oversight-body-handed-code-of-conduct-for-cloud-service-providers/. 
  13. "Belgian DPA approves first EU Data Protection Code of Conduct for Cloud Service Providers | privacy-ticker.com" (in en-US). https://www.privacy-ticker.com/belgian-dpa-approves-first-eu-data-protection-code-of-conduct-for-cloud-service-providers/. 
  14. "Press Release, December 12th, 2017" (in en). https://eucoc.cloud/en/detail/news/press-release-december-12th-2017.html. 
  15. 15.0 15.1 15.2 "History: EU Cloud CoC". https://eucoc.cloud/en/about/history.html. 
  16. "Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 - version adopted after public consultation | European Data Protection Board". https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-12019-codes-conduct-and-monitoring-bodies-0_en. 
  17. "Subject: Approval decision of the “Eu Data Protection Code of Conduct for Cloud Service Providers” by the General Secretariat of the Belgian Data Protection Authority", Decision n° 05/2021 of 20 May 2021, General Secretariat - Belgian Data Protection Authority, 20-05-2021, Retrieved 26-08-2021.
  18. "GDPR: What Cloud Service Providers Should Know - Blog | GlobalSign" (in en). 2021-07-30. https://www.globalsign.com/en/blog/gdpr-what-cloud-service-providers-should-know. 
  19. "Opinion 16/2021 on the draft decision of the Belgian Supervisory Authority regarding the “EU Data Protection Code of Conduct for Cloud Service Providers” submitted by Scope Europe", European Data Protection Board, 19-05-2021, Retrieved 19-05-2021.
  20. OneTrust. "EU Cloud Code of Conduct Approved by DPA | Blog" (in en-US). https://www.onetrust.com/blog/the-eu-cloud-code-of-conduct-approved-by-belgian-dpa/. 
  21. "Privacy, il primo codice di condotta transnazionale è sul cloud: perché è importante". 2021-05-27. https://www.agendadigitale.eu/sicurezza/privacy/privacy-il-primo-codice-di-condotta-transnazionale-e-sul-cloud-perche-e-importante/. 
  22. "Simmons & Simmons". https://www.simmons-simmons.com/en/publications/ck0a7v7ddcs6l0b59ozyzqgh0/22012019-gdpr-and-codes-of-conduct-in-saas. 
  23. 23.0 23.1 "Request the EU Cloud Code of Conduct: EU Cloud CoC". https://eucoc.cloud/en/contact/request-the-eu-cloud-code-of-conduct.html. 
  24. 24.0 24.1 "EU Data Protection Code of Conduct for Cloud Service Providers - Version 10", EU Cloud Code of Conduct, October 2020, Retrieved 20-08-2021.
  25. "Data watchdogs seek 'added value' in GDPR cloud codes" (in en-GB). https://www.pinsentmasons.com/out-law/analysis/watchdogs-added-value-gdpr-cloud-codes. 
  26. "What you should know about the EU Cloud Code of Conduct" (in en). https://www.jdsupra.com/legalnews/what-you-should-know-about-the-eu-cloud-3980848/. 
  27. "Art. 41 GDPR - Monitoring of approved codes of conduct" (in en-US). https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN#d1e4014-1-1. 
  28. "Subject: accreditation of the “Scope Europe” for the monitoring of the “Eu Cloud Code of Conduct” (DOS -2019-03289)", Decision n° 06/2021 of 20 May 2021, Belgian Data Protection Authority, 20-05-2021, Retrieved 20-08-2021.
  29. "Levels of Compliance: EU Cloud CoC". https://eucoc.cloud/en/public-register/levels-of-compliance/. 
  30. "Pricing: EU Cloud CoC". https://eucoc.cloud/en/participate/pricing/. 
  31. "Belgian DPA Approves Code of Conduct for the Cloud Industry" (in en-US). 2021-06-22. https://www.wsgrdataadvisor.com/2021/06/belgian-dpa-approves-code-of-conduct-for-the-cloud-industry/. 
  32. "Alibaba Cloud adheres to the EU Cloud Code of Conduct" (in en). https://eucoc.cloud/en/detail/news/alibaba-cloud-adheres-to-the-eu-cloud-code-of-conduct/. 
  33. "Alibaba Cloud Joins the EU Code of Conduct for Cloud Service Providers | Alibaba Cloud Press Room". https://www.alibabacloud.com/de/press-room/alibaba-cloud-joins-the-eu-code-of-conduct-for-cloud. 
  34. "Arcules joins the EU Cloud Code of Conduct, committing to robust video data protection" (in en). https://eucoc.cloud/index.php?id=333&L=1&tx_news_pi1%5Bcontroller%5D=News&tx_news_pi1%5Baction%5D=detail&tx_news_pi1%5Bnews%5D=307&cHash=5e2524a37d8c8ce490916eef50c189bb. 
  35. Wolff, Kevin (2018-04-24). "Arcules Joins the European Union Cloud Code of Conduct, Committing to Robust Video Data Protection" (in en-US). https://arcules.com/blog/arcules-joins-the-european-union-cloud-code-of-conduct-committing-to-robust-video-data-protection/. 
  36. "The EU Cloud Code of Conduct becomes first GDPR code of conduct to receive green light from data protection authorities" (in en). https://eucoc.cloud/index.php?L=1&id=333&tx_news_pi1%5Bnews%5D=647. 
  37. "PRESS RELEASE: Dropbox joins the EU Cloud Code of Conduct General Assembly" (in en). https://eucoc.cloud/en/detail/news/press-release-dropbox-joins-the-eu-cloud-code-of-conduct-general-assembly/. 
  38. "Epignosis joins the EU Cloud Code of Conduct" (in en-US). 2018-03-01. https://www.epignosishq.com/epignosis-joins-cloud-of-conduct/. 
  39. "PRESS RELEASE: Fabasoft is the first company to reach the highest compliance level available while declaring adherence to the EU Cloud Code of Conduct." (in en). https://eucoc.cloud/en/detail/news/press-release-fabasoft-is-the-first-company-to-reach-the-highest-compliance-level-available-while-d/. 
  40. "Google Cloud Addresses the Approval of the EU Cloud Code of Conduct" (in en). https://eucoc.cloud/en/detail/news/google-cloud-adresses-the-approval-of-the-eu-cloud-code-of-conduct/. 
  41. "IBM Adds New Cloud Services to EU Data Protection Code of Conduct" (in en-US). 2017-06-13. https://www.ibm.com/blogs/policy/eu-cloud-code-additions/. 
  42. "IBM Among 1st to Adopt EU's New Code of Conduct for Cloud Computing" (in en-US). 2017-03-13. https://www.ibm.com/blogs/policy/eu-cloud-code-of-conduct/. 
  43. "EU Cloud Code of Conduct welcomes K&L Gates as new Supporter" (in en). https://eucoc.cloud/en/detail/news/eu-cloud-code-of-conduct-welcomes-kl-gates-as-new-supporter/. 
  44. "Microsoft Azure adheres to the EU Cloud Code of Conduct" (in en-US). 2021-05-20. https://blogs.microsoft.com/eupolicy/2021/05/20/microsoft-azure-adheres-to-the-eu-cloud-code-of-conduct/. 
  45. "GDPR-readiness of EU Cloud Code of Conduct wins backing of European data protection authorities" (in en). https://www.computerweekly.com/news/252501133/GDPR-readiness-of-EU-Cloud-Code-of-Conduct-wins-backing-of-European-data-protection-authorities. 
  46. "Press Release, December 12th, 2017" (in en). https://eucoc.cloud/en/detail/news/press-release-december-12th-2017.html. 
  47. "Extra Horizon has joined the EU Cloud Code of Conduct's General Assembly" (in en). 2021-08-18. http://www.extrahorizon.com/extra-horizon-has-joined-the-eu-cloud-code-of-conduct-s-general-assembly. 
  48. UpCRM (2021-06-07). "Salesforce Adopts European Union's New Cloud Code of Conduct | UpCRM Salesforce Luxembourg" (in en-US). https://www.up-crm.com/salesforce-adopts-european-union-new-cloud-code-of-conduct. 
  49. "SAP Business Technology Platform EU Cloud CoC" (in English). https://www.sap.com/documents/2021/07/fe904d0b-ea7d-0010-bca6-c68f7e60039b.html. 
  50. "PRESS RELEASE: Schellman becomes the newest supporting member of the EU Cloud Code of Conduct" (in en). https://eucoc.cloud/en/detail/news/press-release-schellman-becomes-the-newest-supporting-member-of-the-eu-cloud-code-of-conduct/. 
  51. "EU Cloud Code of Conduct General Assembly welcomes SecureAppbox as newest member" (in en). https://eucoc.cloud/en/detail/news/eu-cloud-code-of-conduct-general-assembly-welcomes-secureap-pbox-as-newest-member/. 
  52. "EU Cloud Code of Conduct Resources" (in en-CA). https://trustarc.com/eu-cloud-code-of-conduct-resources/. 
  53. TrustArc. "TrustArc Incorporates EU Cloud Code of Conduct Into PrivacyCentral Platform" (in en). https://www.ttownmedia.com/news/state/trustarc-incorporates-eu-cloud-code-of-conduct-into-privacycentral-platform/article_501674af-37e9-529c-b33f-8d257b314ebf.html. 
  54. "Workday Joins the General Assembly of the EU Cloud Code of Conduct" (in en-US). https://blog.workday.com/en-us/2018/workday-joins-the-general-assembly-of-the-eu-cloud-code-of-conduct.html. 
  55. "EUR-Lex - CJEU C‑311/18". https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62018CJ0311. 
  56. "EU Cloud Services Group Working on Post-Schrems II Data Transfer Solution" (in en-US). 2020-09-17. https://dataprivacy.foxrothschild.com/2020/09/articles/european-union/gdpr/eu-cloud-services-group-working-on-post-schrems-ii-data-transfer-solution/. 
  57. "EU data protection code to replace US/EU data rules" (in en). 2020-09-16. https://www.iteuropa.com/news/eu-data-protection-code-replace-useu-data-rules. 
  58. "Third Country Transfer Initiative: EU Cloud CoC". https://eucoc.cloud/en/about/third-country-transfer-initiative/.