First GDPR code of conduct for a European sovereign cloud
Faced with heterogeneous environments and sometimes contradictory contractual policies, the parties often struggle to agree on a data processing agreement (DPA). The initiative of CISPE, the association of Cloud Infrastructure Services Providers in Europe, which led to the adoption of a code of conduct within the meaning of Article 40 of the GDPR, will help overcome these difficulties and simplify the localisation of personal data within the European Economic Area.
After a brief reminder of the concept of a code of conduct within the meaning of Article 40 of the GDPR, this article assesses the contents of the CISPE IaaS code before considering the next steps.
Code of conduct: definition and background
A code of conduct sets out the legal requirements — such as technical and organisational measures specific to an industry or category of processing — necessary to comply with the GDPR, both for the processor and the controller. Codes of conduct can be prepared by associations or other bodies representing categories of controllers or processors.
CISPE, an association of Cloud Infrastructure Services Providers in Europe created in 2016, was the first to prepare a code of conduct for its industry. Its draft code of conduct was first submitted to the French supervisory authority, the CNIL, which examined it in February 2021, and then to the European Data Protection Board (EDPB), which greenlighted it. It should be noted that the Belgian supervisory authority also obtained a favourable opinion from the EDPB on the same day on a similar initiative carried by another association, Scope Europe.
The monitoring of compliance with such a code is not the direct responsibility of the CNIL, but of the bodies that it has accredited for that purpose pursuant to Article 41 of the GDPR.
Note that these codes of conduct under the GDPR should not be confused with the codes of conduct that have existed for several years in application of Regulation 2018/1807 on a framework for the free flow of non-personal data in the European Union. Some CISPE members have also adhered to the code proposed by SWIPO (SWItching cloud and POrting data), an association facilitated by the European Commission to develop voluntary codes of conduct for the proper application of the said Regulation 2018/1807.
The content of the IaaS code of conduct
Codes of conduct generally specify how the GDPR applies to a given category of processing, in order to set the applicable security standards and to resolve sensitive issues such as:
- the pseudonymisation of personal data;
- the information provided to the public and to data subjects;
- the exercise of the rights of data subjects;
- the measures and procedures referred to in Articles 24 and 25 of the GDPR and the measures to ensure security of processing referred to in Article 32 of the GDPR;
- the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;
- since the invalidation of the EU-US Privacy Shield by the Schrems II judgment, the transfer of personal data to third countries or international organisations;
- out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79 of the GDPR.
In this case, the IaaS code of conduct goes even further insofar as, in light of the difficulties Microsoft once encountered, it prohibits any form of commercial exploitation of user data. The regionalization of data within the European Economic Area also makes it possible to move towards a sovereign cloud.
In concrete terms, this means that when concluding a SaaS contract, the parties only have to:
- refer to the code of conduct;
- make any necessary adaptations; and above all
- provide for the terms and conditions of cost control and allocation by the approved service provider.
Clauses and annexes that previously gave rise to endless negotiations will now be replaced by a single clear reference framework, with limited contractual adjustments.
Another advantage of adhering to the code of conduct lies in reduced exposure to financial penalties in the event of an infringement: since Article 83(2)(j) of the GDPR takes adherence to approved codes of conduct into account when deciding whether to impose an administrative fine and when setting its amount, adherence creates a presumption of good faith that will moderate the penalty applied.
Next steps and outlook
The IaaS code of conduct is not yet in force, but after the EDPB's greenlight the final validation by the CNIL should not take long. It is hoped that the European Commission will extend its effects.
The code of conduct on the management of personal data in SaaS had previously received a cold welcome from Cigref (a network of major French corporations and public administrations set up to develop its members' ability to acquire and master digital technology), which believed that it reinforced dependency on suppliers. By contrast, there is no doubt that these new guidelines for the management of personal data in IaaS, which do include terms for reversibility, should be well received.
Early commentators see the regionalization of data as a catalyst for the sovereign cloud, particularly within the Gaia-X initiative, in which CISPE members are involved.
In any case, all stakeholders should be pleased with this new step on the road to GDPR compliance.
Article provided by: Eric Le Quellenec (Lexing, France)
Dr. Tobias Höllwarth (Managing Director INPLP)