Will co-regulation finally work? The first EU level codes of conduct are approved under the GDPR in Belgium and France
One of the central innovations of the GDPR is its greater emphasis on accountability. Rather than regulating every possible detail, companies and industries have more freedom – and more responsibility – for conducting their own compliance assessments, and for proving that they satisfy the high European standards for data protection.
The accountability focus can also be seen in the GDPR’s support for codes of conduct. In a nutshell, the GDPR allows (and indeed encourages) associations and other bodies to draw up codes of conduct, which can be approved at the EU level. Companies that sign up to such approved codes must thereafter be supervised by independent monitoring bodies. The approach is co-regulatory, with the private sector drawing up the rules, and the public sector (via the data protection authorities) verifying and approving the work before they are given legal authority.
Codes of conduct were also supported by the 1995 Data Protection Directive, but it’s fair to say they’ve never taken hold. Only one code of conduct – the FEDMA direct marketing code of conduct – was approved over a period of more than 25 years. That is, until 19 May 2021, when the European Data Protection Board gave its blessing to two codes of conduct in a single session.
Perhaps surprisingly, both of them relate to cloud computing. One was assessed by the Belgian data protection authority: the EU CLOUD Code of conduct, which targets cloud service providers in general. The second was assessed by the CNIL in France: the CISPE Code of Conduct targets cloud infrastructure service providers (IaaS providers) in particular.
The codes share a common DNA, since both were initiated under the auspices of the European Commission, through the Cloud Select Industry Group (C-SIG). Their history also shows the importance of stamina: initial discussions on the codes were initiated in 2012, and a first code was submitted for approval in 2015. In the end, it took 9 years to conclude the work.
Of course, a major hurdle in the timeline was the adoption of the GDPR halfway through the development, and the clarification of expectations for codes of conduct and for monitoring bodies in Europe. Both codes therefore had to pioneer a road that had never been walked before. Moreover, by focusing on cloud computing, the codes arguably targeted one of the most politically sensitive topics, leading to careful scrutiny by the European data protection authorities.
None the less, it is hopeful to see that both codes were able to convince the European authorities that co-regulation could work. It is even more remarkable that cloud companies have already signed up to both of them. Clearly, the appetite for co-regulation is there.
In future years, we will be able to assess the effectiveness of codes in safeguarding data protection in Europe, and to see if other forms of co-regulation supported by the GDPR – such as certification and the use of codes as international transfer mechanisms – take hold. With some luck, the GDPR and European data protection professionals will be able to prove that the private sector and data protection authorities can be allies, rather than antagonists.
Note: the author of this post acted as the editor for the C-SIG Code of Conduct activities between 2013 and 2017.
Article provided by: Hans Graux (Time.lex, Belgium)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database