On May 20, 2021, the Belgian Supervisory Authority (Belgian SA) approved the EU Cloud Code of Conduct (EU Cloud CoC).[1] This is the first time that a Supervisory Authority has approved a transnational, industry-wide code of conduct under the General Data Protection Regulation (GDPR).[2] Cloud service providers (CSPs) will be able to rely on their adherence to the code to demonstrate compliance with the GDPR as a data processor. Although the EU Cloud CoC does not yet qualify as an appropriate safeguard for international data transfers, a separate module is currently under discussion and should, when adopted, accommodate such transfers.
Background
Codes of conduct can be adopted by business associations to allow for a sectoral implementation of the GDPR.[3] These codes can specify the requirements of the GDPR in a more detailed and operational way for specific industries.
The EU Cloud CoC is the result of a decade-long discussion between the private and public sectors with the aim of tailoring the application of the GDPR to the cloud computing sector. It is intended for all CSPs which handle personal data as a data processor.[4] The Belgian SA has accredited Scope Europe, a Belgian not-for-profit organization, as the enforcement body under the EU Cloud CoC to ensure its members’ compliance.[5] Google Cloud, Microsoft, Cisco, and Alibaba Cloud are member organizations which have already declared adherence to the EU Cloud CoC and are also part of the Cloud CoC General Assembly.
The EU Cloud CoC is a transnational code (i.e., it concerns processing activities in several Member States) and therefore requires the prior review of the European Data Protection Board (EDPB).[6] The Belgian SA’s decision was thus preceded by an EDPB opinion which declared the draft compliant with the GDPR.[7]
Structure of EU Cloud CoC and Enrollment Process
The EU Cloud CoC consists of requirements imposed on CSPs regarding i) data protection (substantive rights and obligations), ii) information security (baseline of appropriate technical and organizational security measures), iii) monitoring and compliance mechanisms, and iv) internal governance (management, application, and revision rules).
The EU Cloud CoC is suitable for all types of cloud services: software (SaaS), infrastructure (IaaS), and platform (PaaS). CSPs are free to sign up for all of their cloud services or only for specific service offerings. To be able to declare adherence to the EU Cloud CoC, CSPs must become a member of the EU Cloud CoC’s General Assembly, complete an online declaration of adherence,[8] and successfully go through a compliance assessment conducted by the monitoring body. The EU Cloud CoC provides three different levels of compliance, depending on the level of evidence submitted to the monitoring body. Each level of compliance is associated with a compliance mark, which indicates the level of compliance achieved by the cloud provider.[9]
Benefits and Risks
The EU Cloud CoC should help CSPs achieve and demonstrate compliance with the GDPR and secure the trust of their customers. In particular, companies can rely on their adherence to the EU Cloud CoC to demonstrate that they offer sufficient guarantees as required in Article 28(1)-(4) GDPR.
In addition, an organization’s adherence to a code of conduct, such as the EU Cloud CoC, is a factor that Supervisory Authorities must take into consideration when determining administrative fines.[10] Specifically, effective monitoring and enforcement by Scope Europe may in certain cases lead Supervisory Authorities to conclude that no additional enforcement measures, such as administrative fines, are required in a given scenario. Therefore, a CSP’s adherence to the EU Cloud CoC may result in lower fines. Furthermore, a CSP’s adherence to the EU Cloud CoC may signal that a vendor has reached a good level of privacy maturity and help bolster the argument that risks have been adequately mitigated in the context of a Data Privacy Impact Assessment.
However, since the GDPR prevails over a code of conduct, mere adherence to the EU Cloud CoC will not exempt adhering CSPs from potential enforcement actions by the competent Supervisory Authorities. Also, the EU Cloud CoC cannot yet be used as an appropriate safeguard for third country data transfers under Article 46 GDPR. A separate module, which will accommodate such data transfers, is currently under discussion with different stakeholders, including the European Commission and the Supervisory Authorities. Finally, adherence to the EU Cloud CoC is subject to fees and annual review. CSPs will be charged upon joining and annually thereafter, depending on their size and on whether they have full or non-voting membership.[11]
Conclusion
The EU Cloud CoC is likely the first of a number of transnational sectoral codes of conduct under the GDPR and may become a useful compliance tool for both CSPs and their customers. The planned module accommodating third country data transfers to CSPs that subscribe to the EU Cloud CoC will likely catalyze its use.
Our EU privacy and cybersecurity team is closely monitoring this topic and will keep you up to date on future developments.
Wilson Sonsini Goodrich & Rosati routinely advises clients on GDPR compliance issues, and helps clients manage risks related to the enforcement of global and European data protection laws. For more information, please contact Cédric Burton, Jan Dhont, Lydia Parnes, Christopher Olsen, or another member of the firm’s privacy and cybersecurity practice.
[1] Decision 5/2021 of May 25, 2021 (Belgian SA Decision).
[2] Pursuant to Article 40 GDPR, “where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation […]”.
[3] EDPB Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, dated June 4, 2019.
[4] The EU Cloud CoC does not apply to “B2C services or to any processing activities for which the CSP may act as a data controller.” See Decision 5/2021 of May 25, 2021 (Belgian SA Decision, para. 5); see also the EU Cloud CoC’s introduction.
[5] Scope Europe is a subsidiary of the German non-profit organization SRIW e.V.
[6] See Article 40(7) GDPR.
[7] Opinion 16/2021 on the draft decision of the Belgian Supervisory Authority regarding the “EU Data Protection Code of Conduct for Cloud Service Providers” submitted by Scope Europe, dated May 19, 2021.
[8] Online declaration available at: https://eucoc.cloud/en/public-register/declaration-of-adherence/.
[9] For more information about the compliance marks, see here.
[10] See Article 83(2) GDPR.
[11] For more information about the price list, please see here.