EU: First transnational codes approved under the GDPR
The first codes of conduct under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') have recently been approved, with a focus on the area of cloud computing. Anna Eidvall and Mikael Satama Granberg, Partner and Legal Director respectively at MAQs Advokatbyrå AB, discuss these codes and their content.
The GDPR introduced a possibility for controllers and processors to demonstrate compliance with the GDPR through adherence to an approved code of conduct. The code should be prepared by an association or other body representing categories of controllers or processors with the purpose of specifying the application of the GDPR in a specific sector, such as with regard to fair and transparent processing, the collection of personal data, and the information provided to the public and to data subjects. In order for the code to be a legitimate tool that contributes to the proper application of the GDPR, it must be submitted to, and approved by, a competent supervisory authority. Transnational codes should, before approval, also be subject to the European Data Protection Board's ('EDPB') opinion.
All things come to those who wait
Following the implementation of the GDPR, many associations prepared codes of conduct, both at national and transnational levels. However, we had to wait until this year before the first transnational codes of conduct were approved: the 'EU Data Protection Code of Conduct for Cloud Service Providers' ('the EU Cloud Code') – submitted to the Belgian Data Protection Authority by Scope Europe (with members like Google Cloud, Microsoft Azure, and Salesforce) – and the code of conduct of Cloud Infrastructure Service Providers in Europe ('the CISPE Code') – submitted to the French data protection authority by the Cloud Infrastructure Service Providers (with members like Amazon Web Services) (together, 'the Codes'). The reasons for the delay may be many: it is expensive to draw up a code of conduct that meets the GDPR's criteria, and it is also expensive, and requires a robust organisation, to ensure that the code is properly managed once adopted. Initially, the supervisory authorities also urged stakeholders to wait for the EDPB's guidelines on codes of conduct and monitoring bodies, which were adopted in their final wording in June 2019.
Before the Codes in question were formally approved, the EDPB adopted its opinions on them. In those opinions, the EDPB gave the green light to the Codes, and they were approved shortly thereafter (in May and June, respectively).
Scope of application
The EU Cloud Code and the CISPE Code both address cloud computing, which is interesting in itself since it is an area currently under a great deal of scrutiny following the decision in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II') last summer. Cloud computing as a concept covers a variety of different service provision models such as Infrastructure as a Service ('IaaS'), Platform as a Service ('PaaS'), and Software as a Service ('SaaS'). The 'as a Service' suffix denotes services provided by a third party over the internet. The three variants mentioned represent the main types of such services.
IaaS can be seen as a 'first step' in adopting cloud services. It enables an organisation to shift from the use of on-premise hardware (i.e. servers) for storage to a cloud-based hosting service, which is tailored and scalable to the organisation's requirements. PaaS adds an additional layer of 'platform software' on top of the IaaS, providing organisations with a ready-to-go software environment, e.g. for development or hosting of proprietary web-based software. SaaS, as the final add-on, ensures that the organisation can also access software and application services via the internet.
While the cloud service providers' security standards may be high, and their resources to tackle data security threats greater than those of the organisation's internal IT department, using cloud services still requires the organisation to entrust the service provider with data and information to a certain degree. The GDPR requires that a controller (i.e. an organisation) only uses processors (i.e. cloud service providers) that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the GDPR's requirements and ensure the protection of the rights of the data subject. This puts a heavy burden on the controller to really know its processors. Codes of conduct represent an opportunity to establish a set of rules that contribute to the proper application of the GDPR in a practical, transparent, and potentially cost-effective manner that takes into account the specificities of a particular sector and/or its processing activities. Adherence to a code of conduct indicates the processor's compliance with the GDPR. However, it does not prevent supervisory authorities from exercising their enforcement powers and prerogatives.
While the CISPE Code applies to the specific features of processing by IaaS providers, the EU Cloud Code addresses all service types of the cloud market (e.g. IaaS, PaaS, SaaS) and creates a 'baseline for implementation of GDPR' for these services. The main objective of both Codes, however, is to concretise the legal requirements of Article 28 of the GDPR and the relevant related articles (i.e. to ensure that the cloud service provider provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the GDPR's requirements and ensure the protection of the rights of the data subject). In its opinions, the EDPB specifically recalled that the Codes will not apply to all the processing operations carried out on behalf of the controller, but only to the elements of Article 28 and the related relevant articles.
In light of the Schrems II decision and its aftermath, it should specifically be noted that neither code is intended as a mechanism for international transfers of personal data, and therefore neither provides appropriate safeguards within the framework of transfers of personal data to third countries or international organisations. Consequently, any transfer of personal data to a third country or to an international organisation may take place only if the provisions of Chapter V of the GDPR are respected. This includes the need to carry out a data transfer impact assessment if the transfer relies on one of the Article 46 transfer tools.
The EDPB concluded that the Codes facilitate the effective application of the GDPR and contain both strict requirements particularising provisions of the GDPR and good practices currently followed by the sector. The Codes also describe the rights and obligations of adhering service providers in relation to key principles of the GDPR such as purpose limitation, data subject rights, transfers, security, auditing, and liability.
In terms of 'added value', the EDPB found that the Codes provide guidance adapted to the sector on security measures, auditing requirements, data subject rights, and transparency requirements, to mention a few.
In addition, the Codes contain mechanisms that enable a monitoring body accredited by the EDPB to carry out the mandatory monitoring of compliance with them, and that ensure efficient enforcement measures are in place. These mechanisms consist of three phases: (i) one that binds the actor that wants to adhere to the code and enables the monitoring body to assess the actor's eligibility, (ii) one that describes how compliance with the code is monitored on an ongoing basis, and (iii) one that describes how such monitoring is to be carried out ad hoc. Both Codes meet these requirements, and both also provide for sanctions in cases of infringement.
Scope of application: Both the CISPE Code and the EU Cloud Code enable cloud service providers to understand and comply with the GDPR principles applicable to them as data processors.
Outside the scope of application: Neither the CISPE Code nor the EU Cloud Code applies to the processing of personal data in an actor's capacity as data controller. Nor do they apply to business-to-consumer relationships. However, consumers may still benefit from knowing that their personal data has been entrusted to a company that uses a processor adhering to either of the Codes.
Moreover, neither code can be used as a transfer mechanism to validate international transfers of personal data under the GDPR.