The EU Cloud Code of Conduct is working on a proposed legal solution for the transfer of personal data outside the EU. Once approved by data protection authorities, the solution could be an alternative to the recently annulled EU-U.S. Privacy Shield, previously relied on by thousands of businesses who now face disruption and uncertainty when transferring EU citizens’ data across the Atlantic.
The EU Data Protection Code of Conduct for Cloud Service Providers says it will define clear requirements for Cloud Service Providers acting as “processors” under the General Data Protection Regulation (GDPR) and is adopted broadly by the cloud market. While the official approval of the current Code by the European Data Protection Board (EDPB), comprised of national Data Protection Authorities (DPAs), is pending, the EU Cloud Code of Conduct General Assembly will have a new module to the Code for transferring personal data outside of the EU.
The announcement comes only weeks after the recent European Court of Justice’s so-called "Schrems II" ruling which invalidated the data exchange mechanism between the US and the EU (Privacy Shield). The ruling also imposed strict obligations on companies that rely on transfers of personal data to non-EU countries by Standard Contractual Clauses.
The EU Cloud Code of Conduct General Assembly is inviting interested Cloud Service Providers (CSPs) and cloud-users to join the initiative and to contribute to the development of the module, thereby shaping the future legal basis to transfer EU citizen’s personal data to third countries around the world.
"We are working closely together with the members of the EU Cloud CoC and SCOPE Europe on this project, as we believe that a robust code of conduct for cloud providers will contribute greatly to the online protection of European citizens. We are impressed by the efforts and resources dedicated by this industry-group to implement best practices for the cloud industry that are both hands-on and respectful of the data subjects" says David Stevens, Chair of the Belgian Data Protection Authority
"The EU Cloud Code of Conduct has been developed and refined over several years with guidance from the industry, subject matter experts, and the EU authorities. It is an ideal mechanism to provide additional safeguards for third country transfers pursuant to Art 46 of the GDPR" says Eva Salzmann, Senior Counsel, Global Privacy Legal & Data Protection Officer Europe, IBM
"In the aftermath of Schrems II, we need a suitable mechanism that will survive the test of time. We believe that a Code of Conduct built jointly by the cloud industry and the supervisory authorities is an indication of strong reliability for protecting personal data in accordance with EU principles wherever they flow across the world," commented Lorena Marciano, Director, EMEAR Privacy Officer, Cisco