An EU-backed effort to create a regulatory framework that would make it easier for IT buyers to identify and purchase cloud services that are compliant with the General Data Protection Regulation (GDPR) has found favour with the European Data Protection Board.
The EU Cloud Code of Conduct is intended to help IT buyers source cloud services from GDPR-compliant providers, and – in turn – speed up adoption of off-premise services across the continent by allaying users’ data protection concerns about using the cloud.
The code features a set of requirements and characteristics that cloud service providers must meet to demonstrate their ability to comply with GDPR, with participants expected to self-evaluate their services to ensure compliance with its contents.
There is also an independent monitoring body in place, known as Scope Europe, to ensure participants’ ongoing compliance with the contents of the code; having such a monitoring body is itself a requirement of GDPR.
The code has been created in collaboration with the European Commission and the cloud computing community, including the likes of IBM, Salesforce, Oracle and Alibaba Cloud, with additional input on its contents secured from the Article 29 Working Group.
During a keynote address at the virtual EU Cloud Compliance Summit today (20 May 2021), Agnieszka Bruyere, vice-president of IBM Cloud for Europe, Middle East and Africa (EMEA), confirmed the code and its governance model have secured the backing of 26 supervisory authorities from the European Data Protection Board.
This development marks it out as the first transnational code of conduct that covers all categories of cloud offerings – spanning software, platform and infrastructure services – to be approved as GDPR compliant by data protection authorities in this way.
“It’s a very important moment because this is the first tool in Europe that can not only demonstrate compliance, but also bring proof of the compliance for cloud users and cloud providers all over Europe.
“It’s also very important because this is the first time an independent monitoring body has been accredited – it’s absolutely unique. These two combined factors make the Cloud Code of Conduct a unique, robust tool for all users and providers of cloud in Europe.”
Tech giant Microsoft is among the providers that have already taken steps to ensure their offerings comply with the Code of Conduct, with the company confirming that 140 of the services that fall under its Azure public cloud branding are now classified as compliant.
Getting the code to this point has not been without its challenges, said Neelie Kroes, former vice-president of the European Commission, who began laying the groundwork for the Cloud Code of Conduct in 2012 at the World Economic Forum in Davos, Switzerland, when she talked about the data regulation barriers impeding the take-up of cloud technologies across Europe.
In a separate keynote address at the EU Cloud Compliance Summit, where details of the Code of Conduct achieving the approval of the Belgian Data Protection Authority (DPA) were announced, Kroes said she had not expected it to take as long as it had for the Code of Conduct to win the approval of the European data protection authorities, but she is pleased that it has.
“Part of the reason for this delay is the many developments we saw in the past years in privacy and security. We saw the GDPR coming into force, new cyber security frameworks, certifications… and the code has managed to incorporate successfully all these elements,” she said.
“The code is the first tool approved by data protection authorities to ensure and improve GDPR compliance for all types of cloud services. It successfully addresses the concerns… [of] cloud users and authorities, while protecting the rights of hundreds of millions of European citizens. And it is setting a high-quality baseline for future developments in the field of cloud regulation.”
Kroes also called on the members of the cloud software, infrastructure and platform communities that are yet to ensure their own offerings comply with the Code of Conduct to get involved, in the interests of creating a “wide and trusted ecosystem” of providers for IT buyers to tap into.
“My wish is to see more trust in technology,” she said. “So European companies [can] innovate, they can rebuild after the pandemic, and they can create new business models and build new startups.”
The EU Cloud Code of Conduct is not the only initiative designed to help IT buyers ensure the cloud technologies they are basing their digital transformation strategies on are GDPR-compliant, nor is it the first to have found favour with the European Data Protection Board.
Indeed, in recent days the board has also provided a “favourable opinion” on the CISPE Data Protection Code of Conduct, which focuses exclusively on ensuring that the services provided by cloud infrastructure firms operating in Europe are GDPR compliant.
In another address during the EU Cloud Compliance Summit, David Stevens, chairman of the Belgian DPA, said one of the most positive elements of the EU Cloud Code of Conduct was that participation is not limited to cloud software or infrastructure players – all are welcome.
“This is a very good code [and] one of the main arguments [for that] relates to the fact that it has a very broad scope. This is not just a specific type of cloud services, but it covers infrastructure as a service, platform as a service and software as a service,” he said.
“It covers… a large part of the value chain of everything which relates to cloud. This is a very important characteristic – we need an open vision, a broad scope when we are thinking about law and technology. That’s a very important point.”