Data watchdogs seek 'added value' in GDPR cloud codes

Out-Law Analysis | 30 Nov 2018 | 11:50 am

ANALYSIS: A letter published by an EU data protection watchdog earlier this year offers clues as to how a new cloud computing code of conduct will be assessed for approval under the General Data Protection Regulation (GDPR).

A revised version of the EU Cloud Code of Conduct was published earlier this month. It is the latest version of a code of conduct developed by the cloud computing industry and has been put forward as helping cloud service providers to meet their obligations under the GDPR. However, the code will only be truly relied upon to show effective GDPR compliance if it is approved by data protection authorities. To date, none of the other codes the cloud industry has developed have had that approval.

The EU's cloud vision and data protection

After the European Commission set out its vision for unleashing the potential of cloud computing in Europe back in 2012, it brought industry representatives together via the Cloud Select Industry Group (C-SIG) and tasked the body with establishing a number of new codes to support growth in the use of cloud computing – this included the development of a new data protection code of conduct for the cloud computing sector.

C-SIG's draft code of conduct on data protection was considered by the Article 29 Working Party – the predecessor to the European Data Protection Board that now operates under the GDPR. The Working Party did not endorse the code, prompting subsequent re-workings.

The publication of the new EU Cloud Code of Conduct represents the latest iteration of the C-SIG work. The body behind the new code – the EU Cloud Code of Conduct General Assembly, which includes IBM, Oracle, Salesforce, SAP, Cisco, Google and Workday – said the code "tracks code requirements to GDPR and to international standards such as ISO 27001 and 27018".

The new EU Cloud Code of Conduct from C-SIG seeks to "make it easier and more transparent for customers [of cloud services] to analyse whether cloud services are appropriate for their use case". The code sets out guarantees – referred to as 'controls' – which are described as an "inherent part of the code". Compliance with the controls is "a mandatory part of declaring adherence to the code".

The code explains that cloud service providers (CSPs), a monitoring body accredited as such under Article 41 of the GDPR, and supervisory authorities will have the ability to assess compliance with the code by requesting a copy of the 'controls catalogue', which CSPs are required to implement in practice.

CSPs may sign up to the code for some or all of the cloud services they provide to customers. CSPs will then be able to show compliance with the code by way of a compliance mark – there are three levels of compliance – depending on the assessment made by an accredited monitoring body as to the CSP's level of compliance. At present, the monitoring body is not accredited pursuant to Article 41 of the GDPR, so it is not yet able to verify CSPs' compliance with the code.

Central areas of the code

The EU Cloud Code of Conduct from C-SIG sets out the requirement that cloud service providers and their customers specify the terms governing the processing of personal data in the contract between them. This reflects the requirements of Article 28(3) of the GDPR. The code goes further, though, by providing further detail and points to consider for how cloud service providers and their customers might comply with those obligations.

In addition, the code sets out the standards that CSPs should adhere to in order to implement effective security measures. It also explains how compliance with the code will be monitored.

When expanding the requirements of Article 28(3), the code seeks to set industry standards in respect of the CSP's and its customer's responsibilities for lawful processing, sub-processing, international transfers, cooperation and assistance between the parties, records of processing, data subject rights, data breaches and post-termination events. For example, when considering the approach to a customer's audit rights, the code said the CSP and the customer should consider and agree how they will minimise the risks associated with the audit, that the customer should provide written notice prior to an audit, and further encourages the CSP and the customer to consider costs associated with the audit.

However, in a number of cases, the code states that "the CSP shall establish documented procedures" in respect of specific provisions of Article 28(3), including to "ensure that [the CSP] only engages subprocessors that can provide sufficient guarantees of compliance with the GDPR" and "to assist the customer for fulfilling data subject access requests". This leaves some flexibility for CSPs to decide how they will demonstrate their compliance with the code, but it does not provide the detail customers may require "to analyse whether cloud services are appropriate for their use case" based only on the code.

On liability, the code provides cloud customers with the right to pursue CSPs under their cloud service agreement and the GDPR where the CSP "has acted outside or contrary to [their] lawful instructions". This may cause CSPs to carefully consider the cloud customer's processing instructions and require greater detail of these instructions in the cloud services agreement, at the request of the CSP, to ensure the CSP does not fall foul of the cloud customer's processing instructions. In addition, CSPs cannot prohibit data subjects from enforcing their rights and/or from seeking any other remedies that are available to the data subject under the GDPR.

The security measures referred to in the code point to specific security standards that CSPs should adhere to, for example ISO27001, ISO27002, SOC2 and C5, but the code does not go so far as to require formal certification against the relevant standards. Detailed security objectives are set out in the code, with the 'controls' citing relevant sections of ISO27001 that deal with the management direction for information security, human resources security, asset management, access controls, encryption, physical and environmental security, and incident management, to name just a few. These are highlighted as areas of security to focus on and as requiring the implementation of effective security measures.

While previous versions were drawn up before the GDPR began to apply on 25 May this year, the new code has been submitted to the European Data Protection Board with the express aim of obtaining approval under the GDPR.

Articles 40 and 41 of the GDPR provide for the endorsement of industry-drafted codes of conduct that are "intended to contribute to the proper application" of the Regulation. The EDPB must approve the code where it relates to processing in more than one EU member state; national data protection authorities can approve codes designed for use within their own jurisdiction only.

Clues as to what the EDPB will look for when scrutinising the new code can be derived from a letter published by the Article 29 Working Party in February this year in response to a rival industry body's plans for a GDPR-approved cloud code.

The CISPE code

Although both are codes developed for a business-to-business, cloud provider-to-cloud customer context, the code developed by the Cloud Infrastructure Service Providers in Europe (CISPE) differs from that drawn up by the EU Cloud Code of Conduct General Assembly. The CISPE Data Protection Code of Conduct is focused directly on the activities of infrastructure-as-a-service (IaaS) providers.

CISPE's code was considered by the Article 29 Working Party in light of both the previous Data Protection Directive and the GDPR. The Working Party offered recommendations on CISPE's code, which it did not approve, but invited CISPE to discuss the points further – at that stage it was not issuing binding recommendations under the GDPR. To date, CISPE has not published further details of its work on the code; instead, it recently announced that it has committed to creating the first ever Cloud Infrastructure Data Portability Code of Conduct, which concerns the EU's proposed new Regulation on the free flow of non-personal data and not the GDPR.

Lessons to be learned from the Working Party's letter

In its letter to CISPE, the Working Party said codes of conduct under the GDPR have to be "sufficiently focused on the specific data protection questions and problems in the organisation or sector to which it is intended to apply and offer sufficiently clear solutions for these questions" if they are to gain approval.

The CISPE was urged to "consider what 'added value' the code provides as a whole and, in particular, what specific examples, practical solutions or recommendations the code is offering to the customer to demonstrate that your code would merit being approved".

The Working Party criticised some of the language CISPE used in the code and called on the body to make it clear where requirements are "binding" and where they are otherwise "optional".

The letter also set out specific recommendations for CISPE in a number of areas, including in respect of provisions on data retention, transparency and data subject access, as well as in respect of data security.

The Working Party suggested the code could be improved by "describing a certain baseline of security measures" that IaaS providers would provide "and be responsible for". It also said CISPE should outline "how these implemented security measures will support the customer in securing the data against the various threats stated".

The Working Party said that while CISPE had gone in "the right direction" by explaining security responsibilities in an annex to its code, it said the body should have "further expanded" and could have done this by aligning the controls it set out with "the ISO 27002 standard (or a subset thereof)".

The CISPE code's requirements in relation to how security incidents would be managed were also described as "quite vague". The Working Party said the code should offer "concrete examples of the policies that [IaaS providers signing up to the code] will implement to identify and respond to security incidents involving customer’s data". The code should also clarify that other types of personal data breach beyond cases of 'unauthorised access' would need to be reported.

The Working Party's letter highlights the high standards that data protection authorities are seeking from industry codes of conduct. The EDPB is likely to be equally detailed in its scrutiny of the new EU Cloud Code of Conduct and of other codes that are put forward for approval.

Claire Edwards and Michele Voznick are data protection experts at Pinsent Masons, the law firm behind