Out-Law / Your Daily Need-To-Know

Out-Law News 2 min. read

New code of conduct on data protection for cloud service providers being scrutinised by EU privacy watchdogs

EU privacy watchdogs are assessing a proposed new code of conduct on data protection for cloud service providers that the European Commission hopes will help to boost the uptake of cloud services by EU businesses.

The draft code, which has been developed by industry in a project supported by the Commission, could be approved by the Article 29 Working Party later this summer. The Working Party is a committee made up of representatives from each of the national data protection authorities in the EU.

Representatives from Microsoft, Oracle and the Cloud Industry Forum are among those that have been involved in drafting the code, according to minutes from a previous meeting of the Commission-chaired Cloud Select Industry Group on Code of Conduct.

Cloud computing experts at the Commission told Out-Law.com that the aim of the new code is to "help potential cloud computing users assess whether a cloud provider complies with EU data protection rules, and with their own data protection obligations". They said it will "also help cloud providers demonstrate that they comply with the data protection legal framework, particularly when providing cross-border services".

The Article 29 Working Party's opinion on the proposed code has been sought to "ensure legal certainty and coherence between the code of conduct and EU law", the experts said. "This is a legal requirement under existing and future EU data protection rules," they said.

The Working Party's opinion on the new code is expected to be published "in the second half of 2015", they said. A new "governance structure", which will address issues such as how compliance with the code should be assessed and recognised, "will be agreed by the industry and finalised after the publication of the Article 29 Working Party's opinion", the experts said.

Out-Law.com understands, however, that the code, once completed and operational, will require amendment to account for the outcome of current negotiations on reforms to EU data protection laws. The new code is not being designed to replace existing cloud data protection certification schemes developed by industry but will instead exist as a benchmark for other self-regulatory initiatives.

One new cloud certification scheme that has been launched is the Certified Cloud Security Professional (CCSP) Certification. The CCSP has been developed by (ISC)² in partnership with the Cloud Security Alliance (CSA).

The scheme is aimed at improving skills, and the recognition of those skills, in cloud security, Dr. Adrian Davis, (ISC)² managing director for EMEA, said.

"As cloud becomes part of the IT infrastructure, it’s becoming more important to ensure that there are qualified IT professionals with relevant skills to manage and implement cloud securely," Davis said. "New UK-based statistics reveal that security professionals are still concerned about the management of cloud, especially as threats rapidly develop and increase in number. Together with CSA, we’ve developed this certification to provide IT professionals with advanced knowledge to help businesses ensure that security is a key component of cloud adoption."

Research undertaken by cloud computing industry body the Cloud Industry Forum published earlier this month revealed that the main obstacles to UK organisations' adoption of cloud-based IT services are concerns about data privacy, security and the loss of control over IT infrastructure.

However, the Commission cloud experts said they hope the new code can help address those issues. They said: "By bringing more clarity and certainty to data protection issues, we hope that the code will help build trust and confidence in the field of cloud computing, and lead to more businesses taking up cloud services."

A recent report published by the Commission on cloud service uptake in the EU said that "net additional GDP growth" in the EU economy that will be derived from the use of cloud services next year is likely to range between €53.9bn and €62.2bn. However, the report highlighted the challenge EU cloud providers face in competing for business with US-based cloud providers. It also said that differing interpretations across the EU of EU rules on "data location" have had a "significant impact on the adoption of cloud based computing solutions".

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.