On September 22, 2015, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the Cloud Select Industry Group (“C-SIG”) Code of Conduct on data protection for Cloud Service Providers (the “Code”). In the Opinion, the Working Party analyzes the Code, which was drafted by the C-SIG.
Although the Opinion recognizes the effort of the C-SIG to provide guidance to cloud service providers (“CSPs”) regarding data protection and privacy rules in Europe, it does not formally approve the Code. According to the Working Party’s Opinion, some major concerns remain and should be taken into account when drafting the final version of the Code.
In particular, the Working Party addresses the following concerns:
- Adhering to the Code will not make CSPs immune to any future changes in the data protection law. In particular, the Code should take into consideration provisions that will be introduced by the future EU General Data Protection Regulation such as certifications, powers of Data Protection Authorities (DPAs), controllership, status of processors and codes of conduct.
- Adhering to the Code will not make CSPs immune to any enforcement actions by DPAs or the imposition of sanctions, but the Code will help CSPs demonstrate accountability with regard to data protection rules.
- The C-SIG should clarify the governance of the Code, specifically with regard to the conditions for adherence to the Code (i.e., self-assessment or third party certification procedures).
- The Code should provide guidance to CSPs with regard to cloud services dedicated to the processing of sensitive data, citing specific examples.
- The Code should provide clear guidance with regard to the location of processing. In addition, the obligation of CSPs to inform controllers should be strengthened, in particular when the processing of data involves processors and sub-processors. This can only be achieved if the controller has precise information on the locations where the processing takes place.
- Although the C-SIG Group indicates that CSPs are not entitled to identify personal data on their service, the Working Party recommends that the Code contain references to personal data, articulated with the notion of anonymization. In addition, the Working Party notes that if references to pseudonymization are made in the Code, pseudonymization can only be considered a security measure and does not exempt CSPs from their responsibilities as provided for under data protection law.
- The Code should specify the conditions for the communication of personal data to a law enforcement authority located outside the EU, and in particular, should note that “transfers of personal data by a processor to any public authority cannot be massive, disproportionate and indiscriminate in a manner that it would go beyond what is necessary in a democratic society.”
- The Opinion states that the Code should elaborate further on the liability regime applicable to the parties involved in the processing of personal data in case of violation of their data protection obligations. In particular, the Code should prevent the use of terms and conditions that unduly limit the CSPs’ obligations and liability.
- The Working Party encourages the C-SIG Group to include provisions regarding IT security in the Code, including the possibility to perform a security risk assessment and data protection impact assessment to implement security measures. In addition, the Code should encourage CSPs to establish different levels of protection depending on the nature of the data.
- The right to audit given to data controllers should be strengthened as it allows control of the activities of the data processor by the data controller.
- Reference to data portability should be made in the Code in order to facilitate interoperability and the transfer of personal data to a new cloud service provider, while safeguarding data subjects’ rights.
The EU Commission will continue working with the C-SIG Group on the Code. The C-SIG Group is encouraged to finalize the Code, taking the Working Party’s opinion into consideration, by the end of October.