On September 27, 2016, Cloud Infrastructure Services Providers in Europe (“CISPE”) published its Data Protection Code of Conduct (the “Code”). CISPE, a relatively new coalition of more than 20 cloud infrastructure providers with operations in Europe, has focused the Code on transparency and compliance with EU data protection laws.

Highlights of the code include:

  • a requirement that cloud customers are offered the ability to process and store their data exclusively within the EEA;
  • “Trust Mark” awarded to compliant cloud infrastructure providers, and listing on CISPE website; and
  • a prohibition on the use of customers’ personal data for cloud infrastructure service providers’ own benefit or the sale of such data to third parties.

Currently, cloud infrastructure service providers may demonstrate their compliance with the Code either by certification from independent third-party auditors or by self-certifying compliance. Customers may verify the service provider’s compliance through the CISPE website.

CISPE claims that the Code is based on internationally recognized security standards and is compliant with the requirements of the EU’s General Data Protection Regulation, which comes into force across all EU Member States in May 2018.