On 22 September 2015 the Article 29 Data Protection Working Party ("WP29" – the Committee of national Data Protection Authorities) adopted an Opinion on the Cloud Select Industry Group (C-SIG) Code of Conduct on data protection for Cloud Service Providers.

Nota bene: the development of the Data Protection Code of Conduct for Cloud Service Providers should be regarded as work-in-progress and this version of the document may still undergo further changes. The C-SIG should consider the WP29's opinion published in October 2015 and integrate the WP29's recommendations into a final version of the Code.

The Code of conduct focuses strongly on improving transparency and facilitating the understanding by cloud customers of data protection issues and of how they are addressed by the cloud service providers.

Opinion of the Article 29 Data Protection Working Party on the Code of conduct on data protection for cloud service providers

The Code of Conduct was submitted to the WP29 for their opinion on behalf of the C-SIG in January 2015, pursuant to articles 27 and 30 of the Data Protection Directive (95/46/EC) [1].

In its opinion, the WP29 expresses its appreciation of the effort put in by industry to draft this Code of conduct and recognizes that the Code of conduct provides important guidance to cloud computing providers with regard to applicable data protection and privacy rules in Europe. The WP29 stresses its expectation that adherence to the Code of conduct will contribute to greater transparency and legal certainty for all parties involved.

The WP29 also analyses in detail those aspects of the Code of conduct that may still be considered as a concern in relation to personal data protection in a cloud computing environment and provides recommendations on how to improve the Code of conduct. The detailed analysis of the WP29 is important as it will guide industry towards the finalisation of the Code of conduct.

Self- and/or co-regulatory initiatives like the Code of conduct are particularly appropriate for new technologies and services such as cloud because of the rapidly changing nature of the technology and the services provided on the basis of those technologies. Self- and co-regulatory initiatives are also encouraged in the draft General Data Protection Regulation, which means that a dynamic C-SIG Code of Conduct will serve as an appropriate and relevant tool for the industry going forward.

The Commission will continue to work with the C-SIG on the Code of conduct, because of its role in helping the cloud industry to meet its obligations but also in giving confidence to users and potential users of cloud services. This is particularly important for the Commission in the implementation of the Digital Single Market Strategy. The C-SIG is encouraged to work to finalise the Code of Conduct along the lines of the guidance of the WP29's Opinion, hopefully by the time of the Plenary meeting of the C-SIG taking place on 29 October.

 

[1] The Code of Conduct takes into account the Data Protection Directive, which foresees in Article 27 the possibility of the development of codes of conduct intended to contribute to the proper implementation of the national provisions adopted by the Member States pursuant to this Directive, taking account of the specific features of the various sectors. The draft General Data Protection Regulation also encourages the drawing up of codes of conduct.