The code, established by Cloud Infrastructure Services Providers in Europe (CISPE), places restrictions on the processing of personal data that cloud customers store with providers, defines responsibilities for data security, and requires providers to offer customers the option to process and store personal data entirely within the European Economic Area (EEA). It also, among other things, details protocols for handling requests for data from government authorities and law enforcement agencies, as well as for the notification of data breaches.
The code (a 41-page, 364KB PDF) has been drafted to accord with the requirements of the EU's new General Data Protection Regulation (GDPR), which does not take effect until 25 May 2018.
A number of cloud infrastructure providers, including Amazon Web Services (AWS), have already signed up to the voluntary code. Those providers can display a certification mark to notify cloud customers of their compliance with the code.
CISPE said the new code "can be used as a tool by customers in Europe to assess if a particular cloud infrastructure service provides appropriate safeguards for the processing they wish to perform".
Data protection law expert Kuan Hon of Pinsent Masons, the law firm behind Out-Law.com, said: "This is a very positive step. I hope that this code will be approved for GDPR purposes, whether by the European Commission or a national data protection supervisory authority, to enable transfers to adhering cloud providers, even if they are outside the EU, as well as to help evidence their compliance generally."
Hon has called for the EU's E-Commerce Directive to be updated to address an anomaly which exposes infrastructure cloud providers to potential liabilities for unlawful handling of personal data by their customers, even if they are not aware of their customers’ activities. She said the anomaly will be more striking when the GDPR takes effect.
Alban Schmutz, chairman of CISPE, said: "Any customer will know that if their cloud infrastructure provider is complying with the CISPE code of conduct, their data will be protected to clear standards. The CISPE code of conduct provides Europeans with the confidence that their information will not be used for anything other than what they stipulate. The CISPE compliance mark clearly addresses this, providing consistency across Europe, which is what European customers call for."