Cloud Infrastructure Service Providers in Europe Release Data Protection Code of Conduct

In January 2017, the Cloud Infrastructure Service Providers in Europe (CISPE) published a Data Protection Code of Conduct for Cloud Infrastructure Service Providers (the Code of Conduct).

CISPE is an association of cloud infrastructure service providers that operate in Europe.  CISPE advocates on behalf of its members to promote harmonized security requirements and technical standards for the provision of cloud services.  CISPE also seeks to promote uniform privacy requirements for cloud service providers.

The Code of Conduct, which consists of a set of requirements for cloud service providers as data processors, seeks to provide a uniform framework for complying with the European Union’s General Data Protection Regulation, which is set to come into force on May 25, 2018.  The Code of Conduct is particularly focused on data security and transparency with respect to the security measures implemented by cloud service providers.

Among other things, the Code of Conduct provides that cloud service providers must provide their customers with the ability to store and process their data exclusively within the European Economic Area.  Additionally, the Code of Conduct provides that cloud service providers will provide their customers with information about the region and country where data is stored and processed by or on behalf of the cloud service provider, including for sub-contractors involved in the processing of the customer’s data.

The Code of Conduct has not been approved by the European Commission.  Nevertheless, in a press release published by CISPE on February 14, 2017, CISPE noted that a coalition of cloud computing infrastructure providers operating in Europe have declared their compliance with the Code of Conduct.  Some of the companies included in this coalition include Amazon Web Services, Aruba and OVH.

Summary By: Michael House