
What is the EU Cloud Code of Conduct?

As businesses increasingly rely on cloud software to manage, store, and share data, questions arise regarding how it can be regulated to address privacy concerns. Various laws, such as the General Data Protection Regulation (GDPR), are already in place to ensure companies adequately protect user information. However, as digital operations expand rapidly worldwide, there is often confusion among professionals about how to comply.

As a result of such ambiguity, various countries have introduced codes of conduct containing best practices and guidance to assist with compliance. One of note is the EU Cloud Code of Conduct (the EU Cloud CoC), which the EU supervisory authorities approved in 2021.

This article explains the CoC, its main provisions, who it applies to, and how it impacts individuals, businesses, and the UK.

 

What is the EU Cloud Code of Conduct?

The EU Cloud CoC is a voluntary framework that aligns data protection requirements with cloud service usage. It provides companies subject to GDPR with guidance about how to comply. Although businesses aren’t legally obligated to follow the code, implementing its recommended practices has many benefits. In particular, companies can:

  • Easily prove they’re compliant with regulations;
  • Address long-running challenges by introducing specific, GDPR-based solutions;
  • Adjust internal procedures to ensure compliance and improve efficiency;
  • Confidently grow their business with legal and financial security;
  • Minimise the risk of legal action; and
  • Improve reputation and customer relationships.

 

Main provisions

The code deals with four main areas:

Data protection

Cloud Service Providers (CSPs) must:

– Process consumer data in compliance with GDPR, including obtaining valid user consent.
– Obtain written authorisations from customers to engage sub-contractors, known as subprocessors.
– Meet the relevant GDPR conditions when conducting international data transfers outside the European Economic Area (EEA).
– Maintain up-to-date and accurate customer records, including details of the processing they conduct on the consumer’s behalf.

 

Security requirements

CSPs must:

– Maintain strong technical and organisational measures to protect data. The relevant measures must reflect the degree of risk, accounting for the nature, scope, and purposes of the processing.
– Implement advanced encryption.
– Conduct regular audits to ensure they meet international security standards.
– Implement access controls to prevent unauthorised access.
– Develop policies and procedures to manage data breaches.
– Be transparent about their implemented measures by providing the relevant information, such as audit reports, to their customers.

 

Monitoring and compliance

An appointed monitoring body oversees CSPs’ operations to assess compliance. The monitoring body will:

– Conduct regular reviews to ensure adherence to relevant laws and the CoC.
– Manage complaints about code breaches.
– Develop procedures to prevent conflicts of interest.
– Keep documents detailing their investigations, decisions, and reasoning.
– Declare compliance where appropriate, with reference to “Compliance Marks” to determine the level of adherence.
– Review compliant CSPs every twelve months.
– Ask non-compliant CSPs to implement specific measures to prevent further infringement.

 

Internal governance

A General Assembly (GA), consisting of compliant stakeholders involved in the EU Cloud CoC, helps support CSPs’ internal governance. The GA:

– Makes decisions regarding the code, including updates and amendments.
– Elects the Steering Board members (see below) to ensure they represent different stakeholders’ interests.
– Helps shape the code’s governance strategy to ensure it aligns with industry and regulatory requirements.

The Steering Board (SB) is a specialised body which operates as the primary executive authority. It oversees and manages CSPs’ day-to-day compliance activities. The SB:

– Monitors changes in the law and proposes necessary amendments to the code.
– Defines and proposes minimum compliance assessment requirements in consultation with the monitoring body.
– Identifies and suggests more detailed guidelines for applying and interpreting the code.
– Appoints, withdraws, or suspends members of the monitoring body.
– Proposes remedies and sanctions in infringement cases.

Who does it apply to?

The code’s provisions predominantly apply to CSPs operating within the EU or offering services to EU customers. Its scope only covers CSPs offering business-to-business (B2B) services, including:

  • Infrastructure-as-a-service (IaaS)
  • Platform-as-a-service (PaaS)
  • Software-as-a-service (SaaS)

However, customers engaging CSPs are also partly responsible for encouraging compliance with the code and ensuring adherence to GDPR.

The code is also helpful for small and medium enterprises (SMEs) and public-sector organisations, which can refer to the CoC to assess a potential CSP’s compliance while using it to demonstrate their own adherence to GDPR.

 

How does it impact CSPs?

For CSPs, the code comes with several advantages and disadvantages:

Pros:

  • Competition: CSPs adopting the code will likely be more attractive to potential customers than those that don’t, especially in regulated industries like finance and healthcare.
  • Expansion: demonstrating they’re trustworthy providers through compliance with the code will make it easier for CSPs to expand into new markets.
  • Enhanced operations: CSPs that follow the code are more likely to streamline operations, minimise risk, and boost efficiency.

Cons:

  • Higher burden of responsibility: CSPs complying with the code must meet high standards, which can be time-consuming and require a lot of resources.
  • Increased costs: the code’s requirements to implement advanced technical systems, such as encryption, will likely result in higher costs, which could be a struggle for smaller providers.
  • Complexity: providers may find interpreting and applying the code complex, as it adds another level of compliance to GDPR. In particular, engaging subprocessors will require more work to manage.
  • Liability: while the code aims to minimise risk, the consequences of a breach could have profound financial and reputational impacts on CSPs, even if it’s a subprocessor’s fault.

 

How does it impact businesses?

While the CoC has many benefits for businesses using cloud services, it also comes with challenges. The key impacts are summarised below.

Pros:

  • Improved trust: businesses can feel confident about compliance if they engage a CSP that adheres to the CoC.
  • Simplified processes: the code makes it easier for businesses to assess compliance with GDPR, saving time and costs. This streamlining is particularly valuable for SMEs with fewer resources.
  • Risk mitigation: compliance with the code reduces the risk of breaches and, therefore, legal action.
  • Transparency: businesses have more information about the cloud services they use due to the code’s transparency requirements.
  • Fast and effective reporting: CSPs must promptly notify businesses of a data breach, allowing companies to respond quickly and minimise financial and reputational damage.

Cons:

  • Lack of customisation: strict adherence to the code may result in CSPs providing limited flexibility and tailoring to their services, which may not work well for certain companies.
  • Increased costs: CSPs complying with the code will implement more advanced security systems and data protection measures. As such, they’re likely to charge a premium, which may be unaffordable for smaller businesses.
  • Over-reliance on the CoC: there’s a risk that businesses will place too much weight on the code and disregard their GDPR responsibilities as data controllers. Companies must ensure their data practices align with the law regardless of the code’s compliance checks.

 

The EU Cloud CoC’s impact on the UK

While EU law no longer governs the UK post-Brexit, the code still impacts some aspects of UK markets. Firstly, the UK adopted the UK GDPR, which broadly reflects the EU regulation. Secondly, UK-based CSPs that process EU residents’ data must also adhere to the EU GDPR, meaning they should have regard to the CoC when ensuring compliance.

Where relevant, UK businesses that comply with the code can also help maintain the UK’s adequacy status. This is confirmation from the EU that a country or territory outside the EU offers a similar standard of data protection to the EU. This status allows for smooth data transfers between the UK and EU without further safeguards, thereby promoting an ongoing trading relationship which greatly benefits the UK.

 

Conclusion

The EU Cloud Code of Conduct plays a vital role in addressing the complexities of data protection in cloud computing. As businesses increasingly rely on cloud services, adhering to GDPR is crucial, and the code provides a valuable framework for ensuring compliance while promoting trust between CSPs and their customers.

The code encourages CSPs to implement high-security and transparency measures by offering standardised practices, allowing businesses to choose compliant providers confidently. It reduces legal risks, simplifies procurement, and ensures CSPs follow strict processes, such as adequately managing subprocessors.

Its scope covers B2B cloud services like IaaS, PaaS, and SaaS providers operating in or serving the EU. It’s especially useful for SMEs and public sector organisations, as they can more easily assess and select CSPs while focusing on growth and feeling confident about securing their data.

The CoC offers improved trust, simplified compliance checks, and risk mitigation for businesses using cloud services. However, due to security and operational investments, the cost of engaging CSPs that comply with the code may be higher. The code brings a competitive advantage for CSPs, although meeting its requirements can be resource intensive.

UK-based CSPs processing EU data must still comply with GDPR and can benefit from adhering to the code to maintain cross-border data flows. Adherence to the EU Cloud CoC will be vital for effective data protection and security as cloud computing expands.
