On 23 February 2018, the Article 29 Working Party (WP29) sent a letter to Alban Schmutz, President of Cloud Infrastructure Services Providers in Europe (CISPE), in response to the organisation’s submission of a draft Code of Conduct for Cloud Infrastructure Service Providers.

In conducting its review, the aim of WP29 was to ensure that the draft Code would enable individuals to feel confident that their chosen cloud infrastructure services are compliant with the Data Protection Directive (Directive 95/46/EC) (the ‘Directive’) and the General Data Protection Regulation ((EU) 2016/679) (GDPR). It should be noted that the GDPR recommendations made by WP29 are non-binding for now, with a final assessment of the Code to be made once the GDPR is implemented on 25 May 2018.

In the annexes to the letter, a series of general and specific remarks are made to assist CISPE in re-evaluating and redrafting the Code.

What is cloud computing?

In simple terms, cloud computing is the practice of using a network of remote servers hosted on the internet to store, manage, and process data, rather than a local server or a personal computer.

Cloud computing has numerous commercial and technological advantages. The main one is to facilitate ubiquitous access to shared pools of configurable system resources, which can be used with minimal management effort, sharing resources in a way that achieves economies of scale.

The letter

The text of the letter sets out those areas on which WP29 focused when conducting its assessment. These areas include considering whether the draft Code: (i) is of sufficient quality and provides sufficient added value to the Directive; (ii) is sufficiently focused on the data protection questions and problems in cloud computing and the wider digital sector; and (iii) offers sufficiently clear solutions to data subjects.

The letter asks CISPE to contemplate the “added value” the Code is providing when making the next round of revisions.

Annexes – general remarks and specific comments on the Code

WP29’s key remarks focus on the lack of clarity and authority in the Code. For example, it points to a lack of delineation between the binding and optional requirements set out in the Code. WP29 suggests that the Code should give a potential customer a clear and unambiguous indication of what they can expect if they choose a service provider that claims to be compliant. It also recommends that CISPE make it more obvious where the GDPR is being referred to.

Another key recommendation made by WP29 is that the Code should focus less on the matters that CISPE as a processor is not responsible for, and more on the kind of security measures it does offer. Lastly, WP29 observes that some of the statements in the Code are overly generic, and recommends that CISPE focus more on the specific data protection problems and questions that arise in cloud computing services.

Final thoughts

The WP29’s comments help clarify the application of European data protection law to the cloud computing space and should enable CISPE to create a clearer, more instructive document. Ultimately, this should enable those who purchase and use cloud infrastructure or hosting services to do so confident in the knowledge that their chosen providers are compliant.