What does this cover?
A code of conduct on data protection for cloud service providers (the Code), drawn up by the EU working group Cloud Select Industry Group (C-SIG), is currently being finalised following the publication of an opinion of the Article 29 Working Party.
The Code aims to support a consistent and transparent application of data protection rules in the cloud industry and to improve cloud customer understanding of data protection issues. C-SIG submitted its draft Code to the Article 29 Working Party earlier this year so that it could deliver its opinion.
The opinion found that there are significant gaps which need to be addressed before the Code is finalised. In particular, the opinion highlights the need for the Code to be more specific on three points: the requirement of transparency regarding the location of data processing; preventing the adoption of terms of service that disadvantage a customer by unduly limiting cloud providers' obligations; and the specific care to be taken in handling data subjects' complaints and requests.
The opinion has, however, been published with a view to supporting the progress and finalisation of the Code, and the Article 29 Working Party has recognised that the Code provides important guidance to the cloud industry and to data controllers in assessing a cloud provider/product.
What action could be taken to manage risks that may arise from this development?
While the Code is being finalised, companies may find the opinion useful in assessing whether their cloud service provides adequate levels of security and data protection.