On 14 February 2017, the organization Cloud Infrastructure Services Providers in Europe (CISPE) issued a press release that a number of leading cloud computing vendors operating in Europe have declared compliance with the CISPE Data Protection Code of Conduct (the "Code") for some or all their services. All cloud infrastructure services compliant with the Code requirements are listed on the CISPE Public Register. The providers of these services can display a certification mark on their websites to notify their customers of their services' compliance with the Code.
CISPE said that the Code is supposed to guide customers in assessing whether cloud infrastructure services being offered by a particular provider are suitable for the data processing activities that they wish to perform. This includes, in particular, compliance with all EU data protection laws that are applicable and binding on them, including the EU Data Protection Directive and the General Data Protection Regulation (GDPR). The GDPR will come into effect on 25 May 2018. Cloud service providers adhering to the Code must, inter alia, give customers the choice to store and process their data entirely within the European Economic Area. They must also commit that they will not access or use their customers' data for their "own purposes, including, in particular, for the purposes of data mining, profiling or direct marketing."
In creating the Code, the CISPE acknowledged that there are a wide variety of cloud computing models and that data protection considerations vary based on the type of model a service provider uses. The Code focuses on Infrastructure-as-a-Service providers (IaaS) which host hardware, software, servers, storage and other infrastructure components on behalf of their customers. (Other categories of cloud computing services include Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS).)
The Code has yet to be approved by the European Commission or any national data protection supervisory authority for GDPR purposes.
This article was originally published on AllAboutIP – Mayer Brown's blog on relevant developments in the fields of intellectual property and unfair competition law. For intellectual property-themed videos, Mayer Brown has launched a dedicated channel available here.
Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2017. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.