New EU Code of Conduct for cloud providers: not a GDPR party

June 2, 2021

Just before the third anniversary of the GDPR, the Data Protection Authorities in the EU (united in the EDPB) have approved two codes of conduct for cloud providers, see opinions 16/2021 and 17/2021. The CISPE Code of Conduct (for cloud infrastructure providers) and the EU Cloud Code (for all types of cloud providers) could, in theory, provide an enormous privacy boost. But unfortunately, the agreed rules are of little consequence. The Cloud Code does not offer a solution for the major privacy risks for European customers of(mainly) US American cloud providers, when it comes to purpose limitation,transparency, legal ground and data minimisation. The Code of Conduct thus somewhat resembles the promises of the food industry to for example reduce the added sugars and salts in prepared food. The Global Food Research Program of the University of North Carolina pointedly summarises this as  Industry Self-Regulation: Empty Pledges’.

Codes of Conduct and supervision of privacy compliance

A Code of Conduct can support supervision of privacy compliance. The idea is that organisations in an industry sector agree how they should apply the open standards from the General Data Protection Regulation (GDPR). Just copying clauses of the law is not good enough. A Code of Conduct should promote transparency and legal certainty and give confidence to current and future customers of the services. A Code of Conduct should therefore provide specific explanations and choices, in particular when there are differences of opinion. And the sector must arrange for effective supervision of compliance with the Code of Conduct by its member organisations. This makes the Code of Conduct one of the building blocks of GDPR supervision, in addition to the Data Protection Authorities (DPAs), the DPOs and data subjects that can lodge complaints with organisations, and go to court with claims for damages.

Code of Conduct 9 years in the making

The Code of Conduct has been 9 years in the making. In 2012, the European Commission promised that a Code of Conduct would be ready in 2013, Unleashing the Potential of Cloud Computing in Europe. Things did not go as smoothly as hoped. In 2015, the DPAs issued a first scathing opinion on the envisaged general Code of Conduct. In 2018 they sent a letter with new 'recommendations'. In their initial opinion, the DPAs emphasised that there should be no confusion about the role of the cloud provider: as data processor or as data controller. In addition, they noted that the Code of Conduct wrongly failed to provide an interpretation of the concept of personal data and of anonymisation. In 2018, the DPAs still saw no added value in the code. The cloud providers focused too much on explaining what they were not responsible for, and gave too little substance to their obligations. The DPAs noted that although the Code of Conduct explicitly excluded account data (the login data that customers must provide to cloud providers), it was unclear what the Code of Conduct was about, as the concept of 'customer data' was unclear.

General cloud provider Code of Conduct does not cover metadata

The newly adopted version of the EU Cloud Code does not solve these problems. The Code of Conduct only applies to the processing of Customer Personal Data. And these are defined as:

Any personal data in relation to data subjects that the Customer entrusts to the CSP as part of the provision of the Cloud Services.

In other words, the Code of Conduct only covers the data that customers knowingly upload to the computers of the cloud provider, but does not contain any rules about the processing of the metadata. The metadata are the very detailed personal data that cloud providers collect about the individual use of their services. Every time you open, edit, save and send a file or email, the cloud provider records this in server generated logs. At Privacy Company we have done a lot of extensive research into these data flows, for example in the public DPIA reports about Microsoft and Google. These studies show that cloud providers collect personal metadata on a large scale without properly informing their customers or offering them relevant privacy choices. Moreover, the providers like to determine the purposes of the processing of metadata themselves.

Unclear role of cloud providers

Cloud providers usually consider themselves as (independent) data controllers for the metadata. In GDPR terms, this means that they themselves may determine the purposes of the data processing, whereas a processor may only follow instructions from its customers (the controllers). Many US cloud providers eagerly process the data on the use of the services for their own commercial purposes. That is why it is so important that the Code of Conduct clearly sets out what a cloud provider may and may not do with the personal data. But the new Cloud Code carefully avoids that dilemma:

In the course of the Cloud Service Agreement and to the extent CSP is concerned as processor, CSP shall not process Customer Personal Data except on Customer’s Instructions unless required to do so by law, as specified in Article 28.3 GDPR.

So if the cloud provider considers itself to be a processor, for the content data that a customer actively uploads to a cloud computer, the cloud provider shall process those (content) data for the purposes of the customer. Not a word on when the provider may qualify itself as a data controller, and no mention of the many other types of diagnostic personal data that are automatically created by the cloud provider when an organisation decides to use its services.

No self-regulation in case of imbalance of power

I find this Code of Conduct a strikingly awkward example of the failure of self-regulation. Self-regulation does not work when there is an imbalance of power. Just as in the tobacco, food, alcohol, medicine, oil and gas industries, the interests in the IT world are unequal and there are only a few global market players. The enormous revenues of these dominant players are opposed to social damage that is difficult to quantify. Moreover, the damage often occurs in the long term. Member States seem more concerned with the financial and economic benefits of employment through Big Tech than with the individual disadvantage for customers(both consumers and employees who use cloud services through their employer). Since data protection is a fundamental right, governments should offer strong guarantees. The globally operating cloud providers have managed to keep the legislator at bay for 9 years, but now everyone can judge for themselves that the result is a farce, and that the cloud providers have no intention of killing their business model.

Supervision failure in Ireland

Government,businesses, universities and hospitals have massively switched to public cloud services in recent years, while there is a flagrant lack of supervision. This is mainly due to the lack of action by the Irish Data Protection Commissioner(DPC). Within the EDPB, the Irish DPC is almost always designated as the lead DPA, i.e. the regulator that has to settle conflicts with Big Tech on behalf of all other DPAs, because those companies have their European headquarters in Ireland. The European Parliament recently passed a resolution by a large majority that the European Commission should start an infringement procedure against Ireland for its failed implementation of the GDPR, in particular because of the lack of resources for the Irish DPC. But how can governments act effectively to protect our fundamental rights?

EDPS investigation and EU cloud purchase conditions

It is clear that supervision by DPAs can never cover all data processing and that the two new Codes of Conduct do not contribute to reducing the privacy risks of using public cloud services. My hopes are pinned on enforcement by the EDPS, the DPA of the European institutions, and on stricter purchasing conditions by governments and universities.

I am curious about the results of a new investigation announced by the EDPS into Microsoft’s GDPR compliance. In the Netherlands, cloud services of Microsoft, Google and Amazon are centrally purchased by SLM Rijk for the central government, and by SURF for the universities. SLM Rijk (housed at the Dutch ministry of Justice and Security) sets a good example in Europe by publishing DPIA reports and then negotiating with cloud providers to tighten their data processing agreements. As a result,Microsoft has improved its privacy terms worldwide,in line with the Dutch negotiation results. The EDPS has taken the lead with SLM Rijk to unite all public sector purchasers of cloud services in The Hague Forum for Cloud Contracting.

It would be great if this assembly could produce standard contracts that are transparent about all types of personal data and that do provide legal certainty. EU legislators can then help by making the use of these standard contracts mandatory for all public sector organisations. The big cloud providers often resist changes, because they offer their global services in one identical way. But that disadvantage can be turned into an advantage: if they have to change their processing in order to provide services to the public sector, the chances are very high that they will offer the improved processing to all customers worldwide.