New EU Code of Conduct for cloud providers: not a GDPR party
Just before the third anniversary of the GDPR, the Data Protection Authorities in the EU (united in the EDPB) approved two codes of conduct for cloud providers; see opinions 16/2021 and 17/2021. The CISPE Code of Conduct (for cloud infrastructure providers) and the EU Cloud Code (for all types of cloud providers) could, in theory, provide an enormous privacy boost. Unfortunately, the agreed rules are of little consequence. The Cloud Code does not offer a solution for the major privacy risks for European customers of (mainly) American cloud providers when it comes to purpose limitation, transparency, legal ground and data minimisation. The Code of Conduct thus somewhat resembles the promises of the food industry to, for example, reduce the added sugars and salts in prepared food. The Global Food Research Program of the University of North Carolina pointedly summarises this as ‘Industry Self-Regulation: Empty Pledges’.