Since the EU General Data Protection Regulations (“GDPR”) came into effect in 2018, there has been much discussion, but little action, with regard to Article 40 Codes of Conduct (”Codes”) and Certifications (Article 42). As the European Data Protection Board (“EDPB”) points out in its 2019 Guidelines (“EDPB Guidelines”), Codes “provide an opportunity for particular sectors to reflect upon common data processing activities and to agree to bespoke and practical data protection rules which will meet the needs of the sector as well as the requirements of the GDPR”. While this opportunity would appear highly attractive to certain sectors (e.g., cloud computing, life sciences), there is little evidence of substantive progress to date. Specifically, the EDPB’s register of approvals contains only three entries to date.
One of the hurdles to wider adoption of codes is the submission and approval process. Draft Codes must be submitted to a competent supervisory authority (“CompSA”) for approval. Where Codes are meant for use by data controllers or processors across multiple EU member states (“Transnational Codes”), the competent authority is required to seek opinion from the EDPB and the CompSAs in other member states whose residents’ personal data will be processed, before providing considering final approval for the Codes
This is not to say that there has not been interest or effort directed at drafting, submitting, and implementing Codes. At least three organizations (“Code Owners”) have created Codes for use by cloud service providers acting as data processors. However, none of these Codes has yet to receive approval from the competent authorities. Interestingly, of the three entries in the EDPB register of approvals, none are transnational.
While it is difficult to pinpoint specific reasons for the delay in approval and adoption of Codes, the following actions by submitting organizations, the CompSAs and the EDPB, may help lead to more wide adoption of Codes by avoiding or mitigate unnecessary delays.
- Increased levels of details in the draft Codes and transparency in the drafting process. Code Owners should be required to publish detailed draft Codes publicly and seek feedback from security/privacy practitioners or stakeholders. Such feedback should also be available for public reviews. Transparency in the process will generate awareness and of the Code, support public confidence in the controllers/processors and may facilitate more timely regulatory approval.
- Specificity in review/approval timelines. EDPB guidelines should be specific in terms of timelines allowed for CompSAs to finish their review and approval. Timelines currently set out in section 8.3 of the EDPB guidelines simply require That the CompSA “aim to arrive at a decision within a reasonable period of time”. Similarly, the guidelines should be specific in terms of the duration allowed for the completion of EDPB reviews and approvals of Codes submitted to them by CompSAs. The guidelines do not specify any timelines currently in this regard.
- Transparency in progress of Codes’ approvals by CompSA and EDPB. CompSAs should consider publishing periodic updates regarding the status of Codes submitted, reasons for delays (e.g., delays from concerned supervisory authorities or the EDPB; delayed responses to queries sent to Code Owners) and the dates the Codes are approved. Similarly, the EDPB should publish updates regarding the status of Codes submitted to them, reasons for any delays (e.g., delays in responses from CompSAs) and the dates the Codes are approved.
While currently submitted Codes are awaiting approval, processors should consider whether adoption of and adherence to one of these Codes might make sense as part of their privacy strategies. For example, considering the predominance of the use of cloud-based services by data processors, the Cloud Security Alliance (“CSA”) Code may benefit organizations for the following reasons:
- Current. Of the three submitted Codes (available publicly from the respective Code Owners’ websites), only CSA appears to have a version updated since the publication of EDPB Guidelines in 2019. While the CSA’s current version is from September 2020, Codes from the other two Code Owners have not been updated since 2017.
- Participation. CSA’s Code has been developed by a working group (PLA Working Group) that is composed of a broad set of stakeholders, including Cloud Service Providers (CSPs), local supervisory authorities and independent security and privacy professionals. Evidence of similar external stakeholder participation (including involvement of independent security and privacy professionals) is not available in the Codes published by the other two Code Owners.
- Transparency. CSA’s Code went through a process of public feedback and consultation before the draft was finalized for submission to the CompSA (CNIL). Such a record for the Codes from the other two Code Owners was not publicly available on their websites.
- Code Content and Details. CSA’s Code is far more detailed than the other two Codes, not only in terms of the privacy and security content, but also in its governance and adherence mechanisms, roles and responsibilities of its governance groups, and details of governance processes and activities.
- Geographical Coverage and Reputation. CSA is recognized and respected worldwide for its industry leadership given its track record in development of privacy and data protection guidelines and best practices for the cloud environment since 2013. This should enhance CSA’s appeal to not only processors (CSPs and cloud users) located in the EU, but also those that are located elsewhere and process personal data of EU residents.
Evidencing compliance with the CSA Code (or others) will help processors gain the confidence of their customers and prospects. Code Owners typically offer either self-assessment or certification to demonstrate adherence to the Code. Organizations processing personal data of EU residents should consider self-assessment before choosing to graduate to the certification option later, perhaps after the Codes are approved by the CompSAs and EDPB.
 Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679