At the end of March, CISPE President Alban Schmutz (OVH), Vice President Stefano Cecconi (Aruba) and Secretary General Francisco Mingorance were interviewed by Giuseppe Badalucco from the Italian website “Data Manager Online”. 

An English translation of the article can be found below. The original article in Italian is available here: http://www.datamanager.it/2018/03/cispe-in-dirittura-darrivo-il-codice-di-condotta-per-la-protezione-di-dati/

Having received the first WP29 feedback, the body is releasing the second version of the text in preparation for the GDPR

We’re ready. CISPE, Cloud Infrastructure Services Providers in Europe (https://cispe.cloud), an association of more than twenty operators working in Europe, is releasing the updated version of the Code of Conduct (CoC) for data protection. This text offers the possibility of processing all data exclusively in Europe and a specific ban on selling or using business clients’ data. Once the green light has been given by the Article 29 Working Party, the independent body responsible for examining the requests to approve codes submitted by the industry, the document will stand out as the benchmark standard for all suppliers in this sector.

Let’s go in order. Discussions on the final draft of the text, preceded by two days of preparatory work carried out by the Board of CISPE and the CCTF (Code of Conduct Task Force) – the working groups that met last week at the new Aruba data center in the Province of Bergamo – focused on the correct interpretation of the standpoint of Data Protection Authorities. “For now, we can say that it was great to get the WP29’s initial feedback, along with a number of valuable suggestions about how to improve the Code even more”, says Stefano Cecconi, Aruba’s CEO (www.aruba.it). “The information in the GDPR outlines the principles and objectives without specifying what needs to be done in detail; conversely, the comments made by the Data Protection Authorities, which were very specific, were very helpful in suggesting how to change the text”, points out Francisco Mingorance, General Secretary of CISPE. In order to respond and to improve the code in terms of the points covered by the Authorities, the CCTF has adjusted the old text by providing more details about services and terms of use for Cloud infrastructures. Examples have been added, and some parts have been completely rewritten so that they are more comprehensible for end customers. “We have added lots of examples applicable to the services offered, and rewritten some technical passages to make them clearer, hence ensuring that our customers understand the document”, explains Alban Schmutz, President of CISPE. “For some technical and legal points, we have provided a number of user case studies. We have described the state-of-the-art technology used and our goals in terms of data protection. The Code clarifies in detail the services offered by and the responsibilities of the Cloud Service Provider in relation to the data center and infrastructure, equipment, networking, logical security, server rooms etc. Everything else, in terms of platforms and software, is a customer management component that we are not involved with”, Cecconi confirms.

The fundamental points

Reiterating the commitment by providers not to carry out data mining or profiling of customer data for the purposes of marketing activities or for sale to third parties, the CISPE Code confirms its plans to fit in with the requirements stipulated by the GDPR. It will go further in terms of guarantees for customers. “Our Code of Conduct is committed to assuming certain obligations not stipulated in the Regulation. To start with, all companies that sign up to the Code undertake to offer their customers the option of processing all data exclusively in Europe. This is a service that not all providers operating in Europe are currently able to provide”, Mingorance points out. Cloud providers are also specifically prohibited from selling or using business clients’ data. This specific assumption of responsibility sends a strong message to the market. “Especially to European companies that want to see their data kept in Europe without the risk of it being sold or used. None of us will ever be able to offer customers the option to use Cloud infrastructures free of charge in exchange for access to data. This is complemented by the commitment not to access data processed on the systems used by our customers in any way or in any circumstance. They have the option to choose whether to keep it exclusively in Europe, or elsewhere. This is a commitment that is neither compulsory, nor even considered in the GDPR”, Cecconi points out. This is backed up by a series of tools made available to customers to ensure compliance with the commitments made. “A number of aspects that need to be considered and rules that must be adopted. From certification to auditing, as well as security guarantees provided both in terms of data security and physical security. The data kept at our data centers is protected by security measures confirmed by the certificates that Aruba has been awarded, including ISO 27001 and ANSI-TIA 942-A, which cover logical, physical and organizational data security”, argues Cecconi.

Importance of the Code of Conduct

Having secured the green light from the WP29, CISPE hopes that everyone will have to adapt to what will become the benchmark for the industry. “The work that we are doing is being carried out in collaboration with other stakeholders who are making this Code of Conduct fair and representative, and therefore acceptable, we hope, to the Data Protection Authorities”, Cecconi confirms. This does not mean that the Code of Conduct will change over time. But each change must, in turn, be accepted by the Authorities. “It will not be possible to first adopt it and then change it without the approval of the European data protection regulators”, observes Mingorance.

Alongside this work, the CISPE Board has also been discussing a regulation on the free flow of data. On this subject, EU member states came to an agreement last December that will lead to the creation of a digital single market. Such a market will in fact make it possible to set limits on the flow of data only for specific security reasons, improving portability and avoiding the risk of data lock-in. We hope that this will result in enhanced trust and the spread of Cloud computing services.