At the end of March, CISPE President Alban Schmutz (OVH), Vice President Stefano Cecconi (Aruba) and Secretary General Francisco Mingorance were interviewed by Giuseppe Badalucco from the Italian website “Data Manager Online”.
An English translation of the article can be found below. The original article in Italian is available here: http://www.datamanager.it/2018/03/cispe-in-dirittura-darrivo-il-codice-di-condotta-per-la-protezione-di-dati/
Having received the first WP29 feedback, the body is releasing the second version of the text in preparation for the GDPR
We’re ready. CISPE, Cloud Infrastructure Services Providers in Europe (https://cispe.cloud/), an association of more than twenty operators working in Europe, is releasing the updated version of the Code of Conduct (CoC) for data protection. This text offers the possibility of processing all data exclusively in Europe and a specific ban on selling or using business clients’ data. Once the green light has been given by the Article 29 Working Party, the independent body responsible for examining the requests to approve codes submitted by the industry, the document stands to become the benchmark standard for all suppliers in this sector.
The fundamental points
Reiterating the commitment by providers not to carry out data mining or profiling of customer data for the purposes of marketing activities or for sale to third parties, the CISPE Code confirms its plans to fit in with the requirements stipulated by the GDPR. It will go further in terms of guarantees for customers. “Our Code of Conduct is committed to assuming certain obligations not stipulated in the Regulation. To start with, all companies that sign up to the Code undertake to offer their customers the option of processing all data exclusively in Europe. This is a service that not all providers operating in Europe are currently able to provide”, Mingorance points out. Cloud providers are also specifically prohibited from selling or using business clients’ data. This specific assumption of responsibility sends a strong message to the market. “Especially to European companies that want to see their data kept in Europe without the risk of it being sold or used. None of us will ever be able to offer customers the option to use Cloud infrastructures free of charge in exchange for access to data. This is complemented by the commitment not to access data processed on the systems used by our customers in any way or in any circumstance. They have the option to choose whether to keep it exclusively in Europe, or elsewhere. This is a commitment that is neither compulsory, nor even considered in the GDPR”, Cecconi points out. This is backed up by a series of tools made available to customers to ensure compliance with the commitments made. “A number of aspects that need to be considered and rules that must be adopted. From certification to auditing, as well as security guarantees provided both in terms of data security and physical security. The data kept at our data centers is protected by security measures confirmed by the certificates that Aruba has been awarded, including ISO 27001 and ANSI-TIA 942-A, which cover logical, physical and organizational data security”, argues Cecconi.
Importance of the Code of Conduct
Having secured the green light from the WP29, CISPE hopes that everyone will have to adapt to what will become the benchmark for the industry. “The work that we are doing is being carried out in collaboration with other stakeholders who are making this Code of Conduct fair and representative, and therefore acceptable, we hope, to the Data Protection Authorities”, Cecconi confirms. This does not mean that the Code of Conduct will change over time. But each change must, in turn, be accepted by the Authorities. “It will not be possible to first adopt it and then change it without the approval of the European data protection regulators”, observes Mingorance.
Alongside this work, the CISPE Board has also been discussing a regulation on the free flow of data. In regard to this subject, EU member states came to an agreement last December that will lead to the creation of a digital single market. Such a market will in fact make it possible to set limits on the flow of data only for specific security reasons, improving portability and avoiding the risk of data lock-in. We hope that this will result in enhanced trust and the spread of Cloud computing services.