Belgium approves first EU-wide GDPR code of conduct

Viewpoints
May 20, 2021

One of my favourite quotes comes from Episode 7 of Series 1 of The Wire. Bunk Moreland: "A man must have a code". Omar Little: "Oh, no doubt." 

I'd like to think the architects of the GDPR had that in mind when drafting Article 40(1): "The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises."

This morning, the Belgian data protection authority approved the first transnational code of conduct in the EU, for cloud services. The code creates a baseline for implementation of the GDPR for cloud providers of all types, including the Article 28 requirement for processors to provide sufficient guarantees around their technical and organisational means.

It's an important development and comes at a time when the use of cloud providers, and particularly the legality of using US-based operators (including in Europe), is under scrutiny. To be clear, the code does not provide appropriate safeguards for third-country data transfers, so it's not a silver bullet in that respect. However, it remains more internationalist than France's recently released cloud strategy, which seeks to keep data within French borders — the latest (albeit still nascent) move towards European data sovereignty. 

It also offers welcome guidance — for controllers and processors alike — around the issues that we still see being heavily negotiated, including audit rights, the deletion and return of customer data, security measures and transparency requirements (which, in the latter case, go above and beyond the GDPR standard). In practice, that will mean revisions to existing processing agreements, likely in conjunction with Schrems II-related updates.

Unsurprisingly, the largest industry players have endorsed the code. But it's also designed — through a three-level compliance framework — to be accessible and relevant for providers of all sizes, as per the ethos described in Article 40(1). As with all things GDPR, there is no one-size-fits-all, and rightly so. After a slow start, we'll hopefully now see the impetus for more industry-specific codes to be released in the near future.