Data protection code of conduct for cloud service providers and the right to data protection: effectiveness of the self-regulatory instrument and its future
The paper “Data protection code of conduct for cloud service providers and the right to data protection: effectiveness of the self-regulatory instrument and its future” (Moyakine, E.) will be presented at the 5th Conference on the Regulation of Infrastructures (24 June 2016).
In the contemporary digital age, cloud computing has developed into a cornerstone of various IT infrastructures and plays an increasingly significant role in the provision of cloud services over the Internet, offering an array of benefits to both public and private actors. In the European Union, these services must be carried out in compliance with the fundamental rights to privacy and data protection of EU citizens. The decision of the Court of Justice of the European Union in the Maximillian Schrems v. Data Protection Commissioner case recognised the importance of these rights and declared the Safe Harbour agreement between the European Commission and the United States invalid. This has direct consequences for the business operations of many US cloud service providers and leads to uncertainties among corporations from other third countries.
With respect to cloud computing, there is a self-regulatory initiative called the Data Protection Code of Conduct for Cloud Service Providers, drafted by a Subgroup of the Cloud Select Industry Group, which includes such major stakeholders as Google and Microsoft, with active participation of the European Commission. Article 27(1) of Directive 95/46/EC and Article 40(1) of the new General Data Protection Regulation specifically encourage the adoption of these codes of conduct with the intention of contributing to the proper application and implementation of data protection law. The Code of Conduct contains guidelines specifically designed for cloud computing providers that will stimulate their compliance with EU rules on privacy and data protection. At the moment, this document is being finalised and is considered a work in progress. Unfortunately, given its nature and current draft status, this particular initiative does not receive much attention in legal literature, although it potentially constitutes a benchmark for other self-regulation processes in this field and a crucial measure in ensuring that the right to data protection of EU citizens is guaranteed when they make use of cloud services.
This contribution uses desk study on the basis of a literature review as the main legal research method. It looks into possible effects that the Code of Conduct has on the right to data protection in the EU and examines the extent of its effectiveness in guaranteeing this right through evaluation of aspects of legitimacy, quality and enforcement. The article also identifies gaps that cannot be left unaddressed and must be closed in order to ensure that the Code will achieve its regulatory objectives. Finally, some changes and modifications of the Code are proposed.
ABOUT THE AUTHOR
Evgeni Moyakine obtained his first Master’s degree in International and European Law cum laude at Radboud University Nijmegen and successfully completed the Research Master in Law programme at Tilburg University and Leuven University with the same grade point average.
He was awarded a PhD grant by the Netherlands Organization for Scientific Research in 2010 and worked as a doctoral candidate at the Department of European and International Public Law, Tilburg Law School, Tilburg University. His doctoral thesis entitled “The Privatized Art of War: Private Military and Security Companies and State Responsibility for Their Unlawful Conduct in Conflict Areas” was published in 2015 by Intersentia. He lectured and supervised students, published scientific articles, participated in various research activities and conferences and functioned as an active member of the Utrecht School of Human Rights Research and a senior editor at the Tilburg Law Review.
Since 2015, he has been working as a postdoctoral researcher at STeP, “Security, Technology and e-Privacy Research Group”, located at the Department of European and Economic Law, Faculty of Law, University of Groningen. Currently, he actively participates in several international research projects on – inter alia – biometrics, privacy and data protection and is involved in teaching and supervision activities.
Presentation given by Evgeni Moyakine