Export Compliance Daily is a Warren News publication.
'Legal Certainty'

EC Conduct Plan May Be Privacy Shield Alternative

An EU-backed cloud industry code could help ease data transfer woes caused by Privacy Shield's rejection by the European Court of Justice in Schrems II (see 2007160002), its developers said. The Cloud Code of Conduct, developed by the European Commission and the cloud computing community, is expecting final approval soon, and work is underway on a "Third Country Module" of the CoC that could be an alternative to PS, said K&L Gates data protection attorney Thomas Nietsch.

The EC generally welcomes such self-regulation as "trusted and valuable additions" to existing mechanisms, Nietsch noted. The general data protection regulation was designed to be future-proof and "while dealing with a highly innovative industry, it has distanced itself from certain technical aspects." Aware of that potential limitation, the EC put in place mechanisms to address the lack of technical specificity while guaranteeing "robust application" of GDPR, including codes of conduct, he said. The third country module hasn't been vetted by the European Data Protection Board or Data Protection Supervisor, but has been discussed with supervisory authorities, Nietsch said.

Businesses of all sizes must have tools to enable secure international data flows, said Computer & Communications Industry Association Senior Manager-Public Policy Alexandre Roure. He said a code of conduct "is a great initiative to restore legal certainty for companies that rely on global data flows for their daily business operations."

An April European Parliament research service analysis examined available tools for data flows between the EU and U.K. after Brexit. Though codes of conduct are "at an early stage," some see "great potential" in them, the report said. "Reliability of these supplementary measures remains uncertain and the subscription to these codes does not reduce the responsibility of the [data] controller or processor for compliance with the GDPR."

U.S. and private stakeholders didn't comment Thursday. Nietsch said the U.S. has been monitoring the PS and standard contracts situation.