Avatar

Codes of Conduct may be used as appropriate safeguards for cross-border transfers under Article 46 of the European Union General Data Protection Regulation (GDPR). Today, the EU Cloud Code of Conduct (EU Cloud CoC) General Assembly is proud to release a draft version of the Third Country Transfers Module for public consultation.

In July 2023, the European Commission passed the long-awaited adequacy decision to restore lawful and secure transfers of personal data from the European Economic Area (EEA) to the United States (US). The adequacy decision supports personal data flows between any entity in the EEA and US companies participating in the EU-US Data Privacy Framework (EU-US DPF). Cisco welcomed the news, celebrating the efforts of the European Commission and US agencies to rebuild trust in data transfers between some of the world’s largest economies.

This decision could not have been possible without addressing the underlying fundamental human rights and civil liberties concerns – including binding safeguards that limit access to data by US intelligence authorities to only what is “necessary and proportionate” to protect national security – and establishing an independent and impartial redress mechanism available to EEA data subjects. Similar framework arrangements with the United Kingdom and Switzerland are awaiting formal adequacy decisions and are expected shortly. Cisco is an active participant in the EU-US DPF and UK Extension, as well as the Swiss-US DPF.

The need for supplementary measures

While the decision offers some relief, the future of the DPF remains uncertain and legal challenges have already begun. Two previous adequacy decisions made by the European Commission – Safe Harbor and Privacy Shield – were struck down in 2015 and 2020 respectively by the Court of Justice of the European Union (CJEU). Correspondingly, the European Data Protection Board’s (EDPB) recommendations on measures that supplement remaining transfer tools created previously unforeseen legal responsibilities for companies of all sizes through assessments of third country laws and practices in pursuit of “essential equivalence” (i.e., transfer impact assessments). The defying outcome of legal uncertainty around transfers became obvious – GDPR had become a de facto, data localization standard.

A tool to address legal uncertainty and administrative overhead

The Third Country Transfers Module (the Module) under the EU Cloud CoC was launched against this background of legal uncertainty and administrative overhead that arguably further endangers fundamental rights and freedoms. Conversely, a cloud service provider (CSP) adherent to the Module warrants it has no reason to believe the laws of the non-EEA countries receiving personal data would prevent the CSP from honoring its obligations under the EU Cloud CoC. Read more about the Guidelines 04/2021 on codes of conduct as tools for transfers.

The Module builds upon relevant CJEU decisions: EDPB Recommendation 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data and Guidelines 04/2021 on codes of conduct as tools for transfers, amongst other legal requirements. It aims to provide scalable, sustainable, and demonstrable compliance mechanism for cloud providers whose power lies in service catalogues that identify appropriate technical, contractual, and organizational supplementary measures to be adopted by adherent services.

The service catalogues represent tailored transfer impact assessments that are not only attuned to the nature, scope, context, and purposes of personal data processing, but also contain assessment of the third country laws and practices and their influence on a particular transfer. As such, code-adherent cloud services eliminate the requirement for users of cloud services to conduct case-by-case assessments as required by other transfer mechanisms, such as Standard Contractual Clauses. Service catalogues could also be understood as “off-the-shelf nutrition labels” for third country transfers that incorporate fundamental rights considerations while supporting economic growth through “data free flows with trust.”

Next steps for an effective and accountable cross-border transfer solution

Before any Code of Conduct can be used as a Third Country Transfers tool, it must be approved by the EDPB and given general validity by the European Commission. Together with the General Assembly members, Cisco invites those interested in reviewing this preliminary draft to contribute to the shaping of an effective cross-border transfer solution for trusted cloud environments. We look forward to partnering with broader stakeholder groups to advance mechanisms and practices that support demonstrable accountability for effective data privacy.

Cisco and the EU Cloud CoC

Cisco has been a proud supporter of the EU Cloud CoC since its inception in 2017 – from ideation, to development, to adherence of our services, to additional tools like the Third Country Transfers Module. In November 2021, Webex by Cisco (Webex) was declared adherent to the EU Cloud CoC and in July 2023, the first collaboration platform to achieve its highest adherence level (3) – another testament to Cisco’s commitment to data protection and to delivering secure technologies. As Cisco’s EMEA Privacy Officer and the Co-Chair of the Third Country Transfers Module, I am greatly honored and proud of our team’s contribution and am looking forward to learning from this public consultation.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn



Authors

Jelena Kljujic

EMEA Privacy Officer

Cisco Privacy Center of Excellence