Europe’s Cloud Computing industry today sent out a strong message about its commitment to security and privacy. Following a four-year collaboration between cloud service providers and the European Commission –

– in which IBM has been a driving force – the text of a Data Protection Code of Conduct for Cloud Service Providers in Europe has been published. Those who sign up to the Code of Conduct pledge that their privacy and security policies are robust, going far beyond legal compliance. We expect the code to establish an essential bond of trust in cloud computing between those who provide cloud services and those who stand to benefit most from them.

The core text of the code, already agreed on by industry representatives and by representatives of DGs Justice and Connect of the European Commission, is expected to be endorsed by a Plenary Group, a broad cross-sectoral group of cloud computing stakeholders.  The Plenary Group’s endorsement will be a significant step in the validation of the Code.

Importantly, the Article 29 Working Party, representing European Data Protection Authorities, has given input to the Code of Conduct – the version presented today reflects its opinion.

The purpose of this voluntary Code of Conduct* is to make it easier and more transparent for cloud service customers to analyze if cloud services are appropriate for their planned usage. The transparency created by the Code will contribute to an environment of trust and will create a high default level of data protection in the European cloud computing market, in particular for cloud customers such as Small and Medium enterprises (SMEs) and public administrations. The Code draws upon existing global standards such as ISO/IEC 27001 and 27018, which IBM already complies with in its cloud offerings. As the Code aligns with current European data protection legislation and also brings on board key elements of the new EU General Data Protection Regulation, it will help cloud service providers and customers make the transition to the new Regulation.

We are now working on finalizing governance of the Code of Conduct – establishing the best ways for cloud service providers to register their adherence to the code, and defining how signatories will be approved and certified. The outcome will be a European “Trust in Cloud Services” compliance mark, immediately visible to cloud customers, demonstrating the provider’s commitment to security and privacy.  Cloud service customers will thereby have a proof point on legal compliance and best practices, and can use the Code of Conduct as a gold standard alongside any cloud service agreement they sign.

At IBM, we firmly believe in the need to strengthen trust in the digital world and in cloud computing. We take seriously the concerns expressed about data privacy. By working on this initiative, we want not just to say but to show that realizing the promise of cloud computing does not require sacrificing privacy. As a leading cloud services provider, we stand ready to sign up to the finalized code.

We are pleased and proud that industry and the European Commission have achieved the creation of the Code of Conduct. It’s been a rewarding and constructive collaboration focused on empowering cloud customers to make the right choices when it comes to security and privacy. This cooperative approach to finding a policy solution sets a good precedent for what we hope will be many such fruitful initiatives in the future.

###

(*This Code of Conduct has been prepared to contribute to the proper application of the national data protection provisions adopted by Member States pursuant to Directive 95/46/EC, taking into account the specific features of the cloud computing sector.)

By Jonathan Sage
 IBM Government and Regulatory Affairs Executive

###

Media Contact:
Anita Kelly
anita.kelly@ketchum.com