A European industry group composed of cloud infrastructure providers has released a 41-page "code of conduct" that seeks to assure customers their data is being protected in accordance with standards set by government rules. Here's the gist from the Cloud Infrastructure Services Providers in Europe (CISPE)'s announcement:
The CISPE Data Protection Code of Conduct provides a data protection compliance framework that makes it easier for customers to assess whether cloud infrastructure services being offered by a particular provider are suitable for the processing of personal data.
Cloud providers adhering to the Code must give customers the choice to store and process their data entirely within the European Economic Area. Providers must also commit that they will not access or use their customers' data for their own purposes, including, in particular, for the purposes of data mining, profiling or direct marketing.
Companies declaring compliance with the CISPE Code of Conduct requirements represent a group of leading cloud infrastructure providers operating in Europe: Amazon Web Services (AWS), Aruba, DADA, Daticum, Gigas Hosting, Ikoula, LeaseWeb, Outscale, OVH, Seeweb, SolidHost and UpCloud, with more to be announced soon.
The framework set out by CISPE adheres to both Europe's existing Data Protection Directive and the EU's General Data Protection Regulation (GDPR), which takes effect in May 2018, according to the group.
Overall, the code of conduct is a proactive and welcome move but one that should be viewed with the right amount of skepticism. It is an industry-led effort, after all, and therefore is as much about marketing as it is about complying with data-protection laws. (Indeed, members of the group are entitled to use a compliance mark on their websites and other materials showing their adherence to the code of conduct.)
Second, the full document includes key passages such as this one:
The Code is a voluntary instrument, allowing a CISP to evaluate and demonstrate its adherence to the Code Requirements for one or several of its services. This may be either (i) certification by independent third-party auditors, or (ii) self-assessment by the CISP and self-declaration of compliance.
Certification by an independent third party is far preferable to "self-assessment" and "self-declaration of compliance." Customers engaging a provider that displays the CISPE compliance mark should check which route the provider took: ask whether its adherence was verified by a third-party auditor, and for which specific services, rather than taking the mark alone as evidence.
Notably missing from the initial list of participants are Microsoft and IBM. The former has staked out a sizable claim in Europe for its Azure cloud services and has sought to differentiate itself with arrangements such as its German data trustee model with Deutsche Telekom: DT operates the data centers, and Microsoft can access customer data only with permission from DT or the customer.
In any event, the code of conduct is well worth a careful read whether you're in Europe or other parts of the world, as it contributes to the ever-important discussion about data privacy and sovereignty in a rapidly changing world.