CoC for Cloud Service Providers is now underway


It was announced last week that the EU Data Protection Code of Conduct (CoC) for Cloud Service Providers is now underway.

Designed as a safeguard for international data transfers under GDPR Article 46(2) in a post-‘Schrems II’ world, the CoC might become interesting in its own right. At the same time, it still leaves us with the same question as the SCC upheld by the CJEU: how can a formal legal mechanism remediate inadequate privacy practices in a third country?

After the Privacy Shield (PS) invalidation, the suggestion to migrate to the SCC to continue EU-US data transfers looks weird, because a formal change of the underlying legal mechanism actually changes nothing in the defective privacy practices of US intelligence. If we replace the USA with another random third country with similar practices and/or take the CoC instead of the SCC, the conclusion remains the same.

To that end, it is highly questionable whether a CoC can become a ‘window’ to America (as currently expected). At the same time, let us see how this works in real life. Indeed, if the SCC can factually be deemed a proper safeguard instead of PS (despite the conflict with common sense), why can't the CoC?
