An article by Claus-Dieter Ulmer, Global Data Privacy Officer and Senior Vice President Group Privacy.
The EU cloud Code of Conduct is synonymous with something essential, namely nothing less than Europe's digital sovereignty in cloud services. By this we mean complete control over stored and processed data, as well as independent decisions about who may access it. The prerequisite for this is clear rules and specifications. These are provided by the EU Cloud Code of Conduct (EU Cloud CoC). The European data protection supervisory authorities have authorized these rules of conduct. By signing the code, the signatory companies, including Deutsche Telekom, undertake to increase the level of data protection for cloud services. Here, too, the basis is the General Data Protection Regulation (GDPR). By signing the EU Cloud CoC, the signatory companies provide proof that they process data in accordance with the requirements of the GDPR. Compliance with the rules is verified by an independent body.
Another component of digital sovereignty is the Gaia-X project, of which Deutsche Telekom is a founding member. The goal is an open and transparent digital ecosystem in which data and services can be made available, merged, shared and used in a trustworthy manner. Gaia-X also addresses technology sovereignty, which is intended to reduce dependence on non-EU platforms. In order to meet this demand and the data protection requirements of Gaia-X, recognized standards, through which members can demonstrate their "compliance", will also play a decisive role under Gaia-X. One of these recognized standards is the EU Cloud CoC.
EU Cloud of Conduct complements other voluntary commitments
In addition to the EU Cloud CoC, there is the Cloud Infrastructure Services Providers in Europe, or CISPE. This is also a standard recognized by the European data protection supervisory authorities. This standard carries its content in its name, focusing on cloud infrastructure services. The EU Cloud CoC goes much further. It covers all types of offerings in the area of cloud computing. This fits much better with our cloud offerings and ensures a comprehensive view.
All the initiatives mentioned meet specific requirements and have their purpose. The EU Cloud CoC is an important building block for European digital sovereignty. This and Gaia-X are two sides of the same coin, complement each other and pay towards the same goal: secure, trustworthy and self-determined data processing, verifiable through Code of Conducts. For example, the "Auditor" initiative is a German research project with the participation of the Ministry of Economics. It aims to certify cloud products with a seal of approval on the basis of the General Data Protection Regulation. Unfortunately, the data protection authority of the German state of North Rhine-Westphalia and subsequently the European supervisory authority have yet to approve this project. I am therefore all the more pleased that we now have the EU Cloud CoC, which also includes an audit.
Benefits of the EU Cloud of Conduct for customerd and companies
Processing data in the cloud is not only about attractive services, but also about trust. We can thus make trust tangible and prove it After all, others are literally entrusting us with their data. They naturally want to know in advance whether this trust is justified. The commitment to the EU Cloud CoC documents that we mean business. We don't just claim to offer DSGVO-compliant cloud services, but we commit to audited, traceable rules, compliance with which is also independently verified.
The EU Cloud CoC helps build European solutions and thus strengthens trust in cloud solutions offered in Europe. Anyone who commits to these standards is committing to the European specifications. I'll mention Gaia-X again here. This is also an active step towards meeting the high requirements of the European Court of Justice (ECJ) for processing data outside the EU. The ECJ ruling is known as the Schrems II decision.
Perhaps another interesting aspect. The EU Cloud CoC is currently working on a further module to regulate data processing outside the EU. This would then be a further catalog of criteria that explicitly specifies the obligations from the GDPR and the ECJ ruling on Schrems II.
Finally, there remains the question of effectiveness, i.e., at what point does our commitment start to have a positive impact? A famous phrase comes to mind, loosely based on Günther Schabowski's 1989 comment on the new GDR Travel Act: "To the best of my knowledge - that's immediately, without delay."
