Non-personal data: economic value, security, and portability. Codes of conduct and certifications
Data is a key priority for the European Union for economic growth and the development of the digital economy. Cloud services are the central means of storing and sharing data and of extracting economic value from it.
In this sense, Article 6 of the Non-Personal Data Regulation (EU) 2018/1807 promotes the development of self-regulatory codes (also called codes of conduct), in order to “contribute to a competitive data economy, based on the principles of transparency and interoperability (...)”.
For this purpose, in the context of non-personal data portability, the European Commission has set the following objectives:
- reduce the risk of vendor lock-in,
- make the European market for cloud services more fluid,
- enable small companies and new market entrants to compete in this field as well,
- identify minimum information requirements, thereby increasing the trust of customers of cloud services,
- promote approaches to certification systems, quality management, information security, business continuity, and environmental management.
In particular, the European Commission has established two working groups, one for the development of self-regulatory codes and one for the development of security certification of cloud services:
- SWIPO Working Group - Switching from Provider and Porting non-personal data
- CSPCERT WG - Cloud Service Provider Certification Working Group.
SWIPO Working Group
The SWIPO AISBL group is a multi-stakeholder association of Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs).
After two years of work, the SWIPO group announced the publication of two codes of conduct: one on data portability and one on Cloud switching, resulting in a total of twenty-one declarations of adherence by Cloud service providers, as highlighted in an article of 12 May 2021 published on swipo.eu.
Specifically, the topic of portability is addressed in the Infrastructure as a Service (IaaS) Cloud Services Code and that of cloud switching in the Software as a Service (SaaS) Cloud Services Code. Both were first presented at the Data Economy Conference held in Helsinki at the end of 2019, to provide voluntary guidance for cloud providers and cloud customers, and especially to facilitate greater data flow and portability in compliance with the Non-Personal Data Regulation.
Both Codes envisage adherence by industry players on a completely voluntary basis and do not replace the “Cloud service agreement” (CSA), the formal agreement between the cloud service provider and the customer that defines how the cloud service will be provided.
On April 12, 2022, at the Eurelectric meeting on the topic of the electricity sector on the cloud, Mr. Aniello Gentile (from ENEL), a member of the SWIPO AISBL Executive Committee, analysed the benefits of the SWIPO Codes of Conduct for electricity companies.
During this session, the SWIPO Codes of Conduct were presented as a very effective solution for reducing lock-in risks in the adoption of cloud services.
CSPCERT Working Group
The CSPCERT group was created to develop a European Cloud certification scheme in the context of the Cybersecurity Act and to provide the European Commission and ENISA (European Union Agency for Cybersecurity) with a set of recommendations to be considered when implementing the Cloud certification scheme.
The idea behind the certification of cloud services is not to propose a completely new model to the European Commission, but rather to provide a scheme based on practices and standards that already exist and are used in the sector.
The final proposal drafted by the CSPCERT WG was finalised on 7 June 2019 and subsequently submitted to the European Commission and ENISA on the following 12 and 13 June.
The final text presented by the working group contains “recommendations for the implementation of the CSP certification scheme” and can be divided into three main documents:
- The first document analyses the elaboration of the security objectives that a Europe-wide certification scheme must include. These security objectives are based on an analysis of existing standards, systems, and good practices;
- The second document deals with the comparative analysis of the most relevant conformity assessment methodologies, their approaches, and distinguishing features;
- Finally, the third document builds on the previous two and on the results of the open consultation held in January and February 2019, and provides additional content in the form of recommendations for the European Commission and ENISA. Among the CSPCERT WG's general recommendations to the European Commission, the following stand out:
- include the development of an EU-wide cloud security certification scheme in the EU rolling work programme for European cybersecurity certification under the Cybersecurity Act;
- request ENISA to prepare a scheme based on the proposal submitted by the working group, as part of the execution of this Union rolling work programme.
In conclusion, as stipulated in the European Non-Personal Data Regulation, the European Commission will assess the impact and effective implementation of the codes of conduct by 29 November 2022. This evaluation will focus in particular on the effects that the codes developed by the SWIPO working group have on the fluidity and competitiveness of the cloud market, and, for the CSPCERT working group, on the precise coordination with cybersecurity law.