While many aspects of the European Union’s General Data Protection Regulation (GDPR) have been thoroughly investigated, codes of conduct remain under-researched. As corporate actors and regulatory authorities ramp up their usage, this academic lacuna needs to be urgently addressed.
By Carl Vander MaelenThere has been a flurry of activity regarding GDPR codes of conduct, which are found in articles 40-41 of the Regulation. In May 2021, the European Data Protection Board (EDPB) approved the first two transnational codes: the ‘EU Data Protection Code of Conduct for Cloud Service Providers’ (hereafter: EU Cloud Code) and the ‘European Code of Conduct for Cloud Infrastructure Providers’ (hereafter: CISPE Code) through respectively Opinions 16/2021 and 17/2021. Additionally, the EDPB has provided important guidance to both corporate actors and supervisory authorities. ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’ clarified many basic concepts. Most recently, in February 2022, ‘Guidelines 04/2021 on Codes of Conduct as tools for transfers’ were adopted. This now enables codes to be used as tools in the context of the GDPR’s Chapter V, enabling data transfers from the EU to third countries or international organisations.
European institutions have also expressed their belief that codes are vital for the GDPR’s wellbeing. The European Commission emphasized their importance for transnational sectors and activities,[1] and the ‘Multistakeholder Expert Group’ to the GDPR singles them out as consistency-boosting instruments.[2] Furthermore, upcoming regulatory proposals by the European Union place a heavy emphasis on the use of codes. Articles 35 and 36 of the proposed Digital Services Act and article 69 of the proposed Artificial Intelligence Act both encourage the development of codes of conduct.
But as corporate actors and supervisory authorities are moving ahead with codes, the academic world seems to be lagging behind. There is a need for academic research that studies GDPR codes of conduct from a theoretic and empirical perspective to understand the important ramifications of these instruments – also in the context of international data transfers.
A need for academic research
Although certification (articles 42-43 GDPR) has received scholarly attention,[3] codes of conduct remain under-researched. This is remarkable, since it has been well-established in scholarly literature that the EU employs a multi-level and multi-actor harmonization-oriented regulatory strategy,[4] making soft law an important aspect of any study relating to the EU’s regulatory clout. This is all the more important when regulating digital spaces where “states are not able to rely on traditional patterns of territorial sovereignty and depend more strongly on private actors”.[5]EU bodies themselves have stated that codes require further research – in particular their territorial features. The EDPB remarked that codes may have an impact on “the level of protection which the GDPR provides to the wider international community”,[6] and the European Commission considers codes one of the “international aspects of the GDPR” since they allow international data transfers.[7]
Part of the difficulty in kickstarting academic research on GDPR codes is that there is little to no work on codes of conduct under the 1995 Data Protection Directive either (the GDPR’s predecessor). The only relevant material consists of general reports and reviews of the Directive, where codes of conduct are only given a cursory glance.[8] Codes under the GDPR have also seen a limited analysis by scholars; they are usually discussed in the larger context of self-regulation and co-regulation without turning attention to codes’ specific characteristics.[9]
Importance for the European data economy
Additional research into codes is not only important from an academic point of view, but also for the actors ‘on the ground’. Engaging in international data transfers is a complex process. If there is no adequacy decision in place, actors are often confronted with a high degree of legal uncertainty. The publication of Guidelines 04/2021 has alleviated this to a large degree when using codes of conduct, clarifying the procedures and requirements to use codes for international data transfers.A striking passage in the Guidelines determines that data transfers on the basis of a code of conduct between a data exporter (i.e. an actor subject to the GDPR) and a data importer (i.e. an actor not subject to the GDPR) can take place as long as the importer adheres to the code. The exporter does not need to adhere to the code (see paragraph 7 of Guidelines 04/2021).
This implies that the EDPB not only acknowledges the ‘Brussels effect’ of the GDPR (and EU legislation in general) but actively uses the concept to expand the GDPR’s sphere of influence beyond the borders of the EU. At the same time, intra-EU, the European data economy is granted flexibility by the determination that the exporter does not necessarily need to adhere to the code – although the provisions of the GDPR must of course be respected. There is therefore no extra ‘burden’ on actors who are already subject to the GDPR (which is determined by the territorial scope of article 3 GDPR) to engage in data transfers.
An open call for research
Such matters on GDPR codes of conduct and their territorial facets raise intriguing research questions, and there are many more equally fascinating aspects to codes. What is the exact relationship between codes as ‘secondary’ instruments to the GDPR as the ‘primary’ instrument? Are the interactions between corporate actors and supervisory authorities less tense than under the 1995 Directive?[10] And if other EU legislation seeking to regulate the ICT sector have been described as showcasing ‘GDPR mimesis’[11] does this also apply to how those instruments set out codes?A particular challenge when researching codes, however, is that they are sectorial tools developed in cooperation between industry actors and supervisory authorities. This means that their development, implementation, monitoring and enforcement is influenced by dialectic processes that not only occur during formal, documented procedures, but also during undocumented (in)formal interactions.[12]
The motivations, discussions and results related to those interactions are vital to come to qualitative scientific findings, but require a research methodology that goes beyond desk research and a legal doctrinal method. Such research must embrace the methodologies and best practices that have been employed in fields such as anthropology, sociology, political sciences, and economics. Only then will we be able to accurately and holistically portray the unique characteristics of GDPR codes of conduct.
[1] European Commission, ‘Commission Staff Working Document Accompanying the Document Communication from the Commission to the European Parliament and the Council: Data Protection as a Pillar of Citizens’ Empowerment and the EU’s Approach to the Digital Transition - Two Years of Application of the General Data Protection Regulation’ (24 June 2020) 25.
[2] Multistakeholder Expert Group to support the application of Regulation (EU) 2016/679, ‘Contribution from the Multistakeholder Expert Group to the Commission 2020 Evaluation of the General Data Protection Regulation (GDPR)’ (17 June 2020) 35.
[3] Irene Kamara, ‘Misaligned Union Laws?: A Comparative Analysis of Certification in the Cybersecurity Act and the General Data Protection Regulation’ in Dara Hallinan, Ronald Leenes and Paul De Hert (eds), Data protection and privacy (Hart Publishing 2021); Eric Lachaud, ‘Adhering to GDPR Codes of Conduct: A Possible Option for SMEs to GDPR Certification’ (2019) 3 Journal of Data Protection & Privacy 1.
[4] Ramses A Wessel and Jan Wouters, ‘The Phenomenon of Multilevel Regulation: Interactions between Global, EU, and National Regulatory Spheres’ (2007) 2 International Organizations Law Review 257.
[5] Oskar Josef Gstrein and Andrej Janko Zwitter, ‘Extraterritorial Application of the GDPR: Promoting European Values or Power?’ (2021) 10 Internet Policy Review 22 <https://policyreview.info/articles/analysis/extraterritorial-application-gdpr-promoting-european-values-or-power> accessed 26 January 2022.
[6] European Data Protection Board, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 - Version 2.0 (Version Adopted after Public Consultation)’ (4 June 2019) 10.
[7] European Commission, ‘Communication: Data Protection as a Pillar of Citizens’ Empowerment and the EU’s Approach to the Digital Transition - Two Years of Application of the General Data Protection Regulation’ (26 June 2020) 11–12.
[8] See: Douwe Korff, ‘EC Study on the Implementation of Data Protection Directive - Report on the Findings of the Study’ (2002); Neil Robinson and others, ‘Review of the European Data Protection Directive’ (RAND Europe 2009); LRDP Kantor Ltd., ‘Comparative Study on Different Approaches to New Privacy Challenges, in Particular in the Light of Technological Developments - Final Report’ (European Commission 2010).
[9] See, for example: Eric Lachaud, ‘Adhering to GDPR Codes of Conduct: A Possible Option for SMEs to GDPR Certification’ (2019) 3 Journal of Data Protection & Privacy 1; Maximilian von Grafenstein, ‘Co-Regulation and the Competitive Advantage in the GDPR: Data Protection Certification Mechanisms, Codes of Conduct and the “State of the Art” of Data Protection-by-Design’ in Gloria González Fuster, Rosamunde Van Brakel and Paul De Hert (eds), Research Handbook on Privacy and Data Protection Law: Values, Norms and Global Politics (Edward Elgar Publishing (forthcoming)) <Electronic copy available at: https://ssrn.com/abstract=3336990>.
[10] Carl Vander Maelen, ‘Codes of (Mis)Conduct? An Appraisal of Articles 40-41 GDPR in View of the 1995 Data Protection Directive and Its Shortcomings’ (2020) 6 European Data Protection Law Review 231.
[11] Vagelis Papakonstantinou and Paul De Hert, ‘Post GDPR EU Laws and Their GDPR Mimesis. DGA, DSA, DMA and the EU Regulation of AI’ (European Law Blog, 1 April 2021) <https://europeanlawblog.eu/2021/04/01/post-gdpr-eu-laws-and-their-gdpr-mimesis-dga-dsa-dma-and-the-eu-regulation-of-ai/> accessed 18 January 2022.
[12] Tim Wu, ‘Agency Threats’ (2011) 60 Duke Law Journal 1841.
__________
Carl Vander Maelen
Cover Photo: Alexandre Lallemand / unsplash
