While many aspects of the European Union's General Data Protection Regulation (GDPR) have been thoroughly investigated, codes of conduct remain under-researched. As corporate actors and regulatory authorities ramp up their use of them, this academic lacuna urgently needs to be addressed.

By Carl Vander Maelen
There has been a flurry of activity regarding GDPR codes of conduct, which are found in articles 40-41 of the Regulation. In May 2021, the European Data Protection Board (EDPB) approved the first two transnational codes: the 'EU Data Protection Code of Conduct for Cloud Service Providers' (hereafter: EU Cloud Code) and the 'European Code of Conduct for Cloud Infrastructure Providers' (hereafter: CISPE Code), through Opinions 16/2021 and 17/2021 respectively. Additionally, the EDPB has provided important guidance to both corporate actors and supervisory authorities. 'Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679' clarified many basic concepts. Most recently, in February 2022, 'Guidelines 04/2021 on Codes of Conduct as tools for transfers' were adopted. These enable codes to be used as transfer tools under Chapter V of the GDPR, that is, as a legal basis for data transfers from the EU to third countries or international organisations.
European institutions have also expressed their belief that codes are vital for the GDPR's wellbeing. The European Commission emphasized their importance for transnational sectors and activities, and the 'Multistakeholder Expert Group' on the GDPR singles them out as consistency-boosting instruments. Furthermore, upcoming regulatory proposals by the European Union place a heavy emphasis on the use of codes: articles 35 and 36 of the proposed Digital Services Act and article 69 of the proposed Artificial Intelligence Act both encourage the development of codes of conduct.
But while corporate actors and supervisory authorities are moving ahead with codes, the academic world seems to be lagging behind. There is a need for academic research that studies GDPR codes of conduct from both a theoretical and an empirical perspective in order to understand the important ramifications of these instruments, including in the context of international data transfers.
A need for academic research

Although certification (articles 42-43 GDPR) has received scholarly attention, codes of conduct remain under-researched. This is remarkable, since it is well established in the scholarly literature that the EU employs a multi-level, multi-actor, harmonization-oriented regulatory strategy, making soft law an important aspect of any study of the EU's regulatory clout. This is all the more important when regulating digital spaces, where "states are not able to rely on traditional patterns of territorial sovereignty and depend more strongly on private actors".
EU bodies themselves have stated that codes require further research, in particular regarding their territorial features. The EDPB remarked that codes may have an impact on "the level of protection which the GDPR provides to the wider international community", and the European Commission considers codes one of the "international aspects of the GDPR", since they can serve as a basis for international data transfers.
Part of the difficulty in kickstarting academic research on GDPR codes is that there is little to no work on codes of conduct under the 1995 Data Protection Directive (the GDPR's predecessor) either. The only relevant material consists of general reports and reviews of the Directive, in which codes of conduct are given only a cursory glance. Codes under the GDPR have likewise received limited analysis by scholars; they are usually discussed in the wider context of self-regulation and co-regulation, without attention to the specific characteristics of codes.
Importance for the European data economy

Additional research into codes is important not only from an academic point of view, but also for the actors 'on the ground'. Engaging in international data transfers is a complex process. If there is no adequacy decision in place, actors are often confronted with a high degree of legal uncertainty. The publication of Guidelines 04/2021 has alleviated this to a large degree where codes of conduct are used, by clarifying the procedures and requirements for relying on codes for international data transfers.
A striking passage in the Guidelines determines that a data transfer on the basis of a code of conduct between a data exporter (i.e. an actor subject to the GDPR) and a data importer (i.e. an actor not subject to the GDPR) can take place as long as the importer adheres to the code. The exporter does not itself need to adhere to the code (see paragraph 7 of Guidelines 04/2021).
This implies that the EDPB not only acknowledges the 'Brussels effect' of the GDPR (and of EU legislation in general) but actively uses the concept to expand the GDPR's sphere of influence beyond the borders of the EU. At the same time, within the EU, the European data economy is granted flexibility by the determination that the exporter does not necessarily need to adhere to the code, although the provisions of the GDPR must of course still be respected. There is therefore no extra 'burden' on actors who are already subject to the GDPR (as determined by the territorial scope of article 3 GDPR) when they engage in data transfers.
An open call for research

Such matters concerning GDPR codes of conduct and their territorial facets raise intriguing research questions, and there are many more equally fascinating aspects to codes. What is the exact relationship between codes as 'secondary' instruments and the GDPR as the 'primary' instrument? Are the interactions between corporate actors and supervisory authorities less tense than under the 1995 Directive? And if other EU legislation seeking to regulate the ICT sector has been described as showcasing 'GDPR mimesis', does this also apply to how those instruments set out codes?
A particular challenge when researching codes, however, is that they are sectoral tools developed in cooperation between industry actors and supervisory authorities. This means that their development, implementation, monitoring and enforcement are shaped by dialectic processes that occur not only during formal, documented procedures, but also during undocumented, formal and informal, interactions.
The motivations, discussions and outcomes of those interactions are vital for reaching sound scientific findings, but capturing them requires a research methodology that goes beyond desk research and the legal doctrinal method. Such research must embrace the methodologies and best practices employed in fields such as anthropology, sociology, political science and economics. Only then will we be able to portray the unique characteristics of GDPR codes of conduct accurately and holistically.
Cover Photo: Alexandre Lallemand / unsplash