Since 2014, the GN4 project has been looking to revise the existing GÉANT Code of Conduct (CoCo) for Service Providers using identity federations. This has become necessary for range of reasons:
- The introduction of the General Data Protection Regulation (GDPR), rendering the current CoCo, which is tied to the Data Protection Directive (directive 95/46/EC), obsolete.
- The desire to extend CoCo beyond the boundaries of Europe.
- The extra powers the GDPR introduces to approved Codes of Conduct.
With this revision, the team had hoped to see version 2 of the Code of Conduct formally approved by the European Data Protection Board (EDPB). The benefits of this would be to:
- contribute to a controller demonstrating proper information security (GDPR Art 24, 28, 32).
- contribute to a controller’s the Data Protection Impact Assessment (GDPR Art 35).
- enable international transfers for controllers (GDPR Art 46). However, the data protection authorities’ guidelines on codes of conduct for international transfers are still pending.
A full history of the “version 2” project can be found on the REFEDS wiki.
After significant efforts, the CoCo project team and the GN4 Trust and Identity Workpackage leaders have decided not to pursue full ratification at this point in time. Version 2 of CoCo will instead be published as a best practice guide for the community, and the team will seek to revoke version 1 of the Code.
This decision has been made for the following reasons:
- There are no guidelines at an EU level of managing a Code of Conduct to support both intra-EU and third country transfers.
- There is no wide experience on requirements for Monitoring Bodies for such codes, specifically around issues such as independence of the body, managing liabilities, and extensiveness of compliance checks.
- The business and financial model for a Code of Conduct with a full supporting Monitoring Body need to be more fully developed and evidenced.
A full position paper has been developed with further information for the community. This decision does not close the door to a future formal approval of the Code of Conduct. The project team will continue to follow progress.
The Code of Conduct team will now be busy modifying the existing CoCo version 2 material to put forward as a best practice for the community, including supporting specifications such as a relevant entity category. We look forward to sharing more information with you all soon.
Questions and comments can be directed to: firstname.lastname@example.org.
About GN4: GN4 is funded to accelerate research, drive innovation and enrich education. As part of the GÉANT 2020 Framework Partnership Agreement (FPA), the project receives funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 856726 (GN4-3).
About REFEDS: REFEDS (Research and Education Federations) is an international community addressing the need of existing and emerging identity federations in the education and research sector worldwide to collaborate on policy issues. REFEDS is funded through the generosity of its sponsors.