Notes from Code of Conduct InfoShare
34 attendees
Q&A:
GDPR is a law – what does the CoCo add?
- GDPR gives extra powers to an approved code of conduct (see slide 5)
Monitoring Body – what should it do and can GÉANT do it?
- A 3-tier model has been planned for the GEANT CoCo:
  - Level 1: CoCo monitor that makes automated technical checks to eduGAIN metadata
  - Level 2: Regular self-assessments carried out by the SP administrators, potentially with an online tool
  - Level 3: Ability to lodge a complaint to the monitoring body
- Outcome of a monitoring failure would be loss of the CoCo tag
What would be the timescale?
- We can only give estimates
- For “option 1”: Non-international could be submitted in Autumn 2020. Likely to take a year or so to pass through Dutch DPA and EDPB.
- For “option 2”: International transfers could take a few years; we don't know when EDPB will publish the guidelines for international transfers.
What about the non-EU if we go ahead with “option 1”?
- Can we have a best practice for non-EU and approved “official” for EU?
- Yes, but only approved codes provide appropriate safeguards for international transfers
Can we apply pressure to move faster?
- Unlikely unless this comes from the EC.
Summary of the preferred options, from people who expressed their opinion during the InfoShare:
- Option 1 was the preferred one for four persons.
- On the question by Nicole if people felt that “option 1” should not be taken, nobody came forward.
Comments from the chat:
10:22:42 From *** : Question: any idea when those guidelines will become available ?
10:23:56 From *** : Did your answer get an answer?
10:24:16 From *** : kind of :)
10:25:14 From *** : I think a CoCo *with* a blessing from the official authorities would really add some value. So stopping is not a good idea IMO.
10:25:30 From *** : I agree with *** on this
10:25:54 From *** : +1
10:26:16 From ***: Since a lot of work has already been done and it's unclear when those guidelines would become available, I would be in favour of option 1. It's really unfortunate for all non-EU SPs :(
10:26:46 From ***: Option 3: ‘publish the current CoCo t’ =that is the updated version isn’t it?
10:26:56 From ***: I would also opt to proceed with the blessing of the official authorities. So option 1
10:27:39 From ***: Option 2 could take long
10:27:41 From ***: Question: any idea what a monitoring body should actually do? Is GEANT up for that task?
10:31:09 From ***: thanks :)
10:31:17 From ***: Also think Option 1 is the best. If there is a commitment to update the new version as soon as guidelines etc. are ready, option 1 is not worse for Non-EU SPs than option 2...
10:35:03 From ***: Are there any direct effects of applying option 1 on non EU members?
10:36:30 From ***: I guess independent entities (approved by the monitoring body) should be able to perform compliance audits, to give a level of trust to this attachment
10:37:02 From ***: Could CoCo v1 and v2 co-exist for this interim period?
10:37:35 From ***: Was thinking about that too
10:41:49 From ***: UKf has a few Eps with code-of-conduct & there’s no guarantee we’ll have data adequacy agreement post-brexit
10:44:58 From ***: Thank you for the good presentation!
10:45:26 From ***: Excellent presentation - very clear, thanks !
10:45:37 From ***: Thanks all
10:45:37 From ***: Thanks Mikael and Nicole
10:45:39 From ***: Thank you, very interesting!
10:45:39 From ***: Thanks!
10:45:41 From ***: Thanks!
10:45:44 From ***: Thank you!
10:45:44 From ***: Thanks all