Should there ideally be a Pan-European accreditation for "privacy seal" providers when the EU General Data Protection Regulation comes into effect? One such provider, EuroPriSe, thinks so.
Articles 42 and 43 of the GDPR introduce official recognition for "certification bodies" that issue seals and marks to companies so that they can demonstrate their adherence to EU privacy standards. These certification bodies must themselves be accredited. Per the EU legislation, this must come either from a competent data protection authority, the national accreditation body in the relevant country, or a combination of the two. However, there are as yet no official guidelines on how the accreditation will work in practice or how widely it will be recognized.
According to EuroPriSe, a privacy seal provider that spun out of the data protection authority of Germany's Schleswig-Holstein state a few years ago, the industry is eagerly waiting for guidance to emanate from the Article 29 Working Party of EU data protection authorities later this year.
"For us, it's not a very nice situation, because we have quite some demand already for certification under the GDPR, with customers asking all the time when we will be able to provide this," EuroPriSe Chief Sebastian Meissner said. "We can tell them we are in contact with all the players out there, but there is nothing final to be announced at this point."
Ideally, Meissner said, accreditation should come from the European Data Protection Board — the entity that will supersede the Article 29 Working Party. "The law does not directly say the board can accredit … but it says the board can come up with criteria for accreditation," he said. "We have to wait and see whether the board says [it] can accredit or whether it will be a route of mutual recognition. In my opinion, it only makes sense if a seal is valid throughout the EU because this is what the GDPR is about.
"We think the only useful approach is to go for some kind of EU baseline certification that is to be observed by all certification bodies."
Meissner also pointed out that the European Commission "would have the power to intervene here" by issuing a delegated and implementing act on the matter. The Privacy Advisor has asked the commission's justice directorate whether it is considering such a move but had not received an answer at the time of writing.
Without a harmonized approach, Meissner suggested, fragmentation is a threat. This seems apparent even when considering the German-speaking market. Meissner noted that accreditation in Germany was slated to come from a collaboration of local data protection authorities and the country's national accreditation body, DAkkS, whereas in Austria it would be down to the national data protection authority. "In my opinion, it's not good to have different approaches, but it is a fact that the GDPR gives leeway on this matter to the member states," he said.
The companies pitching privacy seals say the seals could demonstrate good intent on the certified company's part, as seal providers conduct audits of their customers and withdraw their seals if they misbehave.
"When a data protection authority considers fining a company, the GDPR says a seal can be considered. Probably, if [the violation] is not about malicious intent, then a seal will be considered a positive," Meissner said.
"There are several legal incentives," he added. "You can use that as an element for demonstrating compliance, and also in the fine context, a seal can provide a legal ground for a third-country transfer together with some binding commitments by the company that wants to go for the seal [and] is located outside the EU."
However, companies considering seals and similar certifications will want to know how far their reach really goes. With the current uncertainty over how accreditation will work — and the fact that no certifying body can be accredited before the GDPR comes into effect on May 25, 2018, anyway — the pitches of EuroPriSe and its competitors will remain frustratingly incomplete for the time being.