The EU is moving ever closer to having a widely recognized privacy seal scheme – or rather, several of them – for web services.
EuroPriSe is a company that spun out of the data protection authority of Germany's Schleswig-Holstein state a few years back, with funding from the European Commission. It's pushing to expand its scope across the EU and beyond, and last month it started offering website operators a privacy seal indicating to the world that they stick to EU data protection law.
This follows on from EuroPriSe's certification program for products and services, which has been in operation for around a decade. The new scheme is supposed to also target small- and medium-sized businesses, costing €10,000 ($11,300) for a seal that's valid for two years.
Like EuroPriSe's costlier service, the new program sees a team of legal and technical experts (around 100 of them, across 18 countries including the U.S.) conduct evaluations to check out websites' practices. They focus on the interactions between the website users and the site, said EuroPriSe's Sebastian Meissner, looking at things like cookies and social plugins.
EuroPriSe is hoping to overcome the traditional weakness of privacy seal schemes, which is that they tend to certify an organization at a certain point in time, then not take account of changes to its practices.
"Seal holders are obliged to inform us of any changes," said Meissner, adding that EuroPriSe's experts would do spot-checks to see if websites' practices have changed. If EuroPriSe is informed of changes during a website's two-year certification period, "early recertification is required." If they intentionally breach the system, EuroPriSe can withdraw the seal.
"If they really misbehave, we do not accept them as our customer anymore," Meissner said.
EuroPriSe's seal indicates its validity period and a unique number, and users will be able to click through to learn more about what the website gets up to. However, it does not include very much information in the seal itself.
Around the same time as EuroPriSe launched its scheme, the U.K.'s House of Lords said in a report about platforms that privacy seals were a good idea, as they would help organizations "give consumers confidence that they comply with data protection rules."
The report suggested that the U.K. Information Commissioner's Office and the government should work with the European Commission to develop a privacy seal or kitemark scheme that incorporates a traffic-light-style graded scale, to indicate levels of data protection.
The ICO is already working on the idea, and has indeed been doing so for the last few years. This would not involve the ICO itself issuing seals – rather, it would certify third-party operators to do so.
When asked about progress, the commissioner's office did not indicate any great leaps forward had been made, but did suggest that the EU General Data Protection Regulation's encouragement for such schemes had been helpful.
"The ICO continues to work on its Privacy Seals project," a spokesperson said via email. "We have covered a lot of ground from identifying a sound legal basis that will ensure our regulatory independence through to the types of seal marks that would gain most recognition by the public. But there is still more work to do to draw these component parts together and make sure that the privacy seals framework delivers in practice.
"The current EU data protection reforms that encourage certification mechanisms and data protection seals and marks show that this is a regulatory incentive whose time has come."
The U.K.'s government-sponsored "Digital Catapult" data-sharing initiative has also been working with the British Standards Institution (BSI) to create an icon scheme that would help organizations convey their privacy policies and practices.
Interestingly, this scheme would not dictate what the icons should look like, but it would say what information needs to be indicated, such as "this service collects personal data but does not disclose it to third parties," and so on.
"We hope an icon, maybe a traffic light, scheme should enhance consumer transparency and choice and thus also improve consumer trust, in digital markets like telecoms, retail and social networking where trust has been damaged by the current miasma of uncertainty around what happens to your privacy online," said Lilian Edwards, the chair of internet governance at Strathclyde University and a consultant to the Digital Catapult.
"It should hopefully be a cheap and quick win-win for both consumers and businesses and we’ll be trialling it with several household name businesses."
Does EuroPriSe intend to incorporate more of a traffic-light-like element to its seal? "It's worth thinking about," said Meissner.
Edwards said the BSI/Digital Catapult initiative was not aligned to the ICO although "we do expect to have ICO representation in the stakeholder group of course." An ICO representative also acts as an observer on EuroPriSe's advisory council, which includes among its members representatives of the Schleswig-Holstein DPA and CNIL, the French DPA – which also has its own privacy seal scheme.
Europe's privacy kitemark scene may be fragmented and in its early stages, but at least the many players are talking to one another. At some point, we may even see seals that Europeans will widely recognize and understand.