
The Privacy Advisor | Europe's privacy seal schemes gradually taking shape


The EU is moving ever closer to having a widely recognized privacy seal scheme – or rather, several of them – for web services.

EuroPriSe is a company that spun out of the data protection authority of Germany's Schleswig-Holstein state a few years back, with funding from the European Commission. It is pushing to expand its scope across the EU and beyond, and last month it started offering website operators a privacy seal that signals to the world that they comply with EU data protection law.

This follows on from EuroPriSe's certification program for products and services, which has been in operation for around a decade. The new scheme is supposed to also target small- and medium-sized businesses, costing €10,000 ($11,300) for a seal that's valid for two years.

Like EuroPriSe's costlier service, the new program has a team of legal and technical experts (around 100 of them, across 18 countries including the U.S.) evaluate websites' practices. They focus on the interactions between website users and the site, said EuroPriSe's Sebastian Meissner, looking at things like cookies and social plugins.

EuroPriSe is hoping to overcome the traditional weakness of privacy seal schemes, which is that they tend to certify an organization at a certain point in time and then fail to take account of later changes to its practices.

"Seal holders are obliged to inform us of any changes," said Meissner, adding that EuroPriSe's experts would do spot-checks to see if websites' practices have changed. If EuroPriSe is informed of changes during a website's two-year certification period, "early recertification is required." If they intentionally breach the system, EuroPriSe can withdraw the seal.

"If they really misbehave, we do not accept them as our customer anymore," Meissner said.

EuroPriSe's seal indicates its validity period and a unique number, and users will be able to click through to learn more about what the website gets up to. However, it does not include very much information in the seal itself.

Around the same time as EuroPriSe launched its scheme, the U.K.'s House of Lords said in a report about platforms that privacy seals were a good idea, as they would help organizations "give consumers confidence that they comply with data protection rules."

The report suggested that the U.K. Information Commissioner's Office and the government should work with the European Commission to develop a privacy seal or kitemark scheme that incorporates a traffic-light-style graded scale, to indicate levels of data protection.

The ICO is already working on the idea, and has indeed been doing so for the last few years. This would not involve the ICO itself issuing seals – rather, it would certify third-party operators to do so.

When asked about progress, the commissioner's office did not indicate any great leaps forward had been made, but did suggest that the EU General Data Protection Regulation's encouragement for such schemes had been helpful.

"The ICO continues to work on its Privacy Seals project," a spokesperson said via email. "We have covered a lot of ground from identifying a sound legal basis that will ensure our regulatory independence through to the types of seal marks that would gain most recognition by the public. But there is still more work to do to draw these component parts together and make sure that the privacy seals framework delivers in practice.

"The current EU data protection reforms that encourage certification mechanisms and data protection seals and marks show that this is a regulatory incentive whose time has come."

The U.K.'s government-sponsored "Digital Catapult" data-sharing initiative has also been working with the British Standards Institution (BSI) to create an icon scheme that would help organizations convey their privacy policies and practices.

Interestingly, this scheme would not dictate what the icons should look like, but it would specify what information needs to be indicated, such as "this service collects personal data but does not disclose it to third parties," and so on.

"We hope an icon, maybe a traffic light, scheme should enhance consumer transparency and choice and thus also improve consumer trust, in digital markets like telecoms, retail and social networking where trust has been damaged by the current miasma of uncertainty around what happens to your privacy online," said Lilian Edwards, the chair of internet governance at Strathclyde University and a consultant to the Digital Catapult.

"It should hopefully be a cheap and quick win-win for both consumers and businesses and we’ll be trialling it with several household name businesses."

Does EuroPriSe intend to incorporate more of a traffic-light-like element into its seal? "It's worth thinking about," said Meissner.

Edwards said the BSI/Digital Catapult initiative was not aligned to the ICO although "we do expect to have ICO representation in the stakeholder group of course." An ICO representative also acts as an observer on EuroPriSe's advisory council, which includes among its members representatives of the Schleswig-Holstein DPA and CNIL, the French DPA – which also has its own privacy seal scheme.

Europe's privacy kitemark scene may be fragmented and in its early stages, but at least the many players are talking to one another. At some point, we may even see seals that Europeans will widely recognize and understand.


4 Comments


  • Martin Hoskins • May 25, 2016
    And how many data controllers are realistically going to spend some €10,000 on a privacy seal that hardly any consumer recognises and will only be valid for 2 years? Get real! There's more chance of the European Courts recognising the validity of model contracts than there is of many organisations spending €10,000 on a privacy seal.
  • Amalia Steiu • May 25, 2016
    I would like to take the broader approach to what the "cost" really provides - what are the benefits? In fact, if you "recalibrate" your privacy program to meet the requirements of EuroPriSe or SOC2 for Privacy, you in fact embed best practices of privacy into the organization. Whether the seal is recognized or not is secondary (in my personal view) - the requirements in the seal are important. The trust your clients will start showing in their dealings with you will be a recognition of your efforts and due diligence to introduce and implement best practices for personal data handling and protection. The cost of hiring someone external to do audits on an ongoing basis far exceeds the listed price in the comment.
  • Andrew Sanderson • May 27, 2016
    Websites are an ongoing building site: PII elements are constantly added and removed. For example: remove the registration form for last month's event; add a new form to capture customer interest in product X. Re-certification after every change? Not with my marketing budget, thanks. Marketers expect the Return on Investment to be a multiple of money spent - I don't see the value. Last but not least, marketing budget is allocated annually; paying in alternate years for a 2-year validity is not a convenient business model.
  • Sheila Dean • Jun 8, 2016
    It's social innovation in its rough stages. It would be great to see a business in the US coordinate a standardized program for consumer grades of privacy. For instance, I think Consumer Reports would have excellent infrastructure to import a grading system for privacy businesses and products, if someone would sell them on the system. In California, they have A - D grades for restaurant health and safety from local government. A = completely above board and D = you take your life into your own hands. The first example is a self-regulatory badge. The second is government notification at work. Consumers benefit from each.