The new General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations.
Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.
With new obligations on such matters as data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers, to name a few, the GDPR requires companies handling EU citizens’ data to undertake major operational reform.
This is the ninth in a series of articles addressing the top 10 operational impacts of the GDPR.
Codes of Conduct and certifications may provide efficient means to demonstrate compliance
Confirming each data controller’s or processor’s compliance with the GDPR’s many protections for data subjects would exceed the capacity of any regulator. The GDPR therefore endorses the use of codes of conduct and certifications to provide guidance on the GDPR’s requirements, signal to data subjects and regulators that an organization is in compliance with the Regulation, and offer third-party oversight as another check on controllers’ and processors’ data handling practices.
These tools are likely to feature prominently in company plans for legitimate cross-border data transfers. Should they prove effective, moreover, they may underlie global data transfer mechanisms – consistent with systems already used in the U.S. and under the Asia Pacific Economic Cooperative – and lower costs of privacy compliance worldwide.
Codes of conduct and certifications may both be used to demonstrate compliance, but there are subtle differences between them and how the GDPR envisions their deployment. Although codes of conduct were featured in the Directive, they played only a minor role compared to their prominence in the Regulation. Certifications, moreover, are familiar to EU privacy and security regimes, but make their debut in the GDPR as a formal component of data protection regulation.
By officially recognizing these tools, the EU adopts a legal construct more familiar to U.S. privacy law, namely the notion that through regulatory enforcement mechanisms, companies may be held to keep binding promises made to non-governmental third parties. Still, the GDPR maintains a heavy dose of regulatory oversight and guidance into these third-party-managed programs, creating essentially a hybrid co-regulatory public/private system to develop a meaningful, binding and enforceable data protection regime that empowers data subjects, third-party administrators, and regulators alike. Surrounded by these systems, data controllers and processors face opportunities to demonstrate GDPR compliance—as well as potential pitfalls.
Codes of Conduct
- What are codes of conduct under the GDPR?
Articles 40 and 41 are the primary sources of authority for establishing approved codes of conduct to serve as compliance-signaling tools for controllers and processors.
Preliminarily, the Regulation directs data protection regulators at all levels—Member States, supervisory authorities, the European Data Protection Board, and the Commission—to encourage development of codes of conduct to assist with the GDPR’s “proper application.” These codes may be created by the regulators themselves, but the GDPR expressly authorizes “associations or other bodies representing controllers or processors” to draw up codes of conduct or amend existing ones to implement the GDPR’s particular requirements. Such codes should address, among other things:
- Fair and transparent processing.
- The legitimate interests pursued by controllers in specific contexts.
- The collection of personal data.
- The pseudonymisation of personal data.
- The information provided to the public and to data subjects.
- The exercise of the rights of data subjects.
- Information provided to and the protection of children and the manner in which the consent of the holders of parental responsibility over children is to be obtained.
- General data protection obligations of data controllers, including privacy by design and measures to ensure security of processing.
- Notification of personal data breaches to supervisory authorities and communication of such personal data breaches to data subjects.
- Transfer of personal data to third countries or international organizations.
- Out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to the processing, without prejudice to the rights of data subjects.
When private associations prepare codes of conduct or amend existing ones for the purposes of allowing members to indicate GDPR compliance, Recital 99 encourages them to “consult relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations.” A draft code must also be submitted to the appropriate supervisory authority to determine whether it provides “sufficient appropriate safeguards.” When the draft code relates to processing activities in several Member States, the supervisory authority must, before approval, submit it to the European Data Protection Board for an opinion as to the code’s compliance with the Regulation. Thereafter, the European Commission must review it.
Approved codes of conduct will receive publicity from the Commission, and be published in a register created and maintained by the Board.
Up to this point, the procedures in the GDPR are relatively consistent with those of the Directive, which also encouraged preparation and approval of codes of conduct, although the Directive empowered the Article 29 Working Party to approve EU-wide codes.
- In what situations are codes of conduct useful?
The GDPR incorporates codes of conduct into its compliance and enforcement mechanisms more actively than the Directive did. These codes seem particularly well suited to setting forth, and then demonstrating compliance with, measures addressing the security risks associated with data processing.
Recital 77 encourages use of approved codes of conduct by both controllers and processors. These codes may demonstrate that a controller or processor has identified any risk related to data processing; assessed the origin, nature, likelihood, and severity of the risk; and determined how best to mitigate the risk. Article 32 expressly acknowledges adherence to an approved code of conduct as one means for demonstrating compliance with the Regulation’s data security obligations.
Article 24, which sets forth the controller’s primary responsibilities with regard to processing personal data, also encourages codes of conduct to demonstrate GDPR compliance. Article 28 and Recital 81, moreover, expressly provide that a processor’s adherence to an approved code of conduct is “an element to demonstrate compliance” with the controller’s obligations. Processors eager to keep controllers as clients will therefore soon be in the market to join associations maintaining a GDPR-approved code of conduct.
Adherence to these codes can create market efficiencies. The association creating them conducts extensive reviews of any applicant seeking membership or otherwise desiring to claim compliance with the code. This saves a controller, for example, from having to conduct its own review of a potential data processor’s systems. The controller can simply shop for processors who are already deemed to satisfy the code’s requirements, and rely on the association to police the processor’s compliance.
- Cross-border data transfers
Approved codes of conduct will also facilitate cross-border data transfers. Controllers or processors that are not otherwise subject to the GDPR may demonstrate, by adhering to a code of conduct, that they provide appropriate safeguards for personal data transfers to third countries or international organizations.
Under Article 46(2)(e), appropriate safeguards for a controller or processor based outside the EU may include adhering to an approved code of conduct pursuant to Article 30 “together with” making a “binding and enforceable commitment” to comply with the GDPR and respect data subjects’ rights.
The GDPR references the “binding and enforceable” nature of codes of conduct only regarding their use for cross-border transfers. The Regulation does not elaborate, but the analog to this situation is of course Binding Corporate Rules. Controllers adopting BCRs must demonstrate their “bindingness” by creating internal compliance obligations for subsidiaries and employees, establishing third party beneficiary rights for data subjects, accepting liability and submitting to DPA jurisdiction, and confirming sufficient assets to pay damages for a breach.
- How is code of conduct compliance enforced and what are the consequences of non-compliance?
The GDPR’s key breakthrough with regard to codes of conduct is the notion that they can be made binding and enforceable—rather than merely voluntary and self-regulatory.
This is somewhat analogous to how the Federal Trade Commission (FTC) has viewed third party codes of conduct in the United States, such as adherence by online advertisers to the Network Advertising Alliance (NAI) principles. The FTC, pursuant to its authority under Section 5 of the Federal Trade Commission Act, can bring a deception action against a company that self-certifies under the NAI code but fails to comply. For example, the FTC pursued Google for allegedly misrepresenting its compliance with NAI’s code in the “Google Safari Hack” case. The case ultimately resulted in a $22.5 million settlement. The NAI may also refer its members to the FTC if they are in noncompliance with the NAI’s codes.
The GDPR similarly requires that approved codes of conduct must enable “the mandatory monitoring of compliance with its provisions.” The monitoring body must be accredited by the competent supervisory authority, after demonstrating “an appropriate level of expertise in relation to the subject-matter of the code.” Accreditation is available if the body (a) demonstrates “its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority”; (b) “has established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation”; (c) “has established procedures and structures to deal with complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make these procedures and structures transparent to data subjects and the public”; and (d) “demonstrates to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.”
The accredited body shall “take appropriate action” when a controller or processor “infringes” the code of conduct, including suspending or excluding the infringing party from the code. Thereafter the supervising authority must be notified of the infringement proceeding.
Enforcement by the accredited body is “without prejudice to the tasks and powers of the supervisory authority.”
When the accredited body or supervisory authority takes enforcement action over a code of conduct infringement, the enforcer’s interpretation—and not the drafter’s—will prevail. Controllers and processors adhering to an association’s code therefore face a risk that the association’s approval doesn’t guarantee regulatory compliance. NAI, for example, did not bring an enforcement action against Google for violating its standards even though the FTC did.
Membership in an association with an enforceable code of conduct may also generate a one-size-fits-all system not compatible with the GDPR’s aims. For instance, the European Interactive Digital Advertising Alliance allows consumers to click on an icon used by EDAA members and manage their controls for all EDAA members at once. This may allow broader opt-in features than the GDPR approves. Then again it may conveniently suit a data subject’s preferences and foster efficiency.
A supervisory authority can weigh code of conduct adherence in assessing the amount of an administrative fine. Article 83(2)(j) suggests compliance with a code of conduct is a mitigating factor, allowing for a lower penalty. Conceivably, however, non-compliance could be an aggravating one.
Pursuant to Article 83(4)(c), moreover, an accredited monitoring body faces fines up to 10,000,000 EUR for failing to “take appropriate action” when a controller or processor infringes a code of conduct.
Certifications/Seals/Marks
- What are certifications under the GDPR?
Certifications are a new feature of formal EU data protection law. Unlike the Directive, the GDPR expressly recognizes certifications (as well as seals and marks) as acceptable mechanisms for demonstrating compliance.
For years, certification marks and seals have served as useful signals for consumers interested in engaging with commercial entities that adhere to certain desirable principles or follow particular manufacturing, harvesting, or sourcing practices. In the food and beverage sector, for example, certifications may indicate “fair trade” or “GMO-free.”
In privacy, the EuroPriSe seal has been the principal European certification under the Directive. It aims to foster consumer trust in information-technology tools and services. Manufacturers and vendors of IT products and services undergo independent evaluation of their data privacy and security practices, following which they are eligible to display the EuroPriSe seal for two years before they must re-apply.
In the United States, TRUSTe provides one example of enterprise-level certification. TRUSTe offers compliance assessments with not only U.S. law but also the Directive, and has provided assistance with “Safe Harbor” self-certification with the U.S. Department of Commerce. It also offers APEC certification.
The GDPR provides, in Article 42, that Member States, supervisory authorities, the Board, and the Commission shall all “encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.”
Controllers and processors outside the EU engaging in international personal data transfers may also use such certifications, seals or marks to demonstrate GDPR compliance. As with codes of conduct, non-EU controllers and processors must also make “binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including as regards data subjects’ rights.” This is reinforced under Article 46(f), which provides that compliant cross-border data transfers may involve an approved certification mechanism but must also involve binding and enforceable commitments “in the third country.”
Certifications “shall be voluntary and available via a process that is transparent,” and do not serve to “reduce the responsibility of the controller or the processor for compliance” with the GDPR.
Certifications may be issued by either an accredited certification body, “the competent supervisory authority” on the basis of criteria it establishes, or by the Board, which may create a “common certification—the European Data Protection Seal.” It will be interesting to see whether controllers and processors favor government-sponsored certifications over private ones.
Accreditation is available to a certification body under Article 43 only if it: (a) demonstrates its “independence and expertise in relation to the subject-matter of the certification to the satisfaction of the competent supervisory authority”; (b) undertakes “to respect the criteria referred to in Article 42(5) and approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63”; (c) establishes “procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks”; (d) establishes “procedures and structures to handle complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public”; and (e) demonstrates “to the satisfaction of the competent supervisory authority that [its] tasks and duties do not result in a conflict of interests.”
Accreditation is good for up to five years and may be renewed if the accrediting body maintains compliance with these standards.
Accrediting authority is granted at multiple regulatory levels. Supervisory authorities may create standards, and grant and withdraw accreditation, for certification bodies within their territories. The Board is also empowered to accredit certification bodies and maintain a register of accredited bodies.
When a certification body, supervisory authority, or the Board awards certification, it lasts for no more than three years, at which time it may be renewed if the conditions and requirements are still met. Certification shall be withdrawn by the issuing body where the controller or processor no longer meets the requirements.
The GDPR directs the Board to “collect all certification mechanisms and data protection seals and marks in a register and … make them publicly available through any appropriate means.”
- In what situations are certifications useful?
Certifications assist controllers and processors in all the situations codes of conduct do. In addition, certifications, unlike codes of conduct, may be used to demonstrate compliance with Article 25, which governs data protection by design and by default.
According to Article 25(1), data controllers are obliged to implement “appropriate technical and organisational measures, such as pseudonymisation” designed to “integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.” Under Article 25(2), a controller “shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.” Approved certification mechanisms may be used to demonstrate compliance with both of these provisions.
- How is compliance with a certification enforced, and what are the consequences of non-compliance?
An accredited certification body is responsible for “proper assessment” leading to granting certification, and likewise leading to its withdrawal in the event of noncompliance. The body must inform the supervisory authority, and provide reasons, when it grants or withdraws certification from a controller or processor.
As with codes of conduct, award of certification by an accredited body is a factor to be considered in assessing an administrative fine. Article 83(2)(j) suggests certification adherence is a mitigating factor useful to limiting such fines.
Accredited certification bodies that violate their duties under the GDPR are subject to penalties up to 10,000,000 EUR.
Conclusion
The GDPR’s adoption of codes of conduct and certification mechanisms is a welcome development for controllers and processors seeking efficient means for compliance. There are of course upfront administrative burdens of establishing and maintaining compliance with a code of conduct or earning certification status. But these costs are offset by the ease of finding compliant processors, for example, via screening for those adhering to a code or displaying a certification seal. The codes and certifications also may serve as marketing tools, allowing data subjects to choose controllers signaling GDPR compliance via their membership in associations or their certified status. They also will likely play a significant role in facilitating cross-border data transfers.
The GDPR’s code of conduct and certification mechanisms create business opportunities for new third party administrators to establish membership associations or become accredited certification or enforcement bodies. They also represent acknowledgment that such third-party programs can be effective means for establishing binding promises by controllers and processors that regulators can enforce, consistent with regimes familiar to those operating in the US or under the APEC privacy framework. Globally consistent and familiar privacy regimes could ultimately improve the ease of legal compliance and in so doing lower compliance costs.