The EU General Data Protection Regulation has given a new impetus to codes of conduct. According to Article 40, “Associations and representative bodies may prepare codes for approval, registration and publication by a supervisory authority, or where processing activities take place across member states, by the European Data Protection Board. The EU Commission may declare codes recommended by EDPB to have general validity within the EU."

But what are the big benefits of codes over certification? How will they work, and who is most in need of them? All these questions have only started to be thrashed out in the first six months since the GDPR came into effect.

“A code of conduct is almost by definition sectorial,” explained Kristof Van Quathem, special counsel, Covington & Burling. “Specifically, a code that works well for a sector is one that addresses specific concerns or practices of that sector in order to make it GDPR compliant. The health sector, the financial sector, some parts of the service sector, direct marketing sectors — essentially areas that are very exposed to data protection law — would all benefit. Those whose work with personal data is basically their lifeblood."

“A code helps to narrow down what the law means for an industry,” added Géraldine Proust, EU affairs manager, Federation of European Direct and Interactive Marketing, the only organization to have a code approved on e-commerce and interactive marketing under the old regime, pre-GDPR. “Codes can provide a practical guidance in clear and simple terms with examples taken from our industry on how the GDPR applies. Codes are particularly relevant for SMEs, who are searching to do the right thing and sustain consumer trust,” she continued.

Kim Smouter-Umans, head of public affairs and professional standards at ESOMAR, said that certification and codes of conduct “can be quite complementary, but the process of establishing a code is different because it requires consultation with a significant number of stakeholders, and there's scrutiny.

"A lot of the sectors that have potential derogations or a national variation seem quite interested in codes of conduct," he said. "I think you really see that it's in sectors where the GDPR hasn't been very precise and has left lots of room for interpretation,” he continued.

So who are the key stakeholders?

"From FEDMA’s experience, regulator support is extremely important. We hope and encourage DPAs to provide face-to-face meetings with authors of codes," said Proust. "Once the draft code is considered admissible, the organizations need to work as directly as possible with the EDPB. Expected EDPB guidance on codes will help us know what the process is and will streamline the process (for example, by avoiding the addition of new steps once the procedure is started). With the GDPR, the European Commission can now give a code general validity. This is a new dimension where further information would also be welcome. Self-regulation also requires industry support,” said Proust.

Smouter-Umans agrees that regulators will be important stakeholders "because they will more or less define what the minimal societal expectation might be. And of course they'll be your regulator in terms of implementing and enforcing the code of conduct moving forward.”

But in terms of the other stakeholders, is there a risk that codes of conduct will be driven by the bigger players, and smaller organizations or even civil society won’t have as much sway?

“I think that the risk is definitely there," said Smouter-Umans. "And I think that the way you counterbalance that is by having a fairly robust, fair and democratic consultative process so that all the players have enough place to express their wishes and to be able to influence the final outcome. I think it should be an approach where none of them can individually block the whole process moving forward."

Van Quathem said someone has to take the lead to get things done and prepare the code of conduct itself. "You need a sector that has a certain organization behind it to bring these stakeholders together to align on a code that they can live with, and then present it to the authorities for approval.”

But will there be competition between codes within sectors, or is it likely that organization will pan out in reality?

Smouter-Umans said perhaps one code will become sort of the de facto standard, but, "the risk of fragmentation is very real, and I think is already under way. There's going to be competition I think between different sectoral associations, but hopefully they they have the wisdom to try to come up with just one code for each sector. But we are already seeing a potential conflict between a national code and a European code. And in certain sectors you might have different national codes which undermines a bit the objective of GDPR. There are already plenty of examples where GDPR is looking more and more like a directive by the day, and I'm concerned that potentially codes of conduct would be another place where this might happen.”

Van Quathem added that he hopes codes will be more successful under the GDPR than its predecessor.

“The concept of codes of conduct was already in the directive, but it wasn't a big success," he said. "The hope is that under the GDPR it will be more successful because it's more developed as a concept. There's a clear procedure for its adoption. There's also language in the GDPR saying that regulators should encourage the adoption of a code, so you would hope that there is a positive vibe around because of that.”

However, he added, in the past, regulators haven't been keen to approve them. He noted a mobile health code that went nowhere after the regulator indicated it wasn't up to par.

"So the expectations appeared to be quite high. There’s a bit of concern that with codes of conduct [that] the expectation will be to increase protection even beyond GDPR rather than making the GDPR operational. These are two different things," he said. "You can increase protection by making it easier to comply with the GDPR. Or you can increase protection by increasing the burden and increasing the standard. In my mind, the code of conduct should do the first – it should make it easier to comply with existing standards."

So when will a stable status quo emerge?

“It's really hard to say,” said Van Quathem. “I think the first one will have the hardest time. The timing will also depend on the sector, as some sectors are more sensitive or more complicated than others, so will take more time internally to align everyone, let alone negotiate with the regulators.”

“GDPR codes of conduct may take some time, agreed Proust. “Many stakeholders wish for codes immediately. However, the success of code also lies in the procedure itself, ensuring an open and trusted dialogue between DPAs and the industry. This dialogue can in turn support consistent pan-European interpretation on the GDPR,” she explained.

photo credit: Binary code via photopin (license)