Certification and the new General Data Protection Regulation
In less than a month, the long-awaited General Data Protection Regulation starts applying to the EU Member States. While the GDPR follows the rationale, principles, and structure of the previous regime, that is the Data Protection Directive, one cannot but highlight several promising novelties: accountability coupled with elements such as data protection impact assessments and data protection officers, a new European Data Protection Board equipped with legal personality and of course high fines. Certification is among the novelties of the new data protection law. The new Regulation introduces certification mechanisms, seals, and marks in art. 42-43.
What is in there for controllers and processors?
Certification in the GDPR is voluntary. The first question that a controller or processor would ask itself is what is the driver to go through a GDPR certification process and have its processing certified. The GDPR provides two of what we can call as regulated benefits. The first is that certification can play a role in determining fines. A supervisory authority must consider several factors, when deciding whether to impose a fine and the amount of the fine (art. 83). One of those factors is whether the controller or processor under scrutiny has adhered to approved certification mechanisms. By approved mechanisms is meant only the certifications that are in line with the conditions of Art. 42 and 43 GDPR, as explained later in this post. Not any type of certification (e.g. DPO certification) is a mitigating factor for GDPR fines. Thus, adherence to approved certifications is treated as an element of accountability or at least good will from the controller or processor to have its processing audited and go through a thorough certification process.
The second regulated ‘benefit’ is data transfers. Approved certification, together with binding and enforceable commitments, provides a legal basis for transfers of personal data to third countries (art. 46). That is the case only for countries, for which the Commission has not issued an adequacy decision. Apart from these two benefits, certification is usually useful for B2B relationships, as it provides a clear image to the parties of each other’s state. If it is data security related certification for instance, it is important for a controller to know what measures its collaborator controller or processor is taking, and having that confirmed by an independent third party (an accredited certification body). Seals and marks, that is the visual representation of a successful certification process, can also play a role in providing information and transparency to some extent for data subjects. Of course, such role of certification depends on other factors as well, such as the reliability of the seal, the clarity of information, the potential for misconception or fraud etc.
Now, let’s turn to what are the main building blocks of the new certification system in the GDPR.
Building block 1: what is certified and what is the process?
The GDPR provides that a controller or processor can have its processing certified (Art. 42). That means that a company for example can have its data collection and/or storage for instance certified that it complies with a set of criteria, based on the GDPR. The aim of certification is thus not to help controllers or processors comply with the GDPR (although this might be a side-effect of certification in some cases) but to show that they have taken measures to comply with the GDPR, by conforming to GDPR-based criteria.
Regarding the certification process, there are two or three main actors involved: the data protection authority, the data controller or processor (applicant for certification) and the accredited certification body. A certification body is an independent third party organization with expert auditors that assess whether the processing of the applicant conforms to certain pre-determined criteria (approved by the DPA) and grants the certification, together with a seal and/or a mark. The GDPR provides that a national supervisory authority (DPA) can also have that role. In fact, some data protection authorities already offered certification themselves, before the GDPR. The French DPA is a good example. In the cases that an accredited certification body provides the certification services, the DPA still has a role: it has the power to order the certification body not to issue a certification and to withdraw a certification, if the conditions or not or no longer met. Certification is valid for three years. When the European Data Protection Board is involved in the certification process (approves the certification criteria), instead of the national supervisory authorities, then certification is valid at EU level and called European Data Protection Seal.
Building block 2: certifying the certifiers (‘accreditation’)
An important safeguard of the GDPR certification system is the mandatory accreditation of the certification body. Accreditation guarantees that a certification body has the necessary expertise in the field of data protection to provide certification services, and fulfills organizational, due process, and integrity requirements. Among the obligatory elements of accreditation in Art. 43 is complaint procedures, procedures to handle conflicts of interest, period review and withdrawal of issued certifications. The GDPR provides three different models for accreditation and leaves the decision to the Member States on the preferred model in its jurisdiction. Accreditation can be provided by either the supervisory authority, the National Accreditation Body (in collaboration with the supervisory authority), or both. Currently, many MS, including the Netherlands, have opted for the model that involves the National Accreditation Body. Accreditation is issued for five years.
Building block 3: transparency and register-keeping
To address potential concerns relating to lack of transparency and confusion resulting from proliferation of GDPR certifications in the market, the GDPR introduces an obligation for the European Data Protection Board to keep a register with all approved certifications (art. 43) and accredited certification bodies (art. 70). It has also been suggested, to keep a public centralized register also with all granted certifications, so that data subjects and companies can easily verify whether a seal is original and DPA-approved.
The new certification system includes novelties, but also takes on the accumulated experience of established public National Accreditation Bodies, accredited certification bodies (that may have experience in areas such as cloud computing, information security, radio frequency identification and others) and broadly-used technical standards. The regulator calls the existing certification ecosystem to take part in the data protection certification mechanism. To ensure a high level of protection of the data subject rights and safeguard against non-transparent, fraudulent or deceptive cases, the regulator empowers supervisory authorities with significant powers to accredit, approve criteria, issue, review, renew and withdraw certificates. The new system does not come without drawbacks mainly relating to lack of the terms definitions of certifications, seals, and marks, risk of function creep for supervisory authorities, the relationship of national certifications with the European Data Protection Seal, and others. However, as with every new system, its success will only be determined in practice.
Researcher at Tilburg Institute for Law, Technology, and Society at Tilburg University
Fellow at Law, Science, Technology, and Society research group at Vrije Universiteit Brussel
This blog post is based on the publication: Kamara I., De Hert P. (2018) Data protection certification in the EU: Possibilities, Actors and Building Blocks in a reformed landscape, in Rodrigues R. and Papakonstantinou V. (eds) Privacy and Data Protection Seals, T.M.C. Asser Press.
The views expressed in this post are the author’s alone, and do not represent opinions of any employer or contractor, with whom the author collaborates or has collaborated in the past.