Without greater clarity, businesses might not be persuaded to engage with certification schemes under the new Regulation, which will apply from 25 May 2018.
The wording of the GDPR on certification scheme obligations and potential sanctions lacks sufficient detail. The new European Data Protection Board (EDPB) and national EU data protection authorities (DPAs) therefore have an important role to play in explaining how things will work in practice. Under the GDPR, the EDPB will act as a committee of representatives of DPAs from across the EU in a similar way to what the Article 29 Working Party does now, only with enhanced duties and powers.
Certification schemes and the GDPR
Basic rules on the establishment and operation of "data protection certification mechanisms and of data protection seals and marks" are set out under the GDPR.
Articles 42 and 43 of the GDPR provide for businesses to be able to voluntarily sign up for certification of their data protection practices. Only DPAs or independent accredited 'certification bodies', which must have "an appropriate level of expertise in relation to data protection", can operate certification schemes.
Where the schemes are run by certification bodies, the criteria for certification must be approved by a national DPA or the EDPB. The "European Data Protection Seal" is the term for certifications under EDPB-approved criteria.
To become accredited, certification bodies would have to show a DPA and/or a national accreditation body that they have put in place certain procedures, which include for handling complaints about non-compliance with conditions of certification and for "issuing, periodic review and withdrawal of data protection certification, seals and marks".
Businesses will be able to obtain certification for a maximum period of three years before they would need to go through a renewal process to remain certified.
The Regulation provides for the potential for the European Commission to set out further details on "the requirements to be taken into account for the data protection certification mechanisms" and on "technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise those certification mechanisms, seals and marks".
Woolly wording and potential sanctions
Under the GDPR, businesses face much stiffer sanctions for breaching EU data protection laws than what can be issued by DPAs currently.
A tiered sanctions regime has been written into the Regulation, which sets a different ceiling on the level of fine that can be issued for non-compliance dependent on what the nature of the breach is.
If data controllers, processors or even certification bodies breach their obligations under Article 42 or Article 43 of the GDPR they could face fines of up to €10m or 2% of their annual global turnover for the preceding financial year, whichever figure is the greater.
This is lower than what businesses could be issued with in other cases – the maximum penalty for non-compliance under GDPR is a fine of up to €20 million or 4% of annual global turnover – but the potential sanctions are nevertheless significant.
While it is clear from the provisions that non-compliance with the GDPR's certification obligations can lead to a fine, it is not clear at all what obligations businesses must adhere to to avoid a fine.
For example, will data controllers or processors face a fine if they obtain a GDPR certification but then breach the certification requirements or conditions? If the answer to that question is meant to be 'yes', it is not clear from the wording of the Regulation.
The only obvious obligation of controllers/processors under Article 42 is that they must provide the certification body with all information and access needed to conduct the certification procedure. They have no obligations under Article 43.
Article 43 is about the criteria and procedure for accrediting certification bodies. The only obvious obligations of certification bodies under that Article are that they "shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification" and notify DPAs of the reasons why they have granted or revoked certifications.
Clarity needed in GDPR guidance
The issue of certification schemes and potential sanctions under GDPR was discussed at a workshop organised by the Article 29 Working Party.
According to notes on the discussions held at the workshop (10-page / 515KB PDF), a question was raised as to what happens if businesses breach conditions of certification. No answer to the question was noted in the document. Instead the notes speculated as to whether a revocation of a business' certification would be "sufficient" where conditions of certification have been breached or whether it should carry with it "some additional sort of sanction such as an administrative fine".
Natural justice demands that the certification-related situations in which fines could be imposed should be defined much more clearly than they have been under the GDPR.
A lack of clarity also puts at risk many of the advantages certification schemes could bring.
In providing for certification schemes under the new Regulation, EU law makers seek to push businesses towards industry or sector-specific best practice frameworks on data protection, with the ultimate aim being to drive improved transparency and compliance with EU data protection law.
The GDPR even states that businesses that sign up to approved certification schemes can point to their certification as evidence demonstrating their compliance with a number of aspects of the Regulation, including ,for controllers, requirements on use of processors and the principle of privacy by design and, for both controllers and processors, the GDPR's security requirements. Also, having a GDPR-approved certification can be a mitigating factor to help reduce or even escape fines.
Businesses also stand to benefit from certification schemes beyond the issue of compliance. This is because they will be able to obtain and point to independent approval of their data protection practices in a world in which trust on privacy is becoming an increasingly important differentiator and vital to a company's brand.
However, the success of certification schemes will depend on their take-up by businesses. Without more detail about what obligations they will face and when potential sanctions could be imposed, businesses are unlikely to be drawn to participate in certification schemes, with take-up likely to be severely limited.
Similarly, if a certification body could be fined for inadequate assessments of applicants, or for ceasing to meet the accreditation conditions, then who would want to be a certification body? Uncertainties also arise with codes of conduct approved under Articles 40 and 41, which the GDPR seeks to encourage alongside certifications. Unlike with GDPR certifications, neither controllers nor processors can be fined for breaching GDPR-approved codes of conduct that they sign up to. However, a body accredited by a national DPA to monitor compliance with an approved code of conduct must take appropriate action on any infringement of the code by a controller or processor, informing the DPA of its actions and reasons. If it doesn't, it could be fined up to the greater of €10m or 2% of its last year's annual global turnover. So again, who would want to be a monitoring body for a code of conduct?
Earlier this year, the Article 29 Working Party - which will become the EDPB - said that it would prioritise the release of guidance on certification under GDPR, along with guidance on a small number of other aspects of the new framework.
To incentivise the take-up of certifications and codes, it is to be hoped that the Working Party guidance will offer the clarity that is needed.
Dr Kuan Hon is a data protection law expert at Pinsent Masons, the law firm behind Out-Law.com.