Warning: The Eu Council Is Trying To Undermine Privacy Seals (And Through This, The Full General Information Protection Regulation)
November 27, 2018
Edit
Douwe Korff, Professor of International Law, Associate of Oxford Martin School, University of Oxford, in addition to Visiting Fellow, Yale University (Information Society Project). He helped to constitute the European Privacy Seal (EuroPriSe) scheme discussed inward the text.
I. Introduction
Some people, including myself, believe that goodness privacy seals, managed yesteryear the correct bodies, tin brand a serious contribution to high-level information protection – piece bad seals, issued yesteryear bodies that are to a greater extent than interested inward providing fig-leaves in addition to making money, tin seriously damage information protection. The arrangements for information protection certification inward the novel General Data Protection Regulation (hereafter: “the regulation”) are hence important. The original draft of the regulation, issued yesteryear the Commission inward Jan 2012, only said that certification schemes should live “encouraged” (although it provided for unopen to EU-level harmonisation of the frameworks).
The European Parliament’s amended text is much to a greater extent than ambitious inward this regard and, if adopted, would brand certification schemes both to a greater extent than integrated alongside the full general information protection regime in addition to stronger, also inward damage of ensuring that no seals could live issued inward i Member State that would undermine information protection inward other Member States.
Baca Juga
- Basic Information Protection Principles Inwards The Proposed Information Protection Regulation: Dorsum To The Future?
- Democracy In Addition To Its Discontents: Should The Results Of The European Parliament Elections Lift One's Heed The Adjacent President Of The European Commission?
- Can Thomas Piketty Reform Capitalism In Addition To Republic Inward The European Union?
However, the text begin inward an European Union Council document dated 26 September 2014 in addition to exactly leaked, shows that the Member States are trying to undermine the goodness proposals of Parliament.
At II, I offset briefly begin the problems alongside European privacy seal schemes nether the electrical flow rules. Next, at III, I analyse the relevant provisions inward the different versions of the regulation, adopted yesteryear the Commission, Parliament in addition to the Council. Finally, at IV, I conclude that if the Council text were to live adopted, the provisions on seals could move a Trojan Horse that could seriously undermine the inward regulation strong information protection regime inward the regulation (pace other watering-down attempts yesteryear the Council). This depository fiscal establishment complaint thus seeks to audio a alarm to those involved inward the upcoming trilateral negotiations on the regulation text, non to allow such a unsafe scheme (or rather, an ill-defined miscellany of schemes) to sideslip in.
II. Data protection seals in addition to the 1995 Data Protection Directive
There is no explicit provision on information protection- or privacy seals or certification schemes inward the top dog EC information protection directive (Directive 95/46/EC, hereafter “the directive”), although other self-regulatory mechanisms, such equally codes of bear in addition to contractual arrangements are encouraged nether it (see Art. 27 re codes; Art. 26(2) re “appropriate contractual clauses”). Nevertheless, the European Commission has inward practise encouraged the establishment of seals, inward particular yesteryear supporting the establishment of the “European Privacy Seal” (EuroPriSe) scheme nether an “e-TEN” programme; this was until of late operated yesteryear the information protection authorization of the German linguistic communication Land of Schleswig-Holstein, the Independent Centre for Privacy Protection (or ULD after its German linguistic communication initials), but has of late been passed on to a private German linguistic communication company, 2B.[1] The French information protection authority, CNIL, has also established a certification scheme, nether which controllers tin certify that they run across sure CNIL-specified criteria (but so far solely inward relation to privacy training, information protection audit, in addition to i product: cloud computing).[2]
This is non the house to evaluate these, or other, existing information protection- or privacy certification/seal systems.[3] Suffice it to depository fiscal establishment complaint that these schemes are limited inward their potential yesteryear iii factors inward particular:
- because the directive is withal implemented inward greatly divergent ways inward the Member States, a seal that certifies compliance alongside the standards begin inward the directive (such equally EuroPriSe) cannot guarantee that the certified production or service also complies alongside all the idiosyncracies of all the 30-odd national laws (some of which, inward unopen to respects, are non inward accordance alongside the directive); piece a seal that certifies compliance alongside i national police clit (such equally the CNIL’s Labels) does non guarantee compliance alongside the other laws (or necessarily alongside the directive);
- the electrical flow European rules make non afford seal holders whatever important commercial advantage, beyond demonstrating that a companionship is serious well-nigh its information protection compliance;[4] and
- serious seals (like EuroPriSe) are quite expensive inward damage of costs of experts inward particular, in addition to highly demanding inward fourth dimension in addition to effort on the component of the seal applicant.
Because of these factors, the uptake on the EuroPriSe in addition to CNIL-seals has been really limited and, indeed, disappointing.[5]
In short: privacy seals/certification schemes take maintain the potential to trim down regulatory in addition to enforcement burdens on supervisory authorities, create consumer- in addition to business-to-business trust in addition to confidence through improve information in addition to greater transparency in addition to reliable assurances from competent, respected bodies, in addition to facilitate merchandise (e.g., yesteryear providing the kinds of safeguards in addition to guarantees that the legal rules require inward sure respects, but make non ever spell out, e.g., equally regards processors, information transfers, or cloud computing). However, to appointment that potential has non been realised.
III. Data protection seals in addition to the draft General Data Protection Regulation
The adoption of a regulation to supersede the directive volition ameliorate the offset of the above-mentioned problems yesteryear its really nature: inward stead of 30-odd withal widely varying national laws transposing the directive inward different ways in addition to to different extents, in that location volition now, at to the lowest degree inward theory, live i set of direct applicable rules, begin inward the regulation. However, the regulation is withal replete alongside quite vague damage (“fair”, “adequate”, “necessary”, etc.), in addition to many terms, including pith definitions (such equally “personal [=identifiable] data”), withal require interpretation in addition to tin live applied inward different ways inward different contexts. It is hence absolutely crucial, in addition to commendable, that the regulation contains a machinery to ensure unopen cooperation in addition to usual assistance betwixt the national information protection authorities (and betwixt them in addition to the newly-to-be-created European Data Protection Board), in addition to a “consistency mechanism” through which the DPAs in addition to the Commission tin object to interpretations in addition to applications of the provisions inward the regulation yesteryear other DPAs alongside which they disagree, ultimately resulting inward a binding key ruling that must live adhered to yesteryear all.[6] In my opinion, the aim of the regulation – ensuring truthful in addition to total existent harmonisation – stands or falls alongside these mechanisms.
This ought to also apply to seals, if they are to take maintain whatever existent effect – a fortiori inward relation to seals that powerfulness live granted to products or services that are offered (by European or non-European controllers) to European citizens in addition to consumers: it should non live possible for a seal to live issued inward i province for such a product, supposedly certifying that the production meets the requirements of the regulation, without the other countries (and the other countries’ DPAs) agreeing that that certification is justified. Rather, information protection seals should either live issued at the European level, through a key European trunk (at to the lowest degree for products in addition to services that are offered inward to a greater extent than than i Member State, e.g., online), or seals that may live offered at the national grade should live acre of study to the cooperation- in addition to consistency mechanisms (again at to the lowest degree when they relate to products offered inward several European Union states or online).
However, the consistency machinery inward particular tin solely live invoked inward relation to “measures” adopted yesteryear DPAs that take maintain “legal effects” (Art. 58(2), initial sentence). As nosotros shall see, this has of import implications inward relation to seals.
I volition at i time hash out to what extent this is reflected inward the different versions of the regulation.
Certification inward the Commission text
As already noted, the European Commission published the text of the proposed General Data Protection Regulation (GDPR) inward Jan 2012.[7] This text essentially only requires the Member States in addition to the Commission to “encourage, inward particular at European level, the establishment of information protection certification mechanisms in addition to of information protection seals in addition to marks, allowing information subjects to chop-chop assess the grade of information protection provided yesteryear controllers in addition to processors.” (Art. 39(1) Commission text), although it also envisages the adoption, yesteryear the Commission, of “delegated acts” at unopen to hereafter time, “for the role of farther specifying the criteria in addition to requirements for [these] information protection certification mechanisms” (Art. 39(2)); in addition to the issuing yesteryear the Commission of “technical standards for certification mechanisms in addition to information protection seals in addition to marks in addition to mechanisms to promote in addition to recognize certification mechanisms in addition to information protection seals in addition to marks” (Art. 39(3)).
The Commission text does non advert whatever specific, concrete, legally binding consequences of the awarding of seals: equally nether the electrical flow schemes, all they make nether this text would live to render unopen to full general assurance of compliance. Seals would non amount to a finding of compliance alongside whatever “legal effect”. The delegated acts in addition to farther specifications relating to seals, exactly mentioned, would, it would appear, non live able to create such effects.
The “encouragements” in addition to arrangements envisaged inward the Commission text thus autumn considerable curt of the sort of certification/seal schemes I mentioned earlier, that would live acre of study to cooperation in addition to consistency mechanisms.
Certification inward the EP text
The LIBE Commitee of the European Parliament agreed on an amended text inward Oct 2013,[8] in addition to this text was adopted inward March this twelvemonth yesteryear the Parliament equally a whole.[9] The EP text significantly amends the proposal inward honour of certification schemes, in addition to strengthens the seals.
The amended version of the Regulation adopted yesteryear the European Parliament thus, offset of all, stipulates that seals must live issued DPAs:[10]
Any controller or processor may asking any supervisory authority inward the Union, for a reasonable fee taking into employment organisation human relationship the administrative costs, to certify that the processing of personal information is performed inward compliance alongside this Regulation, inward particular alongside the principles begin inward Article 5, 23 in addition to 30, the obligations of the controller in addition to the processor, in addition to the information subject’s rights.
(Article 39(1a) inward the Consolidated LIBE version of the Regulation, emphasis added)
This is non affected yesteryear the stipulation that the basic evaluations needed for the seals may live left to third-party accredited experts or “auditors” (Art. 39(1d) of the EP text): nether the EP text, the seals volition withal take maintain to live issued yesteryear the DPAs, i.e., the DPAs must at to the lowest degree double-check or certify the evaluation reports of the auditors (similar to the way inward which the Schleswig-Holstein DPA, ULD, has until of late certified the European Privacy Seals). This is expressly reaffirmed inward the lastly judgement of Article 39(1d):
The lastly certification shall live provided yesteryear the supervisory authority.
This is of import because, secondly, nether the EP text, seals would also take maintain legal effects inward unopen to regards:
- a seal volition live able to “demonstrate” that a processor offers “sufficient guarantees” inward relation to the processing the processor is asked to undertake, to allow the controller to enlist the processor’s services inward compliance alongside Article 26(1) (see Art. 26(3a) of the EP text);
- in relation of a information transfer to a province without adequate information protection, a seal that covers the relevant processing yesteryear both the controller (the EU-based information exporter) in addition to the recipient (the information importer inward the tertiary country) volition inward itself render “appropriate safeguards” inward honour of the protection of the data; in addition to processing covered yesteryear a seal would thus live allowed without farther ado.
In other words, nether the EP text, a processor who has been issued alongside a seal could non live held to live lacking inward “sufficient guarantees” (at to the lowest degree inward honour of the processing for which the seal was issued, if that did non embrace the processor’s operations generally), equally long equally the processor complied alongside the weather condition etc. provided for in addition to assessed inward the certification process; in addition to transfers of information for which a seal has been issued could non live held to live inward breach of the in-principle prohibition on transfers, at i time contained inward Article 42 of the regulation (unless of class the parties failed to run across the weather condition etc. provided for in addition to assessed inward the certification process). The seals envisaged inward the EP text would thus clearly offering concrete legal benefits to seal-holders.
The EP text adds that:
The supervisory authorities in addition to the European Data Protection Board shall cooperate nether the consistency machinery pursuant to Article 57 to guarantee a harmonised information protection certification machinery including harmonised fees inside the Union.”
(Article 39(1c) EP text);
and that
The Commission shall live empowered to adopt, after requesting an persuasion of the European Data Protection Board in addition to consulting alongside stakeholders, inward particular manufacture in addition to non-governmental organisations, delegated acts inward accordance alongside Article 86 for the role of farther specifying the criteria in addition to requirements for the information protection certification mechanisms referred to inward paragraph 1-1h, including requirements for accreditation of auditors, weather condition for granting in addition to withdrawal, in addition to requirements for recognition inside the Union in addition to inward tertiary countries. These delegated acts shall confer enforceable rights on information subjects.
(Article 39(3) EP text)
However, equally the wording of these provisions brand clear, these harmonising measures relate solely to the parameters in addition to technical details of the certification scheme (similar to the stipulations inward the Commission text, although the EP text rightly allows for improve input from the EDPS in addition to other stakeholders).
It is hence of import to depository fiscal establishment complaint that nether the EP text the actual issuing of a seal yesteryear a DPA would constitute an administrative human activity of such an authority: the issuing of seals is component of each DPA’s brief to implement in addition to apply the Regulation inside their jurisdiction (cf. Art. 53(1)(ia) of the EP text).
This inward plough volition hateful that the cooperation- in addition to consistency mechanisms begin inward Chapter VII of the regulation volition apply to the issuing of private seals. The EP text indeed amends the provisions on these mechanisms in addition to distinguishes betwixt cooperation inward private cases (Arts. 54a, 55 in addition to 56 EP text), consistency inward matters of full general application (Art. 58 EP text), in addition to consistency inward private cases (Art. 58a EP text). This results inward the next scheme:
- In deciding on whether to number a seal inward relation to processing yesteryear a controller who is established inward to a greater extent than than i Member State, or who processes personal information on residents of to a greater extent than than i Member State – i.e., inward relation to whatever cross-border operating company, including particularly companies offering products in addition to services throughout the European Union (and beyond) over the Internet – in that location volition live a demand to offset constitute who is the “lead authority”; in addition to next, that Pb authorization volition live required to consult “all other competent supervisory authorities” on whether or non a seal should live issued (cf. Art. 54a(1) in addition to (2) of the EP text). Those other authorities must in addition to so render “mutual assistance” equally required (Art. 55); in addition to the DPAs may create upwardly one's head to bargain alongside the affair through a “joint operation” (Art. 56);
- At the asking of whatever DPA, the EDPB tin number an persuasion on which DPA should live regarded equally the Pb authority; in addition to inward the end, the EDPB tin create upwardly one's head the affair (Art. 54(3) in addition to (3a) EP text);
- Moreover, since (as exactly shown) nether the EP text seals volition ship sure legal effects, inward particular inward relation to processors in addition to information transfers, the issuing of a seal volition constitute a “measure intended to make legal effects inside the pregnant of Article 54a”. Consequently, inward such cases – i.e., inward casu, inward relation to seals applied for yesteryear cross-border-operating companies in addition to Internet-based companies – the “consistency mechanism” provided for inward Article 58a of the EP text comes into play. Under this mechanism, the relevant Pb authorization must inform the other DPAs of the intended mensurate – i.e., of his intention to number a seal for such a companionship – in addition to the other DPAs tin in addition to so refer the affair to the newly-to-be-created European Data Protection Board, if they take maintain “serious objections” to the measure, i.e., to the seal beingness awarded to the company, service or production inward question.
Clearly, the seals envisaged inward the EP text are much to a greater extent than serious in addition to ship much to a greater extent than weight than the largely unspecified ones that the Commission text “encourages”, inward particular inward relation to cross-border-operating and/or online companies (including non-EU companies): a seal issued nether the EP text to such companies, either without objection from whatever other DPAs than the seal-issuing “lead authority”, or after having gone through the consistency machinery in addition to having been found to live inward accordance alongside the regulation, clearly has strong legitimacy throughout the EU/EEA: it volition really demonstrate total compliance alongside the regulation, throught the EU/EEA, in addition to it volition take maintain the stipulated legal effects throughout the EU/EEA.
The seals envisaged inward the EP text thus address all the issues mentioned before that take maintain to information hampered certification schemes:
- They would convincingly certify compliance alongside the fully harmonised rules inward the regulation; in addition to this would live accepted, or would take maintain to live accepted, yesteryear all DPAs (either because they did non object to the seal beingness issued after having been notified of the intended awarding of the seal, or because the issuing of the seal was ruled to live inward accordance alongside the regulation nether the consistency mechanism);
- The seal would bestow clear in addition to valuable legal in addition to commercial benefits on the seal-holder; and
- This would warrant the costs in addition to effort involved inward obtaining the seal.
Moreover, I believe that such “heavy” seals, thus seriously embedded inward the harmonised European Union rules, would offering truthful assurances to citizens in addition to business, in addition to seriously positively contribute to ensuring information protection at a high level.
In my opinion, the EP text inward this regard thus promises of import benefits to employment organisation in addition to consumers alike.
Certification inward the Council text
On 26 September 2014, a Council document was produced yesteryear the Council information protection committee, DAPIX, that dealt alongside the chapter inward the regulation dealing (inter alia) alongside certification schemes (Chapter IV).[11] This internal, restricted (“Limité) but chop-chop leaked document contains specific texts for the relevant provisions on seals inward the regulation.
Essentially, they demo that the Council wants to turn down the EP proposals for a strong scheme of harmonised, consistent information protection seals alongside existent effects, in addition to to revert dorsum to the vague promisses of “encouragement” inward the Commission text – if anything watering the scheme downwardly fifty-fifty further.
Thus, offset of all, the Council text, similar the Commission text, only calls upon the Member States in addition to the Commission to “encourage” the establishment of information protection certification schemes (while adding the EDPB to the addressees for this call) (Art. 39(1) Council text). The solely departure is that Council text calls for this to live done “in particular at Union level”, where the Commission text referred to “in particular at European level” (idem). Thus, the Council wants to take the EP stipulation that DPAs must (“shall”) implement certification (cf. Art. 52(1)(ja) EP text).
Secondly, nether the Council text seals may live issued either yesteryear a DPA or yesteryear unopen to other “certification body” approved yesteryear an official national accreditation trunk (such equally the U.K. Accreditation Service, UKAS).[12] In other words, nether the Council text, certification schemes could live essentially almost completely “out-sourced” to a trunk other than the national DPA, equally long equally the trunk was accredited (i.e., coming together appropriate organisational in addition to administration in addition to fiscal requirements) in addition to met whatever specific requirements set downwardly yesteryear the DPA (but the assessment of which would also live left to the accreditation body). Specifically, although the relevant DPA would live “provide[d] ... alongside the reasons for granting or withdrawing [a] requested certification” (Art. 39(5) Council text), inward countries that opted for such an out-sourced scheme, the seal would live issued yesteryear the accredited certification body, in addition to non yesteryear the DPA.
Not suprisingly, nether such a scheme, the DPA would non inward whatever way live jump yesteryear the assessment of the certification trunk that the assessed production or service meets the requirements of the regulation: view Article 39(2) Council text, which expressly stipulates that:
A certification ... is without prejudice to the tasks in addition to powers of the [competent] supervisory authority.
There is a proffer to the reverse inward Article 39(1) of the Council text, where this says that
seals or marks may also live established for the role of demonstrating the existence of appropriate safeguards provided yesteryear controllers or processors that are non acre of study to this Regulation (emphasis added)
As nosotros take maintain seen, nether the EP text, seals tin indeed “demonstrate”, inward a legally binding way, that sure requirements of the regulation are met.
However, nether the Council text, seals would non take maintain whatever such existent effects. Rather, seals could exactly live taken into employment organisation human relationship inward assessing compliance. As the Council text puts it explicity inward relation to a diversity of issues, inward identical terms, “An approved certification machinery pursuant to Article 39 may live used equally an chemical constituent to demonstrate compliance” alongside relevant requirements such as: compliance alongside a code of bear (Art. 22(2b) Council text); compliance alongside privacy-by-design in addition to –default requirements (Art. 23(2a)); alongside the requirement of processors to offering “sufficient guarantees” (Art. 26(2aa)); alongside information safety requirements (Art. 30(2a)); in addition to presumably alongside requirements relating to information transfers to countries without adequate protection (but the relevant provisions are non covered yesteryear the Council document).
The indicate to live made hither is that allowing seals to live taken into employment organisation human relationship inward this way, equally an “element” inward a wider assessment, agency that the seals yesteryear themselves lonely are non seen equally “demonstrating” the affair inward question. In other words, although they may take maintain unopen to legal weight, they make non inward themselves take maintain whatever “legal effects”.
For both reasons – the seals non beingness issued yesteryear a DPA, in addition to the seals non having legal effects – the issuing of seals nether the Council text would non constitute an administrative human activity alongside legal effects on the component of the DPA inward countries that select this selection (as the U.K. inward particular appears to desire to do).
Consequently, the issuing of seals inward such countries would non live acre of study to either the cooperation or the consistency mechanisms inward the regulation. The DPAs would non take maintain to inform other DPAs of the fact that they were asked to number a seal inward relation to a controller offering products or services also inward other Member States (or online), or processing personal information on information subjects inward other Member States; they would non take maintain to consider whether they would live the appropriate (lead) authorization to bargain alongside such a request; they would non take maintain to inquire for, permit lonely heed, the views of other DPAs on the issuing of the seal; in addition to they could non live made to bargain alongside the proposed issuing of a seal to such a companionship nether the consistency mechanism; the determination could non live overruled from Brussels.
Yet at the same time, inward spite of such seals non having whatever formal standing, inward practise the DPA inward the province inward inquiry (who was after all informed of the reasons for granting the seal, yesteryear a trunk appointed yesteryear that DPA itself) would live unlikely to convey enforcement activeness against a companionship alongside the seal, equally long equally the companionship adhered to the weather condition etc. begin inward the seal.
IV. Conclusions
The inward a higher house analyses of the different versions of the regulation shows ii clearly opposed views of certification schemes. On the i hand, the European Parliament wants to innovate a strong certification scheme, operated yesteryear the DPAs inside a harmonised European Union framework. Seals would live given real, of import legal effects, of existent make goodness to companies – but (in particular inward honour of cross-border-operating or online companies, including non-EU ones) solely if they were acre of study to unopen scrutiny yesteryear all the European Union DPAs, in addition to the EDPB, in addition to if it were agreed betwixt them, or decided nether the consistency machinery at the highest [Brussels] grade that it was appropriate to number the seal inward the particular instance. Such seals would hence also offering existent assurances to consumers nd citizens.
By contrast, the Council would allow Member States to either opt for relatively strong seals issued yesteryear DPAs (such equally the French Labels), or for an almost completely out-sourced certification scheme nether which seals would live issued yesteryear an accredited certification trunk dissever from the DPA (and non acre of study to directions from the DPA, other than inward damage of full general guidance). The out-sourced seals would take maintain no formal legal effect – but would also by-pass all European cooperation in addition to consistency mechanisms. Yet they would withal inward practise largely exempt the companies that were awarded such seals from enforcement activeness yesteryear the DPA inward inquiry (as long equally they complied alongside the weather condition etc. begin inward the seals).
In my opinion, a certification scheme allowing the latter kinds of seals would innovate a Trojan Horse into the novel European Union information protection regime. International companies, including the so-called “Internet giants” (Microsoft, Google, Yahoo, Facebook, Twitter, etc.) could – in addition to almost sure would, exactly equally at i time – pick in addition to select to apply for seals inward European Union states inward which they would hope to live given relatively lax treatment; where they experience they tin relatively easily obtain a seal – from an out-sourced body. The DPAs inward other countries would non live asked to give their views; they could non challenge the issuing of the seal (indeed, fifty-fifty the DPA inward the province inward inquiry would solely live informed of the issuing of the seal in addition to the reasons for it). Yet they would in addition to so of class rely on the seal, or seals, they obtained to struggle that their operations are fully compliant alongside the regulation. DPAs inward other Member States, in addition to the European Union bodies concerned (including the Commission) would likely live less inclined to pursue such companies inward such circumstances for non-compliance.
I would urge those who are going to live involved inward the upcoming trilateral negotiations over the lastly text of the regulation in addition to who convey information protection to heart, to turn down the Council text in addition to back upwardly the EP i inward honour of certification schemes.
That is non to say that unopen to compromises are impossible. For instance, a Member State could withal largely outsource a certification scheme to an accredited certification trunk (so equally to avoid imposing farther burdens on its DPA), yet retain the advantages of the EP scheme, if it left the lastly determination on each seal to its DPA, acting on the “recommendation” of the certification body. That way, it would withal live the DPA that took the decision. If at the same time, such a seal would live given the effect of demonstrating compliance inward sure contexts (rather than exactly beingness allowed to live an “element” inward evidence), that would hateful that the cooperation in addition to consistency mechanisms would withal come upwardly into play – which volition ensure that appropriately high-level pan-EU scrutiny would live applied, inward particular to cross-border in addition to online companies. I hope this depository fiscal establishment complaint volition induce that debate.
[3] A written report of an EU-commissioned study into privacy seals (Service Contract Number: 258065) is due out shortly. This also discusses the myriad of other, to a greater extent than oft than non to a greater extent than limited schemes inward Europe, in addition to the (generally weak) non-European schemes.
[4] By contrast, the information protection police clit of the little German linguistic communication Land of Schleswig-Holstein expressly allows world authorities to give preferences to products in addition to services which take maintain been granted the local (Schleswig-Holstein) seal yesteryear the local information protection authorization (ULD). ULD has issued to a greater extent than than lxxx such local seals, including several to Microsoft, see: https://www.datenschutzzentrum.de/guetesiegel/register.htm
[5] According to its 2012 annual report, CNIL had received 25 seal applications in addition to had issued 10 seals (as at xv Feb 2013; no afterward information available). EuroPriSe has issued 31 seals (not counting re-certifications) (last checked 01 Oct 2014).
[6] See Chapter VII of the draft regulation.
[8] See:
[9] See:
[10] Article 39(2a) adds that “The European Data Protection Board may on its ain maiden certify that a information protection-enhancing technical criterion is compliant alongside this Regulation.” But this solely applies to “technical standards”, non to seals for products or services.
[11] Presidency Note to COREPER, Brussels, 26 September 2014 (original: English), institutional file number 2012/0011(COD), document number 12312/3/14REV3 (hereafter referred to equally the “Council text”),
The document also deals alongside of import other issues addressed inward Chapter Iv of the regulation, including information protection yesteryear blueprint in addition to default, articulation controllers, information security, information breach notification, information protection impact assessments in addition to prior consultation, in-house information protection officers, but these are non discussed here.
[12] See: http://www.ukas.com/ The Council text refers to a greater extent than specifically to “the National Accreditation Body named inward accordance alongside Regulation (EC) 765/2008 of the European parliament in addition to the Council of ix July 2008 setting out the requirements for accreditation in addition to marketplace position surveillance relating to the marketing of products inward compliance alongside EN-ISO/IEC 17065/2012 in addition to alongside the additional requirements established yesteryear [the DPA of the Member State inward question].” (Art. 39a(1)(b) Council text).
