Skip to main content
SpringerLink
Log in

Data Protection Certification: Decorative or Effective Instrument? Audit and Seals as a Way to Enforce Privacy

  • Chapter
  • First Online:
Enforcing Privacy

Part of the book series: Law, Governance and Technology Series ((ISDP,volume 25))

Abstract

This chapter will explore the elements necessary to achieve privacy enforcement through privacy certification. What makes a privacy seal effective and what are the components and effects of successful certification schemes? The chapter will explain how privacy seals can (1) support and ease the work of DPAs by providing relevant and structured information and (2) provide guidance to the private (and public) sector (especially DPOs) on how to demonstrate compliance to DPAs. The focus will be on the structural elements of a privacy seal report which aims at delivering the information relevant for prior authorisation, DPIA, an inspection or the work of a data protection officer, and on how this documentation can be used in practice.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 149.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 199.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 199.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Dix, Alexander, “Betroffenenrechte im Datenschutz”, in Jan-Hinrik Schmidt and Thilo Weichert (eds.), Datenschutz, Bundeszentrale für politische Bildung, Bonn, 2012, pp. 290–297 [p. 296].

  2. 2.

    The Japan Information Processing Development Center (JIPDEC) established, and has been operating, the “PrivacyMark System” since 1 April 1998, cf. http://english.jipdec.or.jp/pmark.html

  3. 3.

    Rossnagel, Alexander, “Datenschutz-Audit”, Datenschutz und Datensicherheit DuD, 2007, pp. 505 ff.; Bäumler, Helmut, “Datenschutzgesetze der dritten Generation”, in Helmut Bäumler and Albert von Mutius (eds.), Datenschutzgesetze der dritten Generation, Luchterhand, Neuwied, Kriftel, 1999, p. 7. Schleswig-Holsteinisches Gesetz zum Schutz personenbezogener Informationen (Landesdatenschutzgesetz) of 9 February 2000, GVBl, 2000, p. 169.

  4. 4.

    Cf. Connolly, Chris, Trustmark Schemes Struggle to Protect Privacy, Pyrmont, Australia, 2008, pp. 22 f.

  5. 5.

    Article 39, European Commission, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012) 11 final, Brussels, 25 January 2012.

  6. 6.

    Cf. Wright et al., EU Privacy seals study, Inventory and analysis of privacy certification schemes, Final Report, Study Deliverable 1.4, Luxembourg, 2013.

  7. 7.

    European Parliament Resolution of 15 December 2010 on the impact of advertising on consumer behaviour, 2010/2052(INI). http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference =P7-TA-2010-0484&language=EN

  8. 8.

    Germany introduced the possibility of data protection certification and audits in section 9a of the Federal Data Protection Act of 2003, yet failed to introduce a running system ever since. In 2012, the German parliament set aside a fund to sponsor a seal system by initiating the “Stiftung Datenschutz”. From the beginning, it was clear that neither the monetary means nor the funded number of stuff would be in a position to actually produce a running system.

  9. 9.

    McCarthy, Jamie, “TRUSTe decides its own fate today”, Slashdot, 8 Nov 1999. http://yro.slashdot.org/story/99/11/05/1021214/truste-decides-its-own-fate-today

  10. 10.

    Connolly, 2008, p. 22.; Feik, Sebastian, and Kai von Lewinski, “Der Markt für Datenschutz-Zertifizierungen”, BvD-News, Issue 2, 2014, pp. 47–50.

  11. 11.

    European Commission, Proposal for a Regulation of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Brussels, COM(2012) 11 final, 25 January 2012, Article 39, Recital 77.

  12. 12.

    European Parliament , Committee on Civil Liberties, Justice and Home Affairs, Draft Report on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation),COM(2012)0011 – C7-0025/2012–2012/0011(COD) 2012/0011 (COD), 17 December 2012.

  13. 13.

    Bock, Kirsten, “Marktwirtschaftlicher Datenschutz”, pp. 310–321 [p. 312].

  14. 14.

    The wording of Article 39 and 39a as proposed by the Council of the European Union as achieved under the Greek presidency constricts the scope to audits, i.e., internal processing operations, without acknowledging certification of products and services which form a substantial number of targets of certification (privacy by design ) with much influence on the data processing operations.

  15. 15.

    Bock, Kirsten, “Marktwirtschaftlicher Datenschutz”, pp. 310–321 [310 f].

  16. 16.

    Council of the European Union, Proposal for a Regulation of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Brussels, 9398/15, 29 May 2015.

  17. 17.

    I follow the distinction of privacy and data protection made in the EU Charter of Fundamental Rights as explicated by Kokott and Sobotta (2013): Privacy “does not necessarily include all information on identified or identifiable persons” [p. 225], it concentrates on the individual to fight back against infringements of private life. Data protection refers to the social context of information processing which addresses the (informational) asymmetry in power to safeguard self-determination and privacy by preventing organisations to (mis-)use their po wer advantage towards individuals in their respective roles as citizens, patients, employees, etc.

  18. 18.

    A suggestion introduced by Connolly 2008, p. 18 ff.

  19. 19.

    Cf. European Commission, Communication to the European Parliament and the Council on Promoting Data Protection by Privacy-enhancing Technologies (PETs), COM (2007) 228 final, Brussels, 2 May 2007. Connolly, Chris, Benchmarks for global Privacy Standards – Working Paper, Pyrmont, November 2009, p. 6; Rossnagel, A., p. 511 f.

  20. 20.

    Information Commissioner’s Office (ICO), Framework criteria for an ICO-endorsed privacy seal scheme, draft for consultation , Vo1. 3, 2 Sept 2014. http://ico.org.uk/about_us/consultations/~/media/documents/library/Data_Protection/Research_and_reports/framework-criteria-for-an-ico-endorsed-privacy-seal-scheme.pdf

  21. 21.

    Cf. ULD Guetesiegel for TGPopen v2.0, Short Public Report, p. 5. https://www.datenschutzzentrum.de/guetesiegel/kurzgutachten/g090805/090805-kurzgutachten-tgpopen_2013.pdf; TeamDrive v3 only applicable to its versions TeamDrive Free, TeamDrive Personal and TeamDrive Professional. https://www.datenschutzzentrum.de/guetesiegel/register.htm; short public report, https://www.datenschutzzentrum.de/guetesiegel/kurzgutachten/g050302/g050302-rezertifizierang-teamdrive-2013.pdf

  22. 22.

    Wright et al.

  23. 23.

    Especially ISO security evaluation reports are hard to obtain. Also cf. Privacy Seals Study TASK 4 – Proposals and evaluation of policy options, May 2014, p. 77ff.

  24. 24.

    To generate trust , certification needs to be directed to the public, which is an aspect of transparency . Cf. Bock, Kirsten, “EuroPriSe Trust Certification”, Datenschutz und Datensicherheit – DuD, 2008, p. 610 ff.

  25. 25.

    The distinction between a data protection certification or audit and an inspection by a data protection authority consists in a mutual understanding between the parties involved that the evaluation is conducted voluntarily and on a co-operative basis. Voluntary evaluation does not imply legal sanction s, which is why evaluations are more likely to identify serious shortcomings.

  26. 26.

    Bock, Kirsten, “Marktwirtschaftlicher Datenschutz”, p. 315f.

  27. 27.

    Rodrigues et al., p. 100.

  28. 28.

    Certification criteria generated by the applicant or by the issuer exclusively for the applicant usually lack overall substance and are therefore not discussed in this paper.

  29. 29.

    Criteria catalogues based on common standards such as ISO do not facilitate compliance with European data protection law per se due to a lack of comprehensiveness and accumulation of rather unspecific measures.

  30. 30.

    With respect to current developments, e.g., of big data , not only risks concerning the individual but risks towards society should be considered. However, policy-makers in Europe have been reluctant so far to acknowledge societal threats (e.g., risks for the solidarity principle regarding health insurance by discounts for consent to monitor behaviour, or accumulation of and access to knowledge) to data protection laws and jurisdiction in Europe.

  31. 31.

    For a first, but not yet systematic attempt to include protection goals into a non-binding criteria catalogue , see http://www.datenschutzzentrum.de/uploads/guetesiegel/guetesiegel-anforderungskatalog.pdf

  32. 32.

    Cf. Federrath, Hannes, and Andreas Pfitzmann, “Gliederung und Systematisierung von Schutzzielen in IT-Systemen”, Datenschutz und Datensicherheit – DuD, Vol. 26, Issue 12, 2000, pp. 704–710. Rost, Martin, and Andreas Pfitzmann, “Datenschutz-Schutzziele revisited”, Datenschutz und Datensicherheit – DuD, Vol. 33, Issue 6, 2009, pp. 353–358.

  33. 33.

    For example, see Centre for Information Policy Leadership, Hunton & Williams, “The role of risk management in data protection”, November 2014. See http://www.informationpolicycentre.com/files/Uploads/Documents/Centre/Role_of_Risk_Management_in_Data_Protection.pdf, which neglects to mention that in Europe personal data processing is subject to permission.

  34. 34.

    Bock, Kirsten, and Sebastian Meissner, “Datenschutz-Schutzziele im Recht – Zum normativen Gehalt der Datenschutz-Schutzziele”, Datenschutz und Datensicherheit – DuD, Vol. 36, Issue 6, p. 425ff.

  35. 35.

    Cf. section 5, para 1, No. 1–6, Data Protection Act Schleswig-Holstein , Gesetz- und Verordnungsblatt (GVOBl), 2000, p. 169; and concerning transparency , intervenability and unlinkability , see Article 10, para 2, (a)–(c), Data Protection Act Lichtenstein. https://www.gesetze.li/DisplayLGBl.jsp?Jahr=2002&Nr=102

  36. 36.

    They can, of course, also be used for data protection inspection s or by the legislator to compose data protection legislative propositions or to check existing data protection legislation in terms of completeness.

  37. 37.

    Cf. Rost and Bock, “Privacy by Design and the New Protection Goals”, in: Datenschutz und Datensicherheit DuD, 2011/01.

  38. 38.

    Cf. Rost and Bock 2012, p. 243f.

  39. 39.

    Even though the 11 principles in ISO 29100 convey some truth, as a set of principles they lack legal foundation. Their nature as well as the relationship between each other is unclear. ISO does not provide an approach for balancing the principles and its interpretation is non-binding. Different from the protection goals, which always require a whole-set approach, the missing relationships between the principles does not induce an emphasis on any one of them. However, the principles are useful when privacy and data protection are not provided by fundamental rights.

  40. 40.

    CNIL .

  41. 41.

    Cf. Probst, Thomas, “Generische Schutzmaßnahmen für Datenschutz-Schutzziele”, Datenschutz und Datensicherheit – DuD, Vol. 36, Issue 6, p. 439 ff.

  42. 42.

    Rost, Martin, “Standardisierte Datenschutzmodellierung”, Datenschutz und Datensicherheit DuD, Vol. 36, Issue 6, June 2012, pp. 433–438. Rost, Martin, “Datenschutz in 3D – Daten, Prozesse und Schutzziele in einem Modell”, Datenschutz und Datensicherheit DuD, Vol. 35, Issue 5, May 2011, pp. 351–355.

  43. 43.

    Mandatory document, cf., e.g., section 6, para 1, State Data Protection Act (LDSG) in connection with section 3, para 2, nr. 5, Data Protection Ordinance (DSVO) Schleswig-Holstein , Germany . An Active Directory or a Lightweight Directory Access Protocol (LDAP) is a tool for such allocations.

  44. 44.

    In Germany , an attempt to pass an audit act failed in July 2009 mainly because the certificate was to be issued before an evaluation took place. See http://dip21.bundestag.de/dip21/btd/16/120/1612011.pdf; http://dip21.bundestag.de/dip21/btd/16/136/1613657.pdf. Self-assertion to comply with the Safe Harbor requirements (US-EU Safe Harbor Framework, Guide to self-certification , p. 4) has been qualified as ineffective. http://www.datenschutz-berlin.de/attachments/710/Resolution_DuesseldorfCircle_28_04_2010EN.pdf?1285316129

  45. 45.

    Cf. section 38 paragraph 1 sentence 2, Federal Data Protection Act of Germany; Art. 28 para 3, second bullet, 95/46/EU.

  46. 46.

    As there are currently no formally approved standard measures catalogues available, it will be left to the future to assess the effectiveness.

  47. 47.

    In Germany , an attempt to pass an audit act failed in July 2009 mainly because the certificate was to be issued before an evaluation took place. http://dip21.bundestag.de/dip21/btd/16/120/1612011.pdf; http://dip21.bundestag.de/dip21/btd/16/136/1613657.pdf. In the US-EU Safe Harbor , self-assertion to comply with the Safe Harbor requirements (US-EU Safe Harbor Framework, Guide to self-certification, p. 4) is ineffective. http://www.datenschutz-berlin.de/attachments/710/Resolution_DuesseldorfCircle_28_04_2010EN.pdf?1285316129

  48. 48.

    The most well known example is the Safe Harbor self-certification process that does not provide a third-party evaluation at all.

  49. 49.

    Cf. German BT-DRs. 4/09, p. 4f.

References

  • Bäumler, Helmut, “Datenschutzgesetze der dritten Generation”, in Helmut Bäumler and Albert von Mutius (eds.), Datenschutzgesetze der dritten Generation, Luchterhand, Neuwied, Kriftel 1999, pp. 1–9.

    Google Scholar 

  • Bock, Kirsten, “Marktwirtschaftlicher Datenschutz”, in Jan-Hinrik Schmidt and Thilo Weichert (eds.), Datenschutz, Bundeszentrale für politische Bildung, Bonn, 2012, pp. 310–321.

    Google Scholar 

  • Bock, Kirsten, EuroPriSe Trust Certification, Datenschutz und Datensicherheit - DuD, Vol. 32, Issue 9, September 2008, pp. 610–614.

    Google Scholar 

  • Bock, Kirsten, and Sebastian Meissner, “Datenschutz-Schutzziele im Recht - Zum normativen Gehalt der Datenschutz-Schutzziele”, Datenschutz und Datensicherheit – DuD, Vol. 36, Issue 6, June 2012, pp. 425–431. http://www.maroki.de/pub/other/2012-06-DuD-SDMRecht.html.

    Google Scholar 

  • Centre for Information Policy Leadership, Hunton & Williams, The role of risk management in data protection, Paper 2 of the Project on Privacy Risk Framework and Risk based Approach to Privacy, Brussels, November 2014. http://www.informationpolicycentre.com/files/Uploads/Documents/Centre/Role_of_Risk_Management_in_Data_Protection.pdf

  • Connolly, Chris, Trustmark Schemes Struggle to Protect Privacy, Pyrmont, Australia, 2008.

    Google Scholar 

  • Connolly, Chris, Benchmarks for Global Privacy Standards – Working Paper, Pyrmont, November 2009.

    Google Scholar 

  • Council of the European Union, Proposal for a Regulation of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Brussels, 9398/15, 29 May 2015.

    Google Scholar 

  • Council of the European Union, Proposal for a Regulation of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Brussels, 15039/15, 15 December 2015.

    Google Scholar 

  • Dix, Alexander, “Betroffenenrechte im Datenschutz”, in Jan-Hinrik Schmidt and Thilo Weichert (eds.), Datenschutz, Bundeszentrale für politische Bildung, Bonn 2012, pp. 290–297.

    Google Scholar 

  • European Commission, Communication to the European Parliament and the Council on Promoting Data Protection by Privacy-enhancing Technologies (PETs), COM (2007) 228 final, Brussels, 2 May 2007.

    Google Scholar 

  • European Commission, Joint Research Centre, Institute for the Protection and Security of the Citizen, EU Privacy seals study, Inventory and analysis of privacy certification schemes, Final Report Study Deliverable 1.4, Luxembourg, 2013. http://trilateralresearch.com/tenders/#eu-study-on-privacy-seals

  • European Commission, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, COM(2012) 11/final, Brussels, 25 January 2012.

    Google Scholar 

  • European Parliament and the Council, Directive 95/46/EC of 24.10.1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, Brussels, 23 November 1995.

    Google Scholar 

  • Feik, Sebastian, and Kai von Lewinski, “Der Markt für Datenschutz-Zertifizierungen”, BvD-News, Issue 2, 2014, pp. 47–50.

    Google Scholar 

  • Kokott, Juliane, and Christoph Sobotta, “The distinction between privacy and data protection in the jurisprudence of the CJEU and the ECtHR”, International Data Privacy Law, Vol. 3, No. 4, 2013, pp. 222–228.

    Article  Google Scholar 

  • Probst, Thomas, “Generische Schutzmaßnahmen für Datenschutz-Schutzziele”, Datenschutz und Datensicherheit – DuD, Vol. 36, Issue 6, June 2012, pp. 439–444.

    Google Scholar 

  • Rodrigues, Rowena, David Wright and Kush Wadhwa, “Developing a privacy seal scheme (that works)”, International Data Privacy Law, Vol. 3, Issue 2, February 2013, pp. 100–116.

    Google Scholar 

  • Rossnagel, Alexander, “Datenschutz-Audit”, Datenschutz und Datensicherheit – DuD, Vol. 21, Issue 9, September 1997, pp. 505–515.

    Google Scholar 

  • Rost, Martin, “Schutzziele”, in Jan-Hinrik Schmidt and Thilo Weichert (eds.), Datenschutz, Bundeszentrale für politische Bildung, Bonn, 2012, pp. 353–362.

    Google Scholar 

  • Rost, Martin, “Standardisierte Datenschutzmodellierung”, Datenschutz und Datensicherheit DuD, Vol. 36, Issue 6, June 2012, pp. 433–438. http://www.maroki.de/pub/privacy/2012-06-DuD-SDM.html

    Google Scholar 

  • Rost, Martin, “Datenschutz in 3D – Daten, Prozesse und Schutzziele in einem Modell”, Datenschutz und Datensicherheit DuD, Vol. 35, Issue 5, May 2011, pp. 351–355. http://www.maroki.de/pub/privacy/DuD2011-05_DP-3D.html

    Google Scholar 

  • Rost, Martin, and Andreas Pfitzmann, “Datenschutz-Schutzziele – revisited”, Datenschutz und Datensicherheit – DuD, Vol. 33, Issue 6, July 2009, pp. 353–358.

    Google Scholar 

  • Rost, Martin, and Kirsten Bock, “Privacy By Design und die Neuen Schutzziele – Grundsätze, Ziele und Anforderungen”, Datenschutz und DatensicherheitDuD, Vol. 35, Issue 1, January 2011, pp. 30–35. EN: “Privacy by Design and the New Protection Goals – Principles, Goals, and Requirements”. http://www.maroki.de/pub/privacy/BockRost_PbD_DPG_en_v1f.html

  • Rost, Martin, and Kirsten Bock, “Impact Assessment im Lichte des Standard-Datenschutzmodells”, Datenschutz und DatensicherheitDuD, Vol. 36, Issue 10, October 2012, pp. 472–477. http://www.maroki.de/pub/privacy/2012-10_DuD-PIA.html

  • US Department of Commerce, US-EU Safe Harbor Framework, Guide to self-certification, Washington DC, March 2009.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. ULD, Holstenstr. 98, 24103, Kiel, Germany

    Kirsten Bock

Authors
  1. Kirsten Bock
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Kirsten Bock .

Editor information

Editors and Affiliations

  1. Trilateral Research, London, United Kingdom

    David Wright

  2. Vrije Universiteit Brussel Law, Science, Technology & Society (LSTS), Brussels, Belgium

    Paul De Hert

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Bock, K. (2016). Data Protection Certification: Decorative or Effective Instrument? Audit and Seals as a Way to Enforce Privacy. In: Wright, D., De Hert, P. (eds) Enforcing Privacy. Law, Governance and Technology Series(), vol 25. Springer, Cham. https://doi.org/10.1007/978-3-319-25047-2_15

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-25047-2_15

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-25045-8

  • Online ISBN: 978-3-319-25047-2

  • eBook Packages: Law and CriminologyLaw and Criminology (R0)

Publish with us

Policies and ethics

Search

Navigation