
Could the CE Marking Be Relevant to Enforce Privacy by Design in the Internet of Things?

Chapter in: Data Protection on the Move
Part of the book series: Law, Governance and Technology Series (ISDP, volume 24)

Abstract

This paper evaluates the relevance of using the CE marking process to enforce the Data Protection by Design principles laid down in Article 23 of the proposed General Data Protection Regulation in the connected devices that make up the Internet of Things. The CE marking is a conformity assessment process designed by the European Commission during the 1980s to allow manufacturers to voluntarily demonstrate their compliance with mandatory regulations on safety, health and the environment. This process offers some interesting features for the enforcement of data protection rules in products, especially in the context of globalized trade: it promoted a co-regulation process between public and private stakeholders and contributed to the spread of European technical standards worldwide. However, it does not fully address the data protection issues raised by the IoT, and it has been criticized for its lack of reliability. Moreover, the process was never designed to accommodate an unlimited list of requirements, and adding data protection requirements could undermine it. Another option would be to transform the CE marking into an overarching European mark housing different certification schemes dedicated to product compliance. This option would preserve the existing process and offer the opportunity to set up a scheme organized along similar lines but dedicated to the enforcement of Data Protection by Design principles.


Notes

1. Deloitte, “Tech Trends 2014: Inspiring Disruption” (Deloitte’s annual Technology Trends report, 2014), 55. Accessed June 14, 2015. http://dupress.com/wp-content/uploads/2014/02/Tech-Trends-2014_FINAL-ELECTRONIC_single.2.24.pdf.

2. “Internet of Things is a new revolution of the Internet. Objects make themselves recognizable and they obtain intelligence thanks to the fact that they can communicate information about themselves and they can access information that has been aggregated by other things”, in Ovidiu Vermesan, “Europe’s Internet of Things Strategic Research Agenda 2012”, in Internet of Things 2012, ed. Ian G. Smith (New Horizons, 2012). “We are only in the very nascent stage of the so-called “Internet of Things,” when our appliances, our vehicles and a growing set of “wearable” technologies will be able to communicate with each other”, in John Podesta et al., “Big Data: Seizing Opportunities, Preserving Values” (Executive Office of the President, 2014). Accessed June 14, 2015. http://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf.

    A study published in 2013 estimated that 4 billion objects were connected in 2010 and 15 billion in 2012, and that 80 billion are expected to be connected in 2020: IDATE, “Internet of Things: Outlook for the top 8 vertical markets”, 2013. Accessed June 14, 2015. http://www.idate.org/fr/Research-store/Collection/In-depth-market-report_23/Internet-of-Things_785.html.

3. “The Internet of Things promises to bring smart devices everywhere, from the fridge in your home, to sensors in your car; even in your body. Those applications offer significant benefits: helping users save energy, enhance comfort, get better healthcare and increased independence: in short meaning happier, healthier lives. But they also collect huge amounts of data, raising privacy and identity issues”. Foreword by Neelie Kroes in Ian G. Smith (ed.), Internet of Things 2012 (New Horizons, 2012). See also Janna Anderson and Lee Rainie, “The Internet of Things Will Thrive by 2025” (Pew Internet Project report, 2014). Accessed February 21, 2015. http://www.pewinternet.org/files/2014/05/PIP_Internet-of-things_0514142.pdf.

4. “Smart objects can accumulate a massive amount of data, simply to serve us in the best possible way. Since this typically takes place unobtrusively in the background, we can never be entirely sure whether we are being (observed) when transactions take place”, in Riad Abdmeziem and Djamel Tandjaoui, “Internet of Things: Concept, Building Blocks, Applications and Challenges”, 2014, arXiv preprint arXiv:1401.6877. Accessed June 14, 2015. http://arxiv.org/pdf/1401.6877v1.pdf. See also the European Commission fact sheet “IoT Privacy, Data Protection, Information Security” for an overview of the different threats raised by the IoT. Last accessed June 14, 2015. http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=1753; Federal Trade Commission, “Internet of Things: Privacy and Security in a Connected World”, FTC Staff Report, 2015. Last accessed June 14, 2015. http://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf. See also Harald Sundmaeker et al., “Vision and Challenges for Realising the Internet of Things”, 2010 (CERP-IoT, Cluster of European Research Projects on the Internet of Things). Last accessed June 14, 2015. http://bookshop.europa.eu/en/vision-and-challenges-for-realising-the-internet-of-things-pbKK3110323/.

5. Data Protection by Design and Data Protection by Default represent the European interpretation of the concept of Privacy by Design, primarily elaborated by the Privacy Commissioner of Ontario at the end of the 1990s. This approach encourages controllers and processors to include data protection measures from the design stage of their products and services. Since 2009, it has been strongly supported by the European authorities and was integrated into the 2012 reform of the European data protection framework. Article 23 of the proposed Regulation speaks of data protection rather than privacy, to be consistent with other provisions and with the European approach, which regards privacy as broader than data protection. Article 23 also distinguishes Data Protection by Design from Data Protection by Default; the latter requires that the safeguards apply without any intervention by the end user. The 7 Foundational Principles guiding the implementation of Privacy by Design are presented on the dedicated website of the Commissioner of Ontario. Last accessed May 21, 2015. https://www.privacybydesign.ca/index.php/about-pbd/7-foundational-principles/. The European counterpart has recently been detailed in ENISA, “Privacy and Data Protection by Design—from policy to engineering” (European Union Agency for Network and Information Security, December 2014), iii. Last accessed May 21, 2015. https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-and-data-protection-by-design.

6. Article 23 of the proposed General Data Protection Regulation (hereinafter GDPR), in the version amended by the European Parliament, requires controllers to “implement appropriate and proportionate technical and organizational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”. Accessed June 14, 2015. http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/dv/comp_am_art_01-29/comp_am_art_01-29en.pdf.

7. Recital 61 of the Parliament version of the proposed GDPR also states that “The principle of data protection by design require data protection to be embedded within the entire life cycle of the technology, from the very early design stage, right through to its ultimate deployment, use and final disposal”.

8. On the basis of Article 4 of Directive 95/46/EC. See Article 29 Data Protection Working Party, “Opinion 8/2014 on the Recent Developments on the Internet of Things”, 2014, 10.

9. Article 22 of the Parliament version of the proposed GDPR states that “the controller shall adopt appropriate policies and implement appropriate and demonstrable technical and organizational measures to ensure and be able to demonstrate in a transparent manner that the processing of personal data is performed in compliance with this Regulation”.

10. 83 % of users of mobile services in Europe are concerned about the collection of data and 65 % check the data collected by their smartphone apps: GSMA, “Mobile Privacy: Consumer research insights and considerations for policy makers”, 2014. Accessed June 14, 2015. http://www.gsma.com/publicpolicy/wpcontent/uploads/2014/02/MOBILE_PRIVACY_Consumer_research_insights_and_considerations_for_policymakers-Final.pdf; TRUSTe, “UK Consumer Confidence Privacy Report”, 2014. Accessed June 14, 2015. http://info.truste.com/lp/truste/Web-Resource-HarrisConsumerResearchUK-ReportQ12014_LP.html; TRUSTe, “Internet of Things Privacy Index—US Edition”, 2014, underlines that 83 % of the 2000 people surveyed are concerned by the idea that personal information is being collected by smart devices. Accessed June 14, 2015. http://www.truste.com/resources/?doc=468; Sciencewise, “Big Data: Public views on the collection, sharing and use of personal data by government and companies”, April 2014. Accessed May 21, 2015. http://www.sciencewise-erc.org.uk/cms/assets/Uploads/SocialIntelligenceBigData.pdf; cited in “Data Protection Rights: What the public want and what the public want from Data Protection Authorities”, prepared by the ICO for the European Conference of Data Protection Authorities, Manchester, May 2015. Accessed May 21, 2015.

11. The apparent failure of the Google+ network and the changes announced by Facebook’s founder in his keynote of April 30, 2014 seem to suggest a slight inflexion, still to be confirmed, in the way people share data on social media. Accessed June 14, 2015. http://newsroom.fb.com/news/2014/04/f8-introducing-anonymous-login-and-an-updated-facebook-login/. The public has also developed strategies to avoid the full disclosure of their personal data. See Symantec, State of Privacy Report 2015 (February 2015). http://www.symantec.com/content/en/us/about/presskits/b-sta.

12. A quick presentation of the basic principles of the CE marking is available on the website of the European Commission. Accessed June 14, 2015. http://europa.eu/legislation_summaries/other/l21013_en.htm. More information can be found in the European Commission’s “Guide to the implementation of directives based on the New Approach and the Global Approach”, 2014. Accessed June 14, 2015. http://ec.europa.eu/enterprise/newsroom/cf/itemdetail.cfm?item_id=7326.

13. ANEC, “Caveat Emptor—Buyer Beware”, 2012 (The European Association for the Co-ordination of Consumer Representation in Standardisation). Accessed June 14, 2015. http://www.anec.eu/attachments/ANEC-SC-2012-G-026final.pdf. See also Consumer Research Associates Ltd., “Certification and Marks in Europe”, 2008 (study commissioned by EFTA), 11. Accessed June 14, 2015. http://www.efta.int/sites/default/files/publications/study-certification-marks/executive-summary.pdf.

14. “Regulation framework of IoT has to be global because IoT has no border especially with globalization”, in Rolf H. Weber, “Internet of Things—New security and privacy challenges”, Computer Law & Security Review, Volume 26, Issue 1, January 2010, 23–30.

15. Rolf H. Weber, “Internet of Things—Need for a New Legal Environment”, Computer Law & Security Review, Volume 25, Issue 6, November 2009, 522–527.

16. CASAGRAS (Coordination and support action for global RFID-related activities and standardisation), European Internet of Things Initiative. Accessed June 14, 2015. http://www.iot-i.eu/iot-database/all/organizations/internet-of-things-initiative/fines-future-internet-enterprise-systems/casagras.

17. Harald Sundmaeker et al., “Vision and challenges for realising the Internet of Things”, 2010 (CERP-IoT, Cluster of European Research Projects on the Internet of Things; European Commission, Information Society and Media DG; EUR-OP, 2010), 43. Accessed June 14, 2015. http://www.theinternetofthings.eu/sites/default/files/Rob%20van%20Kranenburg/Clusterbook%202009_0.pdf.

18. Rolf H. Weber, “Internet of Things—New security and privacy challenges”, 2010, 23.

19. Article 29 Data Protection Working Party, “Opinion 8/2014 on the Recent Developments on the Internet of Things”, 2014, 5.

20. GSM, Bluetooth, Wi-Fi (IEEE 802.11) and NFC, to cite only the best known.

21. Article 3.2 (a) of the Parliament version of the GDPR states: “This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union”.

22. Working Party, “Opinion 8/2014”, 11; see Footnote 17 for details.

23. Article 23.1 and Recital 61 of the draft GDPR.

24. Article 23.1 states that “Data protection by design shall have particular regard to the entire lifecycle management of personal data from collection to processing to deletion, systematically focusing on comprehensive procedural safeguards regarding the accuracy, confidentiality, integrity, physical security and deletion of personal data.” Article 23.2 states that “The controller shall ensure implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected, or retained or disseminated beyond the minimum necessary for those purposes.” Recital 61 states that “the principle of data protection by default requires privacy settings on services and products which should by default comply with the general principles of data protection, such as data minimization and purpose limitation”.

25. Article 23.1 and Recital 61 of the draft GDPR.

26. Article 22 requires controllers to be accountable for their compliance. Article 39 encourages the setting up of certification schemes dedicated to data protection.

27. Working Party, “Opinion 8/2014”, 24; see Footnote 17 for details.

28. Speech by Viviane Reding, former Vice-President of the European Commission and EU Commissioner for Justice, “Data protection reform: restoring trust and building the digital single market”, 2013 (SPEECH/13/720, 17/09/2013). Accessed June 14, 2015. http://europa.eu/rapid/press-release_SPEECH-13-720_en.htm.

29. Article 3.2 (a) of the Parliament version of the GDPR states: “This Regulation applies to the processing of personal data of data subjects in the Union by a controller or processor not established in the Union”.

30. The New Approach policy was adopted in Europe by Council Resolution 85/C 136/01 of 7 May 1985. It was set up to speed up the harmonization of EU requirements for product safety and to reduce the technical barriers between Member States in order to complete the single market before 1992. The “New Approach” legislation rests on four main principles: (i) products must at least comply with the essential requirements laid down in the directives before being placed on the market; (ii) these requirements are defined in the so-called “New Approach” directives and are elaborated, at the request of the legislator, into technical standards by the European standardization bodies; these standards are technical specifications designed to facilitate compliance with the requirements set out in the “New Approach” directives, and, once adopted as harmonized standards, must be transposed in all Member States, which must withdraw any conflicting national text; (iii) the application of the standards nevertheless remains voluntary; (iv) products that comply with the standards benefit from a “presumption of conformity” with the requirements set out in the directives and can be distributed in all Member States. See Mark R. Barron, “Creating Consumer Confidence or Confusion? The Role of Product Certification in the Market Today”, Marquette Intellectual Property Law Review, Volume 11, Issue 2 (2007), 427. A full presentation of the foundations of the CE marking process can be found in the European Commission’s “Blue Guide” on the implementation of EU product rules, 2014, 6. Accessed June 14, 2015. http://ec.europa.eu/enterprise/newsroom/cf/itemdetail.cfm?item_id=7326. See also Jacques Pelkmans, “The New Approach to Technical Harmonization and Standardization”, Journal of Common Market Studies, XXV, No. 3, March 1987. Accessed June 14, 2015. https://courses.washington.edu/eulaw09/supplemental_readings/Pelkmans_New_Approach_Harmonization.pdf.

31. An interesting example of the wording of essential requirements can be found in the annex to the Low Voltage Directive 2006/95/EC. Accessed June 14, 2015. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:374:0010:0019:EN:PDF.

32. The European Committee for Standardization, or Comité Européen de Normalisation (CEN), was created in 1961 to harmonize technical standards drafted in Europe. CEN is headquartered in Brussels. It is composed of the national standardization bodies of the 28 Member States of the European Union and of the EFTA countries (Iceland, Norway and Switzerland). Like ISO, CEN works with two sectoral partners. The Comité Européen de Normalisation Electrotechnique (CENELEC), composed of the National Electrotechnical Committees of 30 European countries, is responsible for developing standards in the electrotechnical area. The European Telecommunications Standards Institute (ETSI) is responsible for developing standards in telecommunications; its process involves over 600 companies and institutions from 55 countries. ETSI is, for instance, at the origin of the DECT and GSM standards.

33. Regulation (EC) No 765/2008 of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93. Accessed June 14, 2015. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:218:0030:0047:en:PDF. See also the accreditation process in the Blue Guide on the implementation of EU product rules, 73.

34. Colin Bennett, “International Privacy Standards: Can Accountability Be Adequate?”, 2010 (Privacy Laws and Business International), 3.

35. Dennis D. Hirsch, “The Law and Policy of Online Privacy: Regulation, Self-Regulation or Co-Regulation?”, 2010 (ExpressO), 7. Accessed June 14, 2015. http://works.bepress.com/dennis_hirsch/1.

36. Conformity assessment under the CE marking can be carried out, at the manufacturer’s discretion, against the harmonized standards or directly against the essential requirements included in the directive. The provisions of the directive can also serve as substitute requirements where no standard exists in the area. To be assessable, New Approach directives must be written in such a way that certification bodies can audit against them. Section III of the Council Resolution of 7 May 1985 states: “They (the Directives) should be so formulated as to enable the certification bodies straight away to certify products as being in conformity, having regard to those requirements in the absence of standard”.

37. Council Decision 93/465/EEC of 22 July 1993 concerning the modules for the various phases of the conformity assessment procedures and the rules for the affixing and use of the CE conformity marking, which are intended to be used in the technical harmonization directives. Accessed June 14, 2015. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:1993:220:0023:0039:EN:PDF.

38. The different levels of assessment are called assessment modules in the European regulation. Module A requires the manufacturer to conduct its own conformity assessment of the product in order to draw up a Supplier’s Declaration of Conformity (SDoC). At the other end of the scale, module H requires the manufacturer to set up a Total Quality Management (TQM) system in which a third-party body certifies each unit of product. For a detailed presentation of the Global Approach and the associated assessment modules, see European Commission, “Guide to the Implementation of Directives Based on the New Approach and the Global Approach”, 2014, 28. Accessed June 5, 2015. http://ec.europa.eu/enterprise/policies/single-market-products/files/blue-guide/guidepublic_en.pdf.

39. John Wagley, “EU Privacy Proposal Criticized”, 2013 (Security Management website magazine).

40. ICO, “Comparative analysis of the European Commission text and the European Parliament’s LIBE (civil liberties) Committee amendments of Proposed draft EU General Data Protection Regulation and ‘law enforcement’ Directive”, 2013, 2.

41. Neil Robinson et al., “Review of the European data protection directive”, 2009 (Cambridge: RAND), x. Accessed June 5, 2015. http://www.rand.org/pubs/technical_reports/TR710.html.

42. Privacy & Information Security Law Blog, “Council of the European Union Proposes Risk-Based Approach to Compliance Obligations”, posted February 2, 2015. Accessed June 5, 2015. https://www.huntonprivacyblog.com/2014/10/29/council-european-union-proposes-risk-based-approach-compliance-obligations/. See also the European delegations’ comments on the risk-based approach, Council of the European Union. Accessed June 5, 2015. http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%2012267%202014%20REV%202.

43. Article 29 Data Protection Working Party, “Statement on the role of a risk-based approach in data protection legal frameworks”, WP 218, adopted on 30 May 2014. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp218_en.pdf.

44. See Footnote 28, section (ii).

45. The ratcheting effect can be defined as the influence exerted by the regulation of one region or country on others. One observes a ratcheting effect when “businesses adopt a uniform set of data practices that satisfy the rules of the most protective jurisdiction”. In economic terms, there is a ratcheting effect when “regulations in one jurisdiction create positive externalities in another jurisdiction”: Marc Rotenberg and David Jacobs, “Updating the Law of Information Privacy: The New Framework of the European Union”, Harvard Journal of Law & Public Policy, Vol. 36 (2012), 637–641.

46. The Vienna Agreement was signed in 1991 by the International Organization for Standardization (ISO) and the Comité Européen de Normalisation (CEN) and renewed in 2001. The Dresden Agreement was signed in 1996 between the International Electrotechnical Commission (IEC) and the Comité Européen de Normalisation Electrotechnique (CENELEC). These agreements allow international standards to become European standards, and vice versa, where relevant. An interesting summary of the content of these agreements has been published by the American standardization body ANSI. Accessed June 14, 2015. http://publicaa.ansi.org/sites/apdl/…/ISO-CEN-Vienna.doc‎.

47. Streamlining procedure recalled by Scott Taylor, representing Hewlett Packard, during the “Accountable organisations deserve benefits from regulators” panel at CPDP 2015, Brussels, January 22, 2015.

48. The influence of European data protection regulation on other frameworks is already under way, as Marc Rotenberg and David Jacobs underline in “Updating the Law of Information Privacy: The New Framework of the European Union”, Harvard Journal of Law & Public Policy, Vol. 36 (2012), 637–641.

49. The supplier self-declares the conformity of its product with the requirements of the applicable legislation without any mandatory third-party intervention. In European Commission DG Trade, “European Commission submission to the WTO about ‘Supplier’s Self Declaration of Conformity’”, 2003, 1.

50. Charith Perera et al., “Privacy of Big Data in the Internet of Things Era”, 2015 (IEEE IT Professional, Special Issue on the Internet of Anything), 6. Accessed May 27, 2015. http://arxiv.org/abs/1412.8339.

51. 95 % of declarations of conformity under the CE marking process result from self-assessment: Consumer Research Associates Ltd., “Certification and Marks in Europe”, 2008 (study commissioned by EFTA), 11. See also ANEC, “Caveat Emptor—Buyer Beware”, 2012 (The European Association for the Co-ordination of Consumer Representation in Standardisation). Accessed June 14, 2015. http://www.anec.eu/attachments/ANEC-SC-2012-G-026final.pdf.

52. The American authorities recently authorized manufacturers to remove certification marks from marketed devices and to display them electronically instead. “Obama signs E-Label Act, allows manufacturers to remove rear logos”, 2014, Electronista.com. Accessed June 14, 2015. http://www.electronista.com/articles/14/11/27/regulatory.symbols.on.devices.can.be.removed.shown.in.software.instead/#ixzz3QW0GCzju.

53. This definition is confirmed by Article 2.20 of Regulation (EC) No 765/2008 of 9 July 2008, which states that the CE marking is “a marking by which the manufacturer indicates that the product is in conformity with the applicable requirements set out in Community harmonisation legislation providing for its affixing”.

54. See Footnote 50.

55. The European Consumer Consultative Group (ECCG), “ECCG Opinion on CE Marking”, 2008. Accessed June 14, 2015. http://ec.europa.eu/consumers/cons_org/associations/committ/opinions/eccg_op_02022008_en.pdf.

56. The European Consumer Consultative Group (ECCG), “ECCG Opinion on CE Marking”, 1.

57. The ISO 9000 series of standards addresses the quality of production systems rather than the quality of the products themselves. For this reason, some authors call them “metastandards”. Uzumeri, for instance, defines metastandards as “lists of design rules to guide the creation of entire classes of management systems. Since systems theorists use the term metasystem for lists of this type, it follows that this type of management standard should be referred to as a metastandard”. Mustafa Uzumeri, “ISO 9000 and Other Metastandards: Principles for Management Practice?”, Academy of Management Executive, 11(1) (1997), 21–36.

58. This blurring has certainly also contributed to public confusion about the actual purpose of the CE marking.

59. Commission Staff Working Document on Knowledge-Enhancing Aspects of Consumer Empowerment 2012–2014, “Consumer attention and understanding of labels and logos”, 2012 (SWD, Final, 19.7.2012, 4.1), 26.

60. P.T. van der Zeijden et al., “Keurmerken, erkenningsregelingen en certificaten; klare wijn of rookgordijn?” [Quality marks, recognition schemes and certificates: plain speaking or smokescreen?] (Zoetermeer: EIM Onderzoek voor Bedrijf en Beleid, 2002).

61. The NF mark (France) is recognised by 64.5 % of the people interviewed, the Kitemark (UK) by 44.7 %, the KEMA-KEUR mark (Netherlands) by 39.4 % and the GS mark (Germany) by 28.2 %: “Eurobarometer: Europeans and EC logos”, 2000 (INRA for the Directorate-General for Health and Consumer Protection). Accessed June 14, 2015. http://ec.europa.eu/public_opinion/archives/ebs/ebs_137_en.pdf.

62. Consumer Research Associates Ltd., “Certification and Marks in Europe”, 40.

63. Commission Staff Working Document on Knowledge-Enhancing Aspects of Consumer Empowerment 2012–2014, SWD (2012) Final, 19.7.2012, cited in ANEC, “Caveat Emptor—Buyer Beware”.

64. “What does the acronym “CE” represent? Although no explanation is provided in Regulation 765/2008, it is thought to mean “Conformité Européenne”. The absence of clear explanation as to its exact meaning contributes to the confusion around what CE Marking is.” In ANEC, “Caveat Emptor—Buyer Beware”, 5.

65. The article on the CE marking in the English edition of Wikipedia notes that “in former German legislation, the CE marking was called “EG-Zeichen” meaning “European Community mark””.

66. The principle of withdrawal is defined by Article 21b of Directive 93/68/EEC.

67. “The results of the study research conducted on behalf of Teknikföretagen, the Association of Swedish Engineering Industries shows that a lack of efficient market surveillance on the Internal Market is undermining confidence in CE marking”, in Consumer Research Associates, “Certification and Marks in Europe”, 43.

68. The study conducted by Teknikföretagen confirmed the demand for additional marks owing to a lack of confidence in the CE marking. In Consumer Research Associates, “Certification and Marks in Europe”, 18.

69. The German GS mark, a co-regulated certification mark supervised by the German Ministry of Industry, is enjoying growing success in Europe for these reasons. In Consumer Research Associates, “Certification and Marks in Europe”, 43.

70. “The proliferation of labels may create confusion rather than facilitate purchasing. Organisations, surveys and studies point to a risk of information overload and the need for clearer and more reliable labels”. In Commission Staff Working Document on Knowledge-Enhancing Aspects of Consumer Empowerment 2012–2014, SWD (2012) Final, 27.

71. ANEC is the European consumer association involved in standardization. A presentation of its activities is available on its website. Accessed June 14, 2015. http://www.anec.eu.

72. ANEC, “Caveat Emptor—Buyer Beware”. See Footnote 46.

  73. 73.

    Article 2.4 of the COM/2003/0240 final—Communication from the Commission to the Council and the European Parliament—Enhancing the Implementation of the New Approach Directives http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!DocNumber&lg=en&type_doc=COMfinal&an_doc=2003&nu_doc=240.

  74. 74.

    Christian Bock “CE Marking: What can legal metrology learn from intellectual property”—Milestone in Metrology III—Rotterdam conference 2009. Accessed June 14, 2015 http://fr.slideshare.net/cbock/ce-marking-what-can-legal-metrology-learn-from-intellectual-property.

  75. 75.

    Jacques Ghestin “Normalisation et contrat”, ed. “Le droit des normes professionnelles et techniques”,1985, (Bruylant), 504.

  76. 76.

    Article 8 of the Directive 2001/95/EC of the European Parliament and of the Council of December, 3 2001 on general product safety.

  77.

    Stephen Pericles Ladas. “Patents, trademarks and related rights”, 1975, Vol. II, p. 1290 et seq.—Harvard: Cambridge University Press. Larry Allman “Callman on Unfair Competition, Trademarks and Monopolies” 1998 (4th ed., St Paul: West Group) Vol. 3, Par. 17.18, p. 76 and R. Rozas et al. “Impact of Certification on Innovation and The Global Market Place” 1997, 598 and N. Dawson “Certification Trade Marks Laws and Practice”, 1988 (Intellectual Property Publishing, Ltd, London), 11 in Jeffrey Belson “Certification Marks”, 2002. (Sweet and Maxwell—London), 73.

  78.

    Jeffrey Belson “Certification Marks”, 73.

  79.

    Some certification schemes, like Google Trusted Stores or Trusted Shops GmbH in Germany, offer a complete refund of the purchase when a buyer makes the request. Google Trusted Stores “How the program works”. Accessed June 14, 2015 https://support.google.com/trustedstores/answer/1669761?hl=en.

  80.

    “A certificate is only an indication of the situation at a given moment in time (t) at which it is checked whether a product, process or person meets the requirements. It does not give any guarantee that such a product, process or person functions that well at t + 1.” In Meike Bokhorst “Effectiveness of certification and accreditation as a public policy instrument in the Netherlands” (Paper presented at ECPR conference in Reykjavik, 2010), 12.

  81.

    Germany, the Netherlands, Belgium, Luxembourg, the UK, Portugal, Spain and France have established a dedicated legal framework for certification. In Astrid Cormoto Uzcategui Angulo “Las marcas de certificacion”. (PhD diss., Universidad Federal de Santa Catarina—Brasil, 2006), 62.

  82.

    B. Brett Heavner “World-wide Certification-Mark Registration: A Certifiable Nightmare”, Bloomberg Law Reports, December 14, 2009.

  83.

    European Commission 2014. The Blue Guide on the implementation of EU product rules, 32.

  84.

    Directive 2000/14/EC of the European Parliament and of the Council of 8 May 2000 on the approximation of the laws of the Member States relating to the noise emission in the environment by equipment for use outdoors—OJ L 87 of 31/03/2009.

  85.

    Rodrigues, R., Wright, D., Barnard-Wills, D., De Hert, P., Remoti, L., Damvakeraki, T., Papakonstantinou, V., Beslay, L., Dubois, N., 2014. EU privacy seals project: Challenges and possible scope of an EU privacy seal scheme: final report study deliverable 3.4, 25.

  86.

    “…The controller or the processor acting on the controller’s behalf shall carry out an assessment of the impact of the envisaged processing operations on the rights and freedoms of the data subjects, especially their right to protection of personal data” state the Commission and Parliament versions of Article 33.1. Accessed June 14, 2015 http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/dv/comp_am_art_01-29/comp_am_art_01-29en.pdf. “…The controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.” states the Council version of Article 33.1, in Council of the European Union, 2014. Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [First reading] Chapter I, 27. Accessed June 14, 2015 http://data.consilium.europa.eu/doc/document/ST-13772-2014-INIT/en/pdf.

  87.

    “The assessment shall be documented and lay down a schedule for regular periodic data protection compliance reviews” states Article 33.3b of the Parliament version of the GDPR.

  88.

    “The controller and the processor and, if any, the controller’s representative shall make the assessment available, on request, to the supervisory authority” states Article 33a of the Parliament version of the GDPR.

  89.

    The Privacy and Data Protection Impact Assessment Framework for RFID Applications issued in 2011. Accessed June 14, 2015 http://cordis.europa.eu/fp7/ict/enet/documents/rfid-pia-framework-final.pdf. See also ISO 22307:2008—Financial services—Privacy impact assessment issued in 2008. A quick presentation of the content of the standard is available on the website of the ISO. Accessed June 14, 2015 http://www.iso.org/iso/home/news_index/news_archive/news.htm?refid=Ref1133.

  90.

    The ISO/IEC WD 29134—Privacy impact assessment—Methodology is still a Working Draft (WD) in the drafting process of the International Standardization Organization. Accessed June 14, 2015.

  91.

    Manufacturers are also required in the CE marking process to document the procedures they followed to ensure their conformity and keep this documentation available on request to the authorities.

  92.

    Article 33.1 of the Council version of the GDPR says “Where a type of processing in particular using new technologies, and taking into account the nature, scope or purposes of the processing, is likely to result in a high specific risks for the rights and freedoms of individuals”.

  93.

    “…The controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the rights and freedoms of the data subjects, especially their right to protection of personal data” state the Commission and Parliament versions of Article 33.1. Accessed June 14, 2015 http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/dv/comp_am_art_01-29/comp_am_art_01-29en.pdf.

  94.

    Recital 61 of the Council version of the GDPR introduces a list of principles to apply, while the Commission and Parliament versions do not provide any details on the measures to implement. Article 23.2 in all versions requires applying data minimisation and transparency in the processing of personal data. The measures suggested in the Council version of Recital 61 consist of “minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features”.

  95.

    During the plenary meeting of CEN-CENELEC JWG 8 ‘Privacy management in products and services’, which took place in Paris on 5 March 2015, the standardization bodies jointly accepted the standardization request on ‘Privacy management in the design and development and in the production and service provision processes of security technologies’. “The request aims at the implementation of Privacy-by-design principles for security technologies and/or services lifecycle. The new standardization deliverables are intended to define and share best practices balancing security, transparency and privacy concerns for security technologies, manufacturers and service providers in Europe”. Accessed June 14, 2015 http://www.cencenelec.eu/standards/Sectors/DefenceSecurityPrivacy/Privacy/Pages/default.aspx. See also the standardization request issued by the European Commission. Accessed June 14, 2015 ftp://ftp.cencenelec.eu/EN/EuropeanStandardization/Fields/Privacy/EN_privacy.pdf.

  96.

    Module A of the assessment modules requires the manufacturer to carry out the conformity assessment of its product itself in order to establish a Self-Declaration of Conformity (SDoC). See Footnote 38.

  97.

    The European Commission created an original mechanism of accreditation of Conformity Assessment Bodies in order to facilitate mutual recognition of conformity assessments within the CE marking process. Every Conformity Assessment Body authorized in a Member State to verify the conformity of products with the essential requirements must first be declared and recognised (“notified”, in the European Commission’s terminology) by the European Commission. Once accepted by the Commission, conformity assessments carried out by the notified bodies are recognised in all Member States.

  98.

    Most of the certification schemes in food safety, building, the housing industry and sanitary certification do not issue a seal. A recent study led by the European Commission found 464 agrifood certification schemes active in the EU, a large majority of which do not deliver a sign. See “The Inventory of certification schemes for agricultural products and foodstuffs marketed in the EU Member States”—Study conducted by Areté for DG AGRI. Accessed June 14, 2015 http://ec.europa.eu/agriculture/quality/certification/inventory/inventory-data-aggregations_en.pdf.

  99.

    News on Electronista.com, 27 November 2014, “Obama signs E-Label Act, allowing manufacturers to remove rear logos”. Accessed June 14, 2015 http://www.electronista.com/articles/14/11/27/regulatory.symbols.on.devices.can.be.removed.shown.in.software.instead/#ixzz3QW0GCzju. See the full text of the act on the website of the US Senate. Accessed June 14, 2015 http://www.fischer.senate.gov/public/_cache/files/4b6e357d-1414-4974-b1c7-9b0751cdd931/071014---e-label-act.pdf.

  100.

    Article 52.1(a) of the Parliament version of the proposed regulation states that the role of DPAs is to “monitor and ensure the application of this Regulation”, and subsection 1(d) adds that they shall “monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices”.

  101.

    See the recent experiment led by the Microsoft Bing team, which implemented a so-called Legalease meta-language in order to translate data protection requirements into encoded instructions. See Shayak Sen et al. “Bootstrapping Privacy Compliance in Big Data Systems”, 2014 (SP ’14 Proceedings of the 2014 IEEE Symposium on Security and Privacy, Oakland): 327–342. See also the experiment of the INRIA team, which suggests a log architecture in order to implement “strong accountability”, in Denis Butin et al. “Log Design for Accountability”. Article presented at the 4th International Workshop on Data Usage Management, 2013. Accessed June 14, 2015 http://www.ieee-security.org/TC/SPW2013/papers/data/5017a001.pdf.

  102.

    Bert J. Koops and Ronald Leenes “Privacy regulation cannot be hardcoded. A critical comment on the “privacy by design” provision in data protection law”, 2013. International Review of Law, Computers & Technology.

  103.

    Jaap-Henk Hoepman “Privacy Design Strategies” Article Presented at the Privacy Law Scholars Conference (PLSC) 2013. Accessed June 14, 2015. http://arxiv.org/abs/1210.6621.

  104.

    The blockchain in the Bitcoin project is a “public ledger of all Bitcoin transactions that have ever been executed. It is constantly growing as ‘completed’ blocks are added to it with a new set of recordings. The blocks are added to the blockchain in a linear, chronological order”. Investopedia entry for Blockchain, http://www.investopedia.com/terms/b/blockchain.asp.

  105.

    Smart contracts are “computer protocols that facilitate, verify, or enforce the negotiation or performance of a contract” says the Wikipedia entry—http://en.wikipedia.org/wiki/Smart_contract. See also the contributions of the American economist Nick Szabo on his blog. Accessed June 14, 2015 http://szabo.best.vwh.net/idea.html. See also the Ethereum project, which offers an open source framework for developers to easily design smart contracts in their applications. Accessed June 14, 2015 https://www.ethereum.org.

  106.

    Charith Perera (2015). “Privacy of Big Data in the Internet of Things Era.” IEEE IT Special Issue Internet of Anything, 6.

Bibliography

  • Abdmeziem, R., and D. Tandjaoui. 2014. Internet of things: concept, building blocks, applications and challenges. Cornell University Library, arXiv preprint arXiv:1401.6877. http://arxiv.org/pdf/1401.6877v1.pdf. Accessed 14 June 2015.

  • Allman, L. 1998. Callman on unfair competition, trademarks and monopolies, vol. 3, 4th edn. St Paul: West Group.

  • Anderson, J.A., et al. 2014. The internet of things will thrive by 2025 (Pew Internet Project report). http://www.pewinternet.org/files/2014/05/PIP_Internet-of-things_0514142.pdf. Accessed 21 Feb 2015.

  • ANEC. 2012. Caveat emptor—buyer beware. The European Association for the Co-ordination of Consumer Representation in Standardization. http://www.anec.eu/attachments/ANEC-SC-2012-G-026final.pdf. Accessed 14 June 2015.

  • Barron, M. 2007. Creating consumer confidence or confusion? The role of product certification in the market today. Marquette Intellectual Property Law Review 11(2).

  • Belson, J. 2002. Certification marks. London: Sweet and Maxwell.

  • Bennett, C.J. 2010. International privacy standards: can accountability be adequate (Privacy Laws and Business International).

  • Bock, C. 2009. CE marking: what can legal metrology learn from intellectual property. Milestone in Metrology III—Rotterdam conference 2009.

  • Bokhorst, M. 2010. Effectiveness of certification and accreditation as a public policy instrument in the Netherlands. Paper presented at ECPR conference in Reykjavik.

  • Consumer Research Associate Ltd. 2008. Certification and marks in Europe. A study commissioned by EFTA.

  • Dawson, N. 1988. Certification trade marks laws and practice. London: Intellectual Property Publishing Ltd.

  • European Commission. 2014. The Blue Guide on the implementation of EU product rules. http://ec.europa.eu/enterprise/newsroom/cf/itemdetail.cfm?item_id=732. Accessed 22 May 2015.

  • Ghestin, J. 1985. Normalisation et contrat, ed. Le droit des normes professionnelles et techniques (Bruylant).

  • Heavner, B. 2009. World-wide certification-mark registration: a certifiable nightmare. Bloomberg Law Reports, 14 Dec 2009.

  • Hirsch, D.D. 2010. The law and policy of online privacy: regulation, self-regulation or co-regulation? (ExpressO), 7. http://works.bepress.com/dennis_hirsch/1. Accessed 14 June 2015.

  • Hoepman, J.-H. 2013. Privacy design strategies. Article presented at the Privacy Law Scholars Conference (PLSC). http://arxiv.org/abs/1210.6621. Accessed 14 June 2015.

  • Jacobs, D. 2012. Updating the law of information privacy: the new framework of the European Union. Harvard Journal of Law & Public Policy 36.

  • Koops, B.-J., and R. Leenes. 2013. Privacy regulation cannot be hardcoded. A critical comment on the “privacy by design” provision in data protection law. International Review of Law, Computers & Technology.

  • Ladas, S. 1975. Patents, trademarks and related rights, vol. II, p. 1290 et seq. Harvard: Cambridge University Press.

  • Pelkmans, J. 1987. The new approach to technical harmonization and standardization. Journal of Common Market Studies XXV(3), 3 March 1987. https://courses.washington.edu/eulaw09/supplemental_readings/Pelkmans_New_Approach_Harmonization.pdf. Accessed 14 June 2015.

  • Perera, C., et al. 2015. Privacy of big data in the internet of things era. IEEE IT Special Issue Internet of Anything 6. http://arxiv.org/abs/1412.8339. Accessed 14 June 2015.

  • Podesta, J., et al. 2014. Big data: seizing opportunities, preserving values (Executive Office of the President). http://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf. Accessed 14 June 2015.

  • Robinson, N. 2009. Review of the European data protection directive. Cambridge: RAND. http://www.rand.org/pubs/technical_reports/TR710.html. Accessed 14 June 2015.

  • Rodrigues, R., D. Barnard-Wills, D. Wright, P. De Hert, L. Remoti, T. Damvakeraki, V. Papakonstantinou, L. Beslay, and N. Dubois. 2014. EU privacy seals project: challenges and possible scope of an EU privacy seal scheme: final report study deliverable 3.4. Trilateral Research, Vrije Universiteit Brussel for the Institute for the Protection and Security of the Citizen (IPSC).

  • Rozas, R., et al. 1997. Impact of certification on innovation and the global market place. London: Intellectual Property Publishing Ltd.

  • Sundmaeker, H., et al. 2010. Vision and challenges for realising the Internet of Things. CERP-IoT—Cluster of European Research Projects on the Internet of Things, European Commission—Information Society and Media DG-EUR-OP. http://www.theinternetofthings.eu/sites/default/files/Rob%20van%20Kranenburg/Clusterbook%202009_0.pdf. Accessed 14 June 2015.

  • Uzcategui-Angulo, A.C. 2006. Las marcas de certificacion. PhD diss., Universidad Federal de Santa Catarina, Brasil.

  • Uzumeri, M. 1997. ISO 9000 and other metastandards: principles for management practice? Academy of Management Executive 11(1).

  • Van der Zeijden, P.T., et al. 2002. Keurmerken, erkenningsregelingen en certificaten; klare wijn of rookgordijn? Zoetermeer: EIM Onderzoek voor Bedrijf en Beleid.

  • Wagley, J. 2013. EU privacy proposal criticized (Security Management website magazine).

  • Weber, R.H. 2009. Internet of things—Need for a new legal environment. Computer Law & Security Review 25(6), Nov 2009.

  • Weber, R.H. 2010. Internet of things—New security and privacy challenges.


Author information

Correspondence to Eric Lachaud.


Copyright information

© 2016 Springer Science+Business Media Dordrecht


Cite this chapter

Lachaud, E. (2016). Could the CE Marking Be Relevant to Enforce Privacy by Design in the Internet of Things? In: Gutwirth, S., Leenes, R., De Hert, P. (eds) Data Protection on the Move. Law, Governance and Technology Series, vol 24. Springer, Dordrecht. https://doi.org/10.1007/978-94-017-7376-8_6
