EU Certificate May Be U.S. Data Transfer Alternative

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

Aug. 3 — A European Union-administered privacy trust mark system might provide a viable data transfer alternative to the new but potentially vulnerable EU-U.S. Privacy Shield.

A trust seal program might provide privacy compliance certainty for U.S. companies and their EU associates, help provide a more widespread and effective EU enforcement mechanism and expand the alternatives for legally transferring data to the U.S., privacy attorneys and officials told Bloomberg BNA.

EU privacy regulators said they will release guidance by the end of 2016 on how a trust seal program could work under the new EU General Data Protection Regulation (GDPR).

EU privacy seal

D. Reed Freeman, a partner and co-chair of the Cybersecurity, Privacy and Communications practice at Wilmer Cutler Pickering Hale and Dorr LLP in Washington told Bloomberg BNA that companies would welcome a wider choice when it comes to mechanisms to legitimize their data transfers.

“There is a vacuum to be filled here. More options in the market is something the market always likes. In general, where compliance certainty can be provided, you'll see widespread adoption,” he said.

Isabelle Falque-Pierrotin, chairwoman of the Article 29 Working Party of privacy officials and president of France's privacy office (CNIL), told Bloomberg BNA that a certification program would help U.S. companies and might even influence privacy leaders in Asia to increase privacy certification efforts.

But some EU privacy officials and attorneys said a trust mark system would be more expensive for U.S. companies to implement than the Privacy Shield.

Fragile Privacy Shield?

The Privacy Shield was launched as a replacement for the U.S.-EU Safe Harbor program. The Safe Harbor was invalidated by the European Court of Justice, the EU's top court.

More than 4,000 U.S. companies and tens of thousands of EU companies that relied on the Safe Harbor to legitimize their transfers of the personal data of EU citizens to the U.S. were left with a limited menu of alternatives. Many U.S. companies are expected to join the U.S. Department of Commerce-administered Privacy Shield, but that may only be a temporary fix if the replacement program is itself invalidated by the ECJ.

Commerce opened the doors to the Privacy Shield self-certification scheme Aug. 1.

The Privacy Shield stands on fragile legal ground according to some EU privacy officials, privacy advocacy groups and attorneys, although EU privacy officials recently announced a one-year moratorium on legal challenges to the program (15 PVLR 1547, 8/1/16).

Another legal alternative, standard contractual clauses (SCCs) may also be in trouble.

SCCs are model contracts established by the European Commission, the EU's executive arm, that companies may adopt in individual business agreements to prove their adherence to principles of the 1995 EU Data Protection Directive (95/46/EC). But the Irish High Court is expected in early 2017 refer SCCs to the ECJ for a ruling on whether they sufficiently protect EU privacy rights.

EU Privacy Reg Foundation

The GDPR, which is set to take effect in May 2018, authorizes a privacy certification program overseen by EU privacy regulators.

The GDPR foresees development of codes of conduct and privacy seals, which may be applied broadly for international data transfers.

GDPR Article 42 states that approved codes of conduct and privacy seals that place “binding and enforceable commitments” on data controllers or processors in non-EU countries, and that protect the rights of data subjects, will be recognized as valid for EU data exports.

Carlo Piltz, an information technology and data protection law lawyer with JBB in Berlin, told Bloomberg BNA that privacy certifications under the GDPR would be overseen by privacy regulators or recognized certification bodies and might “be a smooth way to legitimize data transfers.”

The EU, however, has limited experience of developing official privacy certification schemes. The predecessor Data Protection Directive authorized development of codes of conduct for EU companies but didn't mention privacy seals.

The GDPR sets up a much more formalized and rigorous architecture for codes of conduct and privacy certification, with privacy regulators playing a central role.

Codes of conduct would be drawn up by industry sectors, or could cover specific types of data processing, and would be validated by the new European Data Protection Board (EDPB) and the European Commission, which would issue a legal act recognizing each code of conduct.

The GDPR also creates obligations for privacy regulators or accreditation bodies to monitor, revoke and record codes of conduct. The EDPB will be the successor body to the Article 29 Working Party of EU privacy officials. Unlike the Art. 29 Party, the EDPB will have some power to resolve disputes among privacy offices from EU countries.

In addition to codes of conduct, certification and data protection seals would be a separate option. Privacy regulators and/or third parties accredited by the regulators would offer certification, which would be valid for a maximum of three years.

Large-Scale Application

The overall impact would be greater powers for privacy regulators and the EDPB to legitimize data processing operations, including those carried out in non-EU countries. But the ability to utilize third parties to administer a trust seal system may be the most compelling reason for privacy officials to push for an international data transfer trust seal program.

Falque-Pierrotin said that privacy certification is “a way to ensure compliance efforts on a large scale.”

It is “unrealistic to believe that only the regulators can do the job” of ensuring compliance, and through certification mechanisms, the job would in effect be outsourced, she said. Under the GDPR, privacy offices and the EDPB would be able to recognize certification schemes managed by accreditation bodies.

However, certification “needs to be in an architecture that is defined” by privacy officials and lawmakers, Falque-Pierrotin said. “Certification as an activity needs to be organized. It has to be in a framework,” she added.

The forthcoming Art. 29 guidance on codes of conduct and certification will “clarify how we view this activity of certification,” Falque-Pierrotin said. The guidance will set out parameters on issues such as criteria for certification bodies and what guarantees they should provide to privacy officials, she said.

The EU interest in certification programs may be influential in Asia, where countries are “very much interested in certification,” Falque-Pierrotin said.

French Certification Experience

France has been active in its own privacy certification program so stands in a strong position to shepherd any move towards an EU-wide trust mark system.

CNIL is a rarity among EU privacy regulators in that it already issues certification, covering four types of activity:

  •  privacy audits;
  •  privacy training;
  •  data protection and respect for privacy rights in organizational governance; and
  •  the use of “digital safes” for secure online data storage.

In each of these areas, CNIL issues lists of requirements that organizations must meet to obtain certification and the accompanying trust seal label issued by the privacy office.

Gwendal Le Grand, CNIL director of technology and innovation, told Bloomberg BNA that CNIL's organizational governance certification may in principle cover international data transfers and would be “recognized as being sufficient in many countries” as a safeguard of data subjects' rights.

France's experience of certification “will be very useful” in the expansion of certification across the EU, and the CNIL certification for organizational governance “probably can be quickly Europeanized,” Le Grand said

The certification is grounded in France's data protection law that transposed the expiring EU Data Protection Directive into national law. That national law will be replaced by the GDPR.

If modified to be in line with the GDPR and recognized by the EDPB, CNIL certification may become available across the EU and could be the basis for a European Data Protection Seal.

“The regulation is drafted in such a way to allow this European seal to emerge,” Le Grand said.

CNIL certification takes up to eight months and is free of charge, though “we don't know yet if the CNIL's work will continue to be free,” after the transition to the GDPR, Le Grand said.

Trust Marks More Expensive

Another form of certification available in the EU is offered by Bonn, Germany-based EuroPriSe, an independent privacy certification organization spun out of an EU-funded project. EuroPriSe offers a “European Privacy Seal” to information technology products and services, including websites. The seal is valid only in the EU.

Sebastian Meissner, head of EuroPriSe, told Bloomberg BNA certification might replace the Privacy Shield.

However, different transfer mechanisms will co-exist. Obtaining privacy office-approved EU certification may be “a tougher task than to comply with Privacy Shield,” Meissner said. Certification as foreseen under the GDPR would involve “some cost and effort and not all companies are ready to take that road,” he said.

Piltz agreed. He said “the implementation of such seals or certifications might turn out to be costly in terms of time and effort.”

By comparison, the implementation of SCCs “is very easy for companies” and may be done “without much effort,” Piltz added.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Donald G. Aplin at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security