Comments by Schellman & Company, LLC on the European Data Protection Board’s Annex 1 of the “Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation 2016/679”
On 4 December 2018, the European Data Protection Board (“EDPB”) adopted a version of Annex 1 of the “Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation 2016/679” for public consultation. Schellman & Company, LLC submits the following comments regarding Annex 1 of the Guidelines on accreditation.
Schellman would like to thank the European Data Protection Board for the opportunity to submit comments on the previously adopted Guidelines on certification and now, Annex 1 of the Guidelines on accreditation. As a non‐EU organization impacted by the General Data Protection Regulation, such public consultation efforts are greatly appreciated.
In Schellman’s prior comments submitted regarding guidelines for potential certification criteria, Schellman supported a single European Data Protection seal framework by the European Union rather than several certification schemes by DPAs. Schellman continues to advocate for unification in any certification efforts and would encourage either an EDPB‐led seal or a collaborative pan‐EU/EEA certification scheme established by all EU DPAs acting collectively. Certification criteria devised by individual EU DPAs would almost certainly decrease the certifications’ quality and consistency of rigor, although the scenario of greatest concern would be that described in Section 4.5 of the Guidelines on accreditation, in which supervisory authorities perform both accreditation of certification bodies and certification issuance to data controllers and processor as a certification body. It is in apprehension of this scenario that Schellman will focus its comments.
Quality, Consistency, and Simplicity
Section 1 of the Guidelines stipulates that certification “should not lead to a lowering of the requirements of the GDPR,” which Emeritus Professor of International Law Douwe Korff, at London Metropolitan University, has astutely recognized as a concern for supervisory authority certification in his comments to the Article 29 Working Party regarding the draft of WP261: “a proliferation of national schemes could lead to a race to the bottom, with controllers and processors – including non‐EU/EEA controllers and processors – looking for the ‘easiest’, least‐demanding certification schemes as a way to reduce their obligations under the GDPR (possibly even avoiding full compliance).”
A primary goal in the GDPR’s replacement of the previous Directive was to eliminate such inconsistent implementation: “The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the way data protection is implemented across the Union.” The GDPR was intended to restore unity and eliminate the “differences in the level of protection of the rights and freedoms of individuals” under the Directive. However, DPA‐issued certifications for controllers and processors could threaten the unification which the GDPR was intended to, and ultimately did, achieve.
Privacy Shield’s Ideal Replacement
In spite of this agreement with Professor Korff, Schellman must dissent with his belief that certifications issued by independent organizations would not provide sufficient protections for data transferred to countries determined to lack adequate data protection. Professor Korff’s comparison to the problematic Privacy Shield program and its predecessor, Safe Harbor, is flawed as both the GDPR and the very nature of an ISO‐based certification framework would allow for oversight currently lacking in the Privacy Shield.
Privacy Shield suffers from a problem of scale: an inflexible program negotiated once at the national level, with only a biennial review resulting in the continuation or revocation of the program. In contrast to this infrequent and binary oversight option, an adaptive certification scheme allowing certification by accredited third‐party assessors would grant unprecedented levels of oversight by any DPA at any time necessary. Per Article 58(2)(h) of the GDPR, any relevant supervisory authority may order the withdrawal of a certification or preemptively order a certification body not to issue one. This is, potentially, an even greater level of corrective oversight than DPA‐issued certifications would provide, as the consistency mechanism of Recital 135 may complicate such a challenge of another supervisory authority’s certificate issuance.
Additionally, Sections 4 and 6 of the Annex provide extensive and well‐considered safeguards and requirements for the procurement and maintenance of certification body accreditation. In the event an incompetent or unethical certification body was accredited, withdrawal of accreditation per Section 18.104.22.168 of the Annex would be an efficient recourse mechanism. Not only did Privacy Shield allow any US company to obtain a self‐certified seal without independent assessment, there was never a recourse mechanism for revocation of the seal from the EU, as only the US Department of Commerce (DOC) could remove an organization’s seal. Simply put, what went wrong with Privacy Shield cannot go wrong with a seal issued by independent certification bodies, as DPAs would be the deciding parties in any case.
Avoiding Conflicts of Interest
Many foreign regulatory bodies and organizations such as Schellman look to the European Union as the current vanguard for personal data protection as a human right. To avoid compromising the pursuit of such an admirable ideal, Schellman believes that supervisory authorities should be discouraged from a scenario which would result in actual or perceived conflicts of interest. There is an unfortunate misconception among some foreign organizations compelled to abide by the GDPR, where potential fines are viewed as an avenue to bring international money into the EU. If certifications were issued only by European supervisory authorities, only EU organizations would have the option of obtaining a certification from a local assessor. This could appear protectionist to any doubtful foreign businesses.
To dispel the myths of the GDPR as a source of unscrupulous EU income, the EDPB could ensure that foreign organizations can obtain a certification from a trusted local certification body with whom they may already have an established relationship. Foreign organizations on the brink of pulling operations from the EU entirely may be tipped into isolationism if expected to pay both certification fees and potential fines to the same Member State. Many US companies will make a final decision on participation in the EEA market based on the availability of a certification mechanism. A Silicon Valley startup is more likely to ignore the EEA market entirely than struggle against a nine‐hour time zone offset to obtain a certification from a German supervisory authority. This outcome would run counter to one stated goal of the GDPR: to increase economic activity in the EEA single market.
In addition to problems of perception, the GDPR as a globally enforceable regulation should be matched with a globally available certification mechanism. It would be an unfair burden upon, for example, to force small and medium Pakistani, Ecuadorian, or Kenyan organizations to struggle against time zones, geographic distance, cultural differences, and language barriers in pursuit of a certification from an unfamiliar foreign government rather than using a local certification body equipped to manage these challenges and offered for a regionally‐appropriate cost. Supervisory authorities issuing certifications may have to conduct the assessment remotely with a lower standard of rigor, outsource the fieldwork to a qualified local firm (which could have completed the entire assessment), conduct the assessment at a net financial loss, or charge an exorbitant fee for an on‐site assessor, acting as a prohibitive and punitive cost to organizations in poor or remote locations such as Africa, Oceania, and South America.
Certification bodies such as audit firms and accredited assessors also play a critical role in developing the regional expertise of data protection professionals, who often move between assessment and industry roles in a data controller or processor organization. If the EU truly values the global advancement of data protection for European Union data subjects, it should support and encourage a global ecosystem of privacy professionals actively practicing and advocating for the GDPR through certification activities in every country. These professionals can best represent and locally implement the GDPR’s principles.
Budgetary and Resource Limitations
In addition to the theoretical concerns of DPA‐issued certifications, Schellman would oppose placing any additional logistical strain on the financial and human resources of supervisory authorities who would become responsible for a substantial administrative burden when issuing certifications directly. As an audit firm specializing in privacy and security assessments, Schellman can attest to the level of effort and resources necessary to rigorously assess an organization processing personal data in a complex technical system. Experienced personnel with the technical and legal knowledge to manage such an undertaking may be difficult for supervisory authorities to recruit, retain, and pay without operating at a loss. Existing independent assessors have the resources and experience to offer certification services at the most efficient price. Additionally, organizations may view the reasonable cost of such a comprehensive assessment to be an unfair requirement from the same regulatory body which would investigate its compliance failures and determine punitive fines influenced by the very certification status in question.
Complaint investigations by supervisory authorities are already an arduous, backlogged process. Schellman strongly supports both the legislative and regulatory roles of the DPAs in implementing the GDPR and would be disappointed to see critical resources diverted away from pending investigations of legal transgressions and toward the issuance of certifications. Independent assessors are much better prepared to execute certification issuance, without imposing another task on the overburdened DPAs.
Schellman & Company implores the European Data Protection Board to disallow or discourage supervisory authorities from directly issuing certifications to data controllers and processors, and also mandate the accreditation of some portion of domestic and non‐EU certification bodies. A broad range of international accredited certification bodies will best ensure compliance with the requirements of the GDPR, encourage global participation in the EEA market, and strengthen data protection for EU data subjects’ personal information. In Section 4.5 of the Guidelines on accreditation, the EDPB asks supervisory authorities to “anchor and facilitate certification mechanisms while taking precautions to avoid conflicts of interest that may arise from these tasks.” Schellman & Company holds the position that to genuinely avoid conflicts of interest, supervisory authorities should focus on establishing accreditation for independent certification bodies and entrust the certification practices to competent independent assessors.