Abstract
This chapter gives an overview of the certification and audit mechanisms envisioned by Articles 42 and 43 of the new General Data Protection Regulation (GDPR). Audit and certification mechanisms are means of co-regulation aimed at creating market incentives. This optional enforcement layer is meant to raise the standard of privacy protection. That this goal was not widely achieved in the past was mainly due to the lack of common standards for the informative value of privacy seals and marks. In the first section the authors highlight key cornerstones of European and in particular German data protection law with regard to the fundamental right to informational self-determination. Differences and similarities between audit and certification concepts with regard to scope, mode and standard of examination, verifying authority and legal effects are then explained in the second section. The general approach and specific aspects of the GDPR with regard to certification mechanisms are examined in the final section. Although the certification and audit mechanisms envisioned by the GDPR are limited to demonstrating mere adherence to data protection law, the authors emphasize the key merit of Articles 42 and 43 GDPR: the opportunity to create transparency through a system of harmonized standards for privacy seals and marks.
Notes
- 1. Reg (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, [2016] OJ L 119/1.
- 2. Dir (EU) 2016/680 on the protection of natural persons with regard to processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, [2016] OJ L 119/89.
- 3. Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, [2008] OJ L 350/60.
- 4. Kühling and Martini (2016), pp. 448, 449.
- 5.
- 6. See Hornung (2011), p. 51; this is now addressed by Art 25 GDPR (“data protection by design and by default”).
- 7. On the economic perspective on privacy seals cf. Waelbroeck (2018), p. 133.
- 8. Bock (2016), p. 335.
- 9.
- 10.
- 11.
- 12. Cavoukian and Chibba (2018), p. 59 ff.
- 13.
- 14. Lachaud (2016), p. 814.
- 15. Bundesverfassungsgericht (BVerfG), 15.12.1983, 65 Entscheidungen des Bundesverfassungsgerichts 1; on this “fundamental rights innovation” cf. Hornung (2015), p. 266 ff.
- 16. Germany already had a Federal Data Protection Act before the population census decision. It was enacted in 1977, but had to be completely revised after the population census decision. The new Data Protection Act entered into force in 1990. After the Data Protection Directive 95/46/EC had been enacted in 1995, it took the German federal legislator 6 years to transpose this directive into a new Data Protection Act.
- 17. This is not to say that the Bundesverfassungsgericht invented all those principles, since it could resort to the works of scholars, but it made those principles mandatory even for the legislator.
- 18. Arts 10, 11, 12, 14, 18 of Dir 95/46/EC.
- 19. Art 6(1)(b) of Dir 95/46/EC.
- 20. Art 6(1)(c) of Dir 95/46/EC.
- 21. BVerfG (n 15) 46 f.
- 22. Hornung and Schnabel (2009), pp. 84, 88.
- 23.
- 24. Bird & Bird (2016), p. 54.
- 25. Bird & Bird (2016), p. 47.
- 26.
- 27. In Germany, the respective national laws were enacted very quickly. § 26 of the new Federal Data Protection Act (Bundesdatenschutzgesetz) makes use of the opening clause of Art 88 GDPR.
- 28. Some of the ideas mentioned in this section are based on Hornung and Hartl (2014), p. 219.
- 29. Roßnagel (2000), p. 65 ff.
- 30. With regard to § 9a FDPA, the term “product audit” is also used, see Scholz (2014), margin note 24.
- 31. ENISA (2017), p. 13.
- 32. See the economic analysis by Waelbroeck (2018), pp. 135 ff., 141 ff.
- 33. Hornung and Hartl (2014), p. 220.
- 34.
- 35.
- 36. Schläger (2004), p. 460.
- 37. On the example of cyber-physical systems, see Barnard-Wills (2018), p. 113.
- 38. Roßnagel (2011), p. 267.
- 39.
- 40. Roßnagel (2000), p. 141 f.
- 41. Weichert (2010), margin note 11.
- 42. In the context of the 2009 amendment of the German FDPA this ‘minimum standard’ was rejected and regarded as a ‘bureaucratic duplication’ of the duty to observe the law, see Grentzenberg et al. (2009), pp. 535, 542.
- 43. This is for example the case in the existing scheme of Schleswig-Holstein, cf. Hansen (2018), p. 40 f. One could also consider mixed models and the (advisory) participation of additional institutions such as consumer protection organisations or foundations (e.g. the German data protection foundation).
- 44. This would be Roßnagel’s concept. Hammer and Schuler (2007), p. 81 use a different terminology.
- 45. Hammer and Schuler (2007), p. 78 f. with regard to “fiberizing” of certificates.
- 46. This was also criticized in the course of the 2009 amendment of the German FDPA, see Hammer and Schuler (2007), p. 78 f.
- 47.
- 48. Dieterich (2016), p. 260.
- 49. Windmann (2010), pp. 396, 401 f.
- 50. In an alternative model, the verifying authority would be liable for flawed audits and certificates. With regard to difficulties of proof and the sparsely developed concept of liability in data protection law, this approach does not seem practicable, see AG Rechtsrahmen des Cloud Computing (2012), p. 18.
- 51.
- 52. Bräutigam and Sonnleithner (2011), pp. 240, 242.
- 53.
- 54. As is the case in the German Länder of Bremen, Mecklenburg-Vorpommern and Schleswig-Holstein.
- 55.
- 56. Currently, these privileges do not exist. As a result, existing private seals regarding commissioned data processing suffer from a lack of legal certainty, see Borges and Brennscheidt (2012), p. 68.
- 57. For example Lepperhoff and Jaspers (2013), p. 617; a current standard (together with a seal) was developed in 2013 by the German associations GDD and BvD and coordinated by the Data Protection Commissioner of Nordrhein-Westfalen (Der LfDI Nordrhein-Westfalen 2014, p. 6), for further information see www.dsz-audit.de.
- 58.
- 59.
- 60. Roßnagel (2011), p. 275.
- 61. Roßnagel (2000), p. 140.
- 62. Scholz (2014), margin note 8 with further references.
- 63. See, for example, the comment by the German association DVD e.V.: Schuler (2007), pp. 181, 182: “It may be doubted […] that the voluntary certificate is already issued for compliance with data protection law. This means, that one certifies that there is no infringement of law. Apart from sending the wrong message, there is no additional advantage that can be gained for consumers”.
- 64. BT-Drs. 16/12011.
- 65. BT-Drs. 16/12011, 38.
- 66. Roßnagel (2011), p. 277.
- 67. Grentzenberg et al. (2009), p. 542 with further references.
- 68. See n 58.
- 69.
- 70. For further information and the list of products, see https://www.datenschutzzentrum.de/guetesiegel/index.htm; for figures and examples see Hansen (2018), p. 42 f.
- 71. Holst (2014), p. 710.
- 72. Meissner (2008), p. 525.
- 73.
- 74.
- 75. See Art. 29 Working Party (2010), p. 9 and in particular 17 ff.
- 76. See COM(2010) 609 final, 12 f.
- 77. COM(2012) 11 final.
- 78.
- 79. European Parliament Doc 7427/14.
- 80. See Kamara and De Hert (2018), p. 12 f.
- 81. Hornung and Hartl (2014), p. 223 f.
- 82. Council Doc 9565/15; cf. Kamara and De Hert (2018), p. 13 and the analysis of Korff (3 October 2014), http://eulawanalysis.blogspot.nl/2014/10/warning-eu-council-is-trying-to.html.
- 83. Spindler (2016), pp. 407, 408; Art 70(1) lit. n) GDPR contains a similar rule with regard to the European Data Protection Board.
- 84. However, supervisory authorities, which are also considered certification bodies, are not accredited at all.
- 85. Reg (EC) No 765/2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products [2008] OJ L 218/30, see ENISA (2017), p. 14.
- 86. Cf. Kamara and De Hert (2018), p. 21 f.
- 87.
- 88. Cf. ENISA (2017), p. 22.
- 89.
- 90.
- 91. With regard to this “presumption of conformity” see Spindler (2016), p. 414.
- 92. See, for example, CJEU, Case C-326/96 B.S. Levez vs. T.H. Jennings (Harlow Pools) Ltd., ECLI:EU:C:1998:577.
- 93.
- 94. On the details of the process see Kamara and De Hert (2018), p. 22 ff.
- 95.
- 96. See Lachaud (2016), p. 825.
- 97.
- 98.
- 99. See Lachaud (2016), p. 818.
- 100. See Kamara and De Hert (2018), p. 20 f.
- 101.
- 102. See also ENISA (2017), p. 23 f.
- 103.
- 104. Cf. Kamara and De Hert (2018), p. 24 ff.
- 105. Spindler (2016), p. 413.
- 106.
- 107.
- 108. See Kamara and De Hert (2018), p. 28 f.
- 109.
- 110. On this perspective and the possibilities to transfer concepts and experiences in the area of data protection, see Balboni and Dragan (2018), p. 83 ff.
References
AG Rechtsrahmen des Cloud Computing. (2012). Datenschutzrechtliche Lösungen für Cloud Computing. http://www.tcdp.de/data/pdf/01_Thesenpapier_Datenschutzrechtliche-Loesungen-fuer-Cloud-Computing.pdf
Art. 29 Working Party, WP 173. (2010). Opinion 3/2010 on the principle of accountability. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp173_en.pdf
Balboni, P., & Dragan, T. (2018). Controversies and challenges of trustmarks: Lessons for privacy and data protection seals. In R. Rodrigues & V. Papakonstantinou (Eds.), Privacy and data protection seals (p. 83). Berlin, Germany: Springer.
Barnard-Wills, D. (2018). The potential for privacy seals in emerging technologies. In R. Rodrigues & V. Papakonstantinou (Eds.), Privacy and data protection seals (p. 113). Berlin, Germany: Springer.
Bäumler, H. (2002). Marktwirtschaftlicher Datenschutz. Datenschutz und Datensicherheit, 325.
Bäumler, H. (2004). Ein Gütesiegel für den Datenschutz. Datenschutz und Datensicherheit, 80.
Bergt, M. (2017). ‘Art. 41’, ‘Art. 42’ and ‘Art. 43’. In J. Kühling & B. Buchner (Eds.), DS-GVO. Munich, Germany: C.H. Beck.
Bird & Bird. (2016). Guide to the general data protection regulation. https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/bird%2D%2Dbird%2D%2Dguide-to-the-general-data-protection-regulation.pdf?la=en
Bock, K. (2016). Data protection certification: Decorative or effective instrument? Audit and seals as a way to enforce privacy. In D. Wright & P. De Hert (Eds.), Enforcing privacy: Regulatory, legal and technological approaches (p. 335). Heidelberg, Germany: Springer.
Borges, G., & Brennscheidt, K. (2012). Rechtsfragen des Cloud Computing – ein Zwischenbericht. In G. Borges & J. Schwenk (Eds.), Daten- und Identitätsschutz in Cloud Computing, E-Government und E-Commerce (1st ed., p. 43). Berlin, Germany: Springer.
Bräutigam, P., & Sonnleithner, B. (2011). Stiftung Datenschutz – Ein Schritt in die richtige Richtung. Anwaltsblatt, 240.
Carvais-Palut, J. (2018). The French privacy seal scheme: A successful test. In R. Rodrigues & V. Papakonstantinou (Eds.), Privacy and data protection seals (p. 49). Berlin, Germany: Springer.
Cavoukian, A., & Chibba, M. (2018). Privacy seals in the USA, Europe, Japan, Canada, India and Australia. In R. Rodrigues & V. Papakonstantinou (Eds.), Privacy and data protection seals (p. 59). Berlin, Germany: Springer.
Der LfDI Nordrhein-Westfalen. (2014). Datenschutzsiegel in Nordrhein-Westfalen. Datenschutz und Datensicherheit, 6.
Dieterich, T. (2016). Rechtsdurchsetzungsmöglichkeiten der DS-GVO: Einheitlicher Rechtsrahmen führt nicht zwangsläufig zu einheitlicher Rechtsanwendung. Datenschutz und Datensicherheit, 260.
Eckhardt, J. (2017). Art. 42. In H. Wolff & S. Brink (Eds.), BeckOK Datenschutzrecht (22nd ed.). Munich, Germany: C.H. Beck.
European Union Agency For Network and Information Security (ENISA). (2013). On the security, privacy and usability of online seals. https://www.enisa.europa.eu/publications/on-the-security-privacy-and-usability-of-online-seals
European Union Agency For Network and Information Security (ENISA). (2017). Recommendations on European data protection certifications. https://www.enisa.europa.eu/publications/recommendations-on-european-data-protection-certification
Feik, S., & von Lewinski, K. (2014). Der Markt für Datenschutz-Zertifizierungen. Zeitschrift für Datenschutz, 59.
Grentzenberg, V., Schreibauer, M., & Schuppert, S. (2009). Die Datenschutznovelle (Teil II). Kommunikation und Recht, 535.
Hammer, V., & Schuler, K. (2007). Cui bono? – Ziele und Inhalte eines Datenschutz-Zertifikats. Datenschutz und Datensicherheit, 77.
Hansen, M. (2018). The Schleswig-Holstein data protection seal. In R. Rodrigues & V. Papakonstantinou (Eds.), Privacy and data protection seals (p. 35). Berlin, Germany: Springer.
Heilmann, S., & Schulz, W. (2018). ‘Art. 42’ and ‘Art. 43’. In S. Gierschmann, K. Schlender, R. Stentzel, & W. Veil (Eds.), Kommentar Datenschutz-Grundverordnung. Cologne, Germany: Bundesanzeiger Verlag.
Holst, S. (2014). Bremische Datenschutzauditverordnung in Kraft. Datenschutz und Datensicherheit, 710.
Hornung, G. (2011). Eine Datenschutz-Grundverordnung für Europa?. Zeitschrift für Datenschutz, 51.
Hornung, G. (2013). Regulating privacy enhancing technologies: Seizing the opportunity of the future European Data Protection Framework. Innovation: The European Journal of Social Science Research, 26, 181.
Hornung, G. (2014). Europa und darüber hinaus – Konzepte für eine Neuregelung des Datenschutzes im Internet und in sozialen Netzwerken. In H. Hill & U. Schliesky (Eds.), Die Neubestimmung der Privatheit (p. 123). Baden-Baden, Germany: Nomos.
Hornung, G. (2015). Grundrechtsinnovationen. Tübingen, Germany: Mohr Siebeck.
Hornung, G. (2017). Art. 42. In M. Eßer, P. Kramer, & K. von Lewinski (Eds.), DSGVO BDSG (5th ed.). Cologne, Germany: Carl Heymanns Verlag.
Hornung, G., & Hartl, K. (2014). Datenschutz durch Marktanreize – auch in Europa? Stand der Diskussion zu Datenschutzzertifizierung und Datenschutzaudit. Zeitschrift für Datenschutz, 219.
Hornung, G., & Sädtler, S. (2012). Europas Wolken – Die Auswirkungen des Entwurfs für eine Datenschutz-Grundverordnung auf das Cloud Computing. Computer und Recht, 638.
Hornung, G., & Schnabel, C. (2009). Data protection in Germany I: The population census decision and the right to informational self-determination. Computer Law & Security Review, 25, 84.
Kamara, I., & De Hert, P. (2018). Data protection certification in the EU: Possibilities, actors and building blocks in a reformed landscape. In R. Rodrigues & V. Papakonstantinou (Eds.), Privacy and data protection seals (p. 7). Berlin, Germany: Springer.
Korff, D. (2014, October 3). Warning: The EU council is trying to undermine privacy seals (and through this, the General data protection regulation). EU Law Analysis Blog. http://eulawanalysis.blogspot.nl/2014/10/warning-eu-council-is-trying-to.html
Kühling, J. (2007). Datenschutz in einer künftigen Welt allgegenwärtiger Datenverarbeitung – Aufgabe des Rechts? Die Verwaltung, 40, 153.
Kühling, J., & Martini, M. (2016). Die Datenschutz-Grundverordnung: Revolution oder Evolution im europäischen und deutschen Datenschutzrecht? Europäische Zeitschrift für Wirtschaftsrecht, 448.
Kühling, J., Martini, M., Heberlein, J., Kühl, B., Nink, D., Weinzierl, Q., et al. (2016). Die Datenschutz Grundverordnung und das nationale Recht. Münster, Germany: Monsenstein und Vannerdat.
Lachaud, E. (2016). Why the certification process defined in the General Data Protection Regulation cannot be successful. Computer Law & Security Review, 32, 814–826.
Lepperhoff, N. (2017). Art. 42. In P. Gola (Ed.), DS-GVO. Munich, Germany: C.H. Beck.
Lepperhoff, N., & Jaspers, A. (2013). Neuer Datenschutzstandard DS-BvD-GDD-01 mit passendem Gütesiegel. MultiMedia und Recht, 617.
Meissner, S. (2008). Zertifizierungskriterien für Datenschutzgütesiegel EuroPriSe. Datenschutz und Datensicherheit, 525.
Paal, B. (2018). Art. 42. In B. Paal & D. Pauly (Eds.), Datenschutz-Grundverordnung Bundesdatenschutzgesetz (2nd ed.). Munich, Germany: C.H. Beck.
Raschauer, N. (2017). Art. 42. In G. Sydow (Ed.), Europäische Datenschutzgrundverordnung. Baden-Baden, Germany: Nomos.
Roßnagel, A. (1997). Datenschutzaudit. Datenschutz und Datensicherheit, 505.
Roßnagel, A. (2000). Datenschutzaudit. Wiesbaden, Germany: Springer.
Roßnagel, A. (2007). Datenschutz in einem informatisierten Alltag. Berlin, Germany: Friedrich-Ebert-Stiftung.
Roßnagel, A. (2011). Datenschutzaudit – ein modernes Steuerungsinstrument. In L. Hempel, S. Krasmann, & U. Bröckling (Eds.), Sichtbarkeitsregime (1st ed., p. 277). Wiesbaden, Germany: Springer.
Schantz, P. (2016). Die Datenschutz-Grundverordnung – Beginn einer neuen Zeitrechnung im Datenschutzrecht. Neue juristische Wochenschrift, 1841.
Schläger, U. (2004). Gütesiegel nach Datenschutzauditverordnung Schleswig-Holstein. Datenschutz und Datensicherheit, 459.
Scholz, P. (2014). § 9a BDSG. In S. Simitis (Ed.), Bundesdatenschutzgesetz (8th ed.). Baden-Baden, Germany: Nomos.
Schuler, K. (2007). Stellungnahme zum Bundesdatenschutzauditgesetz vom 7. September 2007. Datenschutznachrichten, 181.
Schwartmann, R., & Weiß, S. (2016). Ko-Regulierung vor einer neuen Blüte (Teil 1). Recht der Datenverarbeitung, 68.
Spindler, G. (2016). Selbstregulierung und Zertifizierungsverfahren nach der DS-GVO: Reichweite und Rechtsfolgen der genehmigten Verhaltensregeln. Zeitschrift für Datenschutz, 407.
von Braunmühl, P. (2016). Art. 42. In K. Plath (Ed.), BDSG DSGVO (2nd ed.). Cologne, Germany: Otto Schmidt.
Waelbroeck, P. (2018). An economic analysis of privacy seals. In R. Rodrigues & V. Papakonstantinou (Eds.), Privacy and data protection seals (p. 133). Berlin, Germany: Springer.
Wagner, E. (2011). Bundesstiftung Datenschutz - Chancen? Grenzen! Eine Erwiderung auf Piltz/Schulz, Stiftung Datenschutz - moderner Datenschutz neu gedacht. Recht der Datenverarbeitung, 229.
Weichert, T. (2010). § 9a. In W. Däubler, T. Klebe, P. Wedde, & T. Weichert (Eds.), Bundesdatenschutzgesetz (3rd ed.). Frankfurt am Main, Germany: Bund-Verlag.
Will, M. (2017). Art. 42. In E. Ehmann & M. Selmayr (Eds.), Datenschutz-Grundverordnung. Munich, Germany: C.H. Beck.
Windmann, J. (2010). Der Verifikateur und der Aufsichtsbeamte als zentrale Elemente des Sachverständigen-Vollzugsmodells im Technikrecht. Die öffentliche Verwaltung, 396.
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this chapter
Hornung, G., Bauer, S. (2019). Privacy Through Certification?: The New Certification Scheme of the General Data Protection Regulation. In: Rott, P. (eds) Certification – Trust, Accountability, Liability. Studies in European Economic Law and Regulation, vol 16. Springer, Cham. https://doi.org/10.1007/978-3-030-02499-4_5
DOI: https://doi.org/10.1007/978-3-030-02499-4_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-02498-7
Online ISBN: 978-3-030-02499-4
eBook Packages: Law and Criminology (R0)