PhD Defense E.M.T. Lachaud
What could be the contribution of certification to data protection regulation?
- Location: Cobbenhagen building, Auditorium (access via Koopmans building)
- Supervisors: Prof. R.E. Leenes, Prof. C. Stuurman
This research examines the contribution of certification to data protection. Certification is commonly defined as the attestation of conformity granted by a third-party entity that has obtained assurance that conformity with predefined requirements has been demonstrated through a conformity assessment. The market and the International Standardization Organization (ISO) recognize that the attestation of conformity and the conformity assessment together form a system called a “certification scheme”. On the basis of such a scheme, the conformity of products, services, management systems or people’s knowledge can be certified against a set of criteria.

The discussion on the possible contribution of certification to the European data protection framework started a decade ago. Some contributors stressed the opportunities offered by certification in the regulation of data processing to achieve a good level of data protection. Others argued that businesses could use certification to demonstrate compliance and reassure customers. Others thought that entrusting certification schemes to recognized certification bodies could improve the enforcement of data protection legislation.

When this research was initiated in mid-2012, only a few data protection certification schemes were available on the market. The contribution of certification to data protection had never been evaluated and was barely discussed in scholarly literature, especially in legal studies. These reasons convinced the author that research should be initiated to determine whether, how and to what extent certification can help data controllers and data processors comply with data protection principles. This desk research, complemented by a market scan of the data protection certification schemes available in the EU and Switzerland, aims to clarify the theoretical and practical contributions that certification could offer to the regulation of data protection.
It seeks to identify direct and indirect contributions, short-term and long-term ones, positive and negative ones. It also intends to identify the types of certification that contribute the most to the protection of personal data. The objective is to determine which functional and geographical scopes would be the most suitable for data protection certification to contribute to the protection of personal data, and to identify the limitations inherent to certification itself, to the subject matter (data protection) and to the regulatory framework applying to it. Lastly, the research seeks to evaluate the methodological, technical and legal shortcomings of data protection certification.

The study’s outcome revealed that the contribution of certification to data protection could be multifarious. A first type of identified contribution follows from the basic features of certification when used in any regulatory environment. A second type of contribution is closely related to the regulatory context in which certification is applied. However, the implementation of certification under the GDPR was still in its early stages as of December 2019. Hence, it remains difficult, if not impossible, to predict what the actual contribution of certification to data protection will be. Evaluating the actual contribution of certification is challenging, since there are no reliable means of assessing this contribution yet. Certification is voluntary, and its contribution is commonly limited to certified entities within the scope for which they have requested to be certified. The contribution of data protection certification is also undermined by certain debatable choices made as part of its endorsement in the General Data Protection Regulation (GDPR). Further research should be undertaken in the coming years to confirm the findings of this study.
The author was only able to sketch what the ideal contribution of certification to data protection could be, and to stress the underlying conditions that should be met to make it sustainable over time.