The General Data Protection Regulation and the rise of certification as a regulatory instrument

https://doi.org/10.1016/j.clsr.2017.09.002

Abstract

The endorsement of certification in Articles 42 and 43 of the General Data Protection Regulation (hereinafter GDPR) extends the scope of this procedure to the enforcement of fundamental rights. The GDPR also leverages the high flexibility of this procedure to make certification something other than a voluntary process attesting conformity with technical standards. This paper argues that the GDPR has turned certification into a new regulatory instrument in data protection, which I suggest calling monitored self-regulation, seeking to fill the gap between self-regulation and traditional regulation in order to build a regulatory continuum.

Introduction

The Economist1 has suggested a meaningful comparison on the progress made by computing power during the last decades. “If cars and skyscrapers had improved at such rates since 1971”, it said, “The fastest car would now be capable of a tenth of the speed of light; the tallest building would reach halfway to the Moon”. Nordhaus2 notes that chips produced today are 400 000 times more powerful than they were at the beginning of the 70s. In the meantime, the available data storage capacity has rocketed.3 Within the last 15 years, “hard disks had increased their capacity 1,000-fold”.4 The success met by the TCP/IP protocol made the Internet something more than a simple technical innovation. As the Internet founders5 themselves put it, “the Internet is at once a world-wide broadcasting capability, a mechanism for information dissemination, and a medium for collaboration and interaction between individuals and their computers without regard for geographic location”.

The above technological breakthroughs enhanced and broadened the capacity of businesses to collect, store and exchange digitized data from any location around the world. The growing complexity of data processing6 widened the asymmetry of information between data controllers7 and individuals and gave birth to new data types arising from interactions between individuals and machines, and between machines. Such metadata8 can be very sensitive when derived from individuals' behavior and their bodily conditions. The sanction policy suggested by Directive 95/46/EC in case of non-compliance9 never ensured a deterrent effect on data controllers. The national data protection authorities do not have enough time, money, and competence to enforce more than a limited volume of processing. Moreover, the territorial scope on which the Directive is based10 limits the rights of European citizens11 to the borders of the Union and does not offer a satisfying response to the growing volume of cross-border data flows.12 The self-regulatory instruments set up in this area to complement the legal framework have never demonstrated their effectiveness in the absence of real enforcement.13

The long-awaited General Data Protection Regulation14 (hereinafter GDPR), enacted in April 2016, intends to address these shortcomings and, among other improvements, makes data controllers and processors accountable for their compliance15 and encourages companies to use certification procedures16 to demonstrate their compliance with the new framework. Within this context, the paper questions how the GDPR contributes to the rise of certification as a regulatory instrument. The first section defines the regulatory nature of certification and demonstrates that its scope has progressively extended over time. The second shows that the European lawmaker, by endorsing certification in the GDPR, purposely planned to turn this procedure into a regulatory instrument; I suggest calling it monitored self-regulation, seeking to ensure a regulatory continuum between self-regulation and traditional regulation.

Section snippets

Regulatory nature of certification

The regulatory nature of certification is still under discussion and scholars do not agree on the approach to adopt. Moreover, the high flexibility of this procedure, which allows schemes to be endlessly arranged and rearranged, makes any attempt at taxonomy a moving target. Defining certification by its purposes seems easier and more fruitful. However, analysis of certification's scope shows that it has continuously broadened over time. Its endorsement in the GDPR contributes to extending it again to

Monitored self-regulation

To some extent, certification in the GDPR remains a self-regulatory instrument. It is a voluntary process, initiated by data controllers,87 providing a presumption of conformity without legal consequences.88 It is also a co-regulated instrument in which the authorities contribute to the design and the management of the schemes.89 However, the authorities monitor and substitute for the private sector rather than they

Conclusion

This paper argues that the GDPR again plays a trailblazing role in European law with its endorsement of certification. The lawmaker deliberately leveraged the flexibility of this procedure to turn it into a new regulatory instrument, located between self-regulation and co-regulation. The absence of legal consequences and the fact that it remains optional clearly make certification a self-regulatory instrument. However, the involvement of the authorities in the design and the management of
