16 January 2014

Privacy Seals

The European Commission has released a 290-page report [PDF] titled EU Privacy seals project: Inventory and analysis of privacy certification schemes, covering 25 online privacy seals.

The report concludes -
 The privacy seals market place is defined by heterogeneity. Whilst we can identify a relatively small number of ways in which seal schemes function, there is a large degree of variation around these core functional models. These variations can have significant implications for the claims that a seal scheme is legitimately able to make. In addition to this, the level of variation amongst seals likely impacts upon the effectiveness of seals. An individual (or organisation) cannot generalise about a seal scheme from their knowledge of other seal schemes (if any). It is a possibility that more niche seals will emerge, which will increase the level of variation further. Privacy seal schemes face a challenge in making legitimate claims about complex behaviours and standards, and making these claims rapidly, transparently, accessibly and communicating these reassuringly.
One of the key results of our study relates to the privacy and data protection elements of analysed schemes; some schemes have extensive privacy and data protection elements, others have none or a bare minimum. The focus of schemes differs. The more legally aligned schemes have a national or regional scope and coverage potentially restricting their universal application. The level of guarantees made to data subjects also varies – some schemes specify these explicitly, while others make no mention of it at all. While most of the analysed schemes seem to follow a typical model, there are highly divergent certification practices. This has implications for seal audiences who may not be able to determine the nature and scope of the certification process or to make informed judgements about a scheme that forms the basis of a seal. To this extent, it will be important to distinguish best practice from common practice in any future privacy seal scheme. A good privacy seal scheme must make specific, concrete certification of privacy and data protection behaviour. Blending these claims with other business practices may diminish the distinctiveness of a privacy seal offering (as evident in some of the analysed schemes).
While the objectives of the analysed schemes cluster around six categories (building confidence or trust, signalling compliance or accordance with a standard, signalling the presence of privacy measures, providing guarantees, increasing market transparency and resolving disputes), and though there is some evidence of schemes achieving a certain measure of success (as in the case of profitable and expanding schemes such as TRUSTe), in actual practice, it is difficult to gauge the actual achievements of most of the objectives.
EU-based schemes display some key differences in comparison to their US-based or global counterparts. Europe has schemes administered by data protection agencies. The analysis also shows that European schemes are more likely to be aligned with legal standards for privacy and data protection, to make guarantees of compliance with such standards and requirements and less likely to have abstract guarantees on data subject rights. Non-EU schemes do not generally meet the legally-binding standards of EU data protection legislation.
In general, compliance with privacy and data protection law is a challenge for organisations. The GDPR imposes a high legal standard for privacy and data protection. Though the analysed EU-based certification schemes tend to approximate as best as possible the proposed GDPR requirements, unless guided effectively on how to concretely incorporate the GDPR requirements as their standards or criteria, they might fall short of what they can actually deliver through their schemes. For the non-EU based schemes, the GDPR criteria may be less relevant (attributable to different industry and regulatory environments within which they operate). Non-EU based schemes could adopt the GDPR criteria as this would give them a good standing and even form the basis for mutual recognition efforts if their subscribers engage with European consumers and data subjects. 
Amongst the EU-based schemes, we find there is a lack of public discussion and preparation in relation to the new GDPR requirements (such as rights of data portability, right to be forgotten, data protection impact assessments, the principle of accountability and the special protection afforded to minors). EU-based schemes are also largely national in scope – while several schemes were identified in certain Member States such as Germany or Spain, no noted attempts for mutual recognition and co-operation are evident. This absence of harmonisation amongst EU-based seals puts them at a disadvantage in comparison to other international schemes that are able to cover a wider audience. EU citizens are exposed to a very wide variety of seal schemes in their use of the Internet; however, only a small sub-set of these schemes signal compliance with EU privacy and data protection law. 
There are various beneficiaries of privacy seals: policy-makers, regulators, other public bodies, scheme operators, subscribers (of all types, large, medium and small), third parties (e.g., independent evaluators, auditors), industry associations, privacy and data protection organisations, consumers and individuals. On a broader front, privacy and data protection schemes benefit society. They encourage and facilitate good privacy and data protection practices and increase the participation of individuals in online commercial and social activities. 
Privacy seal schemes can have various benefits (that are divergently applicable to beneficiaries): generation of privacy and data protection accountability and oversight, provision of privacy assurances, reduction in the regulatory and enforcement burden, enhancement of trust and confidence, reputational, competitive and market advantages, increasing trade and commerce, driving industrial growth, generation of privacy awareness, helping prove fulfilment of privacy and data protection obligations, encouraging the implementation and maintenance of data protection measures, and presenting a quick and accessible means to determine and verify privacy and data protection commitments. These benefits were broadly supported by the stated objectives of many of the analysed seal schemes. These included abstract trust-building (encouraging a general sense of confidence, with trust strongly related to commercial opportunities for the certified entity), compliance signalling (with regard to laws or other standards), signalling data protection measures, the provision of binding guarantees, increasing market transparency and providing additional dispute resolution mechanisms. Each of these objectives can be understood as responding to particular problems of exercising trust online.
Privacy certification schemes also have an impact on their beneficiaries. This impact affects the propensity of organisations to subscribe to the scheme. The impact relates to various costs such as design costs, seal costs, seal administration costs, certification costs, certification compliance costs, human resource costs, accreditation costs, regulatory approval costs.
Required success factors for privacy seal schemes
One of the key factors that determine the extent to which a privacy certification scheme benefits individuals and citizens is how easy or difficult it is to break the link between the signifier (the presence of a seal on a website or entry in a register) and the signified (the particular privacy and data protection practices being certified). An effective seal must have a strong link between the two. Several factors identified in this study contribute towards weakening this link. The classical and linked seal models have weaker links between the signifier and signified than the hosted seal. This is because the website hosting the seal can potentially resist its revocation and continue to display a seal to which it is not entitled. Similarly, if a scheme fines a member who is in breach of its programme requirements rather than revokes the seal, then it becomes difficult for an end user to determine whether the seal represents a website in good standing with the programme requirements. The possibility of a negotiated relationship between seal provider and certified entity and too frequent changes to the programme requirements over time also undermine the link between the signifier and the signified, as a seal can signify different things on different websites, at different times. Finally a lack of information on what exactly the seal is supposed to signify is a concern. Too many of the analysed schemes were difficult to find, too abstract or had incomplete information accessible to the public. Given that the role of a seal is to signify something, it should be possible to determine what is being signified in a relatively easy and straightforward manner. 
Transparency and openness of schemes is a necessity for ensuring that privacy seal schemes are not simply a front or means for an organisation to build and develop its profile and other supplementary activities (e.g., consulting). There is a need to eliminate this conflict of interest as it affects the credibility of the scheme. 
Another key factor impacting the success of a privacy and data protection certification scheme is the certifier’s reputation and ability to attract (and retain) subscribers. A certifier must be independent (financially and resources), capable of engendering trust from members and successfully able to implement and enforce the scheme. This may suggest the need for increased involvement from data protection authorities. Universality (ability to offer a more widely applicable seal) of the scheme is another advantageous factor that might contribute to success of a scheme. Further, if SMEs are to gain the most from subscribing to these schemes, then certification schemes must find a way of catering to this beneficiary more effectively.