10 July 2018
Comments by the Centre for Information Policy Leadership on the European Data Protection Board’s “Draft Guidelines 1/2018 on certification and identifying certification criteria in accordance with articles 42 and 43 of the Regulation 2016/679” Adopted on 25 May 2018 On 25 May 2018, the European Data Protection Board (EDPB) adopted its Draft Guidelines on certification and identifying certification criteria in accordance with articles 42 and 43 of the Regulation 2016/679 (“Draft Guidelines”). 1 The EDPB invited public comments on this document by 12 July 2018. The Draft Guidelines provide guidance on how to set up overarching criteria relevant to all types of certification mechanisms issued in accordance with article 42 (certification) and article 43 (certification bodies) of the General Data Protection Regulation (GDPR). The Draft Guidelines also contain an annex describing the list of tasks and powers of supervisory authorities in relation to certification in accordance with the GDPR. The EDPB stated that it will publish at a later stage two separate sets of guidelines: (1) guidelines on identifying criteria to approve certification mechanisms as transfer tools to third countries or international organisations in accordance with article 42(2); 2 (2) guidelines for the supervisory authorities to assess certification criteria for the purpose of approval in order to ensure a harmonised approach. These guidelines will be made available at a later stage in an annex to the Draft Guidelines. 3 The Centre for Information Policy Leadership (CIPL) 4 welcomes the opportunity to submit the comments below, both as input for the EDPB’s final Guidelines (“Final Guidelines”) and the two other upcoming guidelines mentioned above. CIPL has already written extensively on certifications under the GDPR. Firstly, it published a white paper on Certifications, Seals and Marks under the GDPR and Their Roles as Accountability
1
Draft Guidelines 1/2018 on certification and identifying certification criteria in accordance with articles 42 and 43 of the Regulation 2016/679, available at https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_1_2018_certification_en.pdf. 2 Id. at page 4. 3 Id. at page 7. 4 CIPL is a global data privacy and cybersecurity think tank in the law firm of Hunton Andrews Kurth and is financially supported by the law firm and 61 member companies that are leaders in key sectors of the global economy. CIPL’s mission is to engage in thought leadership and develop best practices that ensure both effective privacy protections and the responsible use of personal information in the modern information age. CIPL’s work facilitates constructive engagement between business leaders, privacy and security professionals, regulators and policymakers around the world. For more information, please see CIPL’s website at http://www.informationpolicycentre.com/. Nothing in this submission should be construed as representing the views of any individual CIPL member company or of the law firm of Hunton Andrews Kurth.
1