File #2533: "2018_Book_PrivacyAndDataProtectionSeals.pdf"
Testo
1|Contents|7
1|Editors and Contributors|8
1|1 Introduction: Privacy and Data Protection Seals|12
2|Abstract|12
1|2 Data Protection Certification in the EU: Possibilities, Actors and Building Blocks in a Reformed Landscape|18
2|Abstract|18
2|2.1 Background and Structure of the Contribution|19
2|2.2 The 2012 Commission Proposal: Endorsement of Certification Mechanisms and Seals|22
2|2.3 The 2014 European Parliament First Reading: The European Data Protection Seal|23
2|2.4 The 2015 Council First Reading: Data Protection Seals as an Element of Accountability|24
2|2.5 Articles 42 and 43 GDPR on Data Protection Certification|25
2|2.6 The Certification Process in the General Data Protection Regulation (Building Block 1)|26
2|2.7 Accredited Certification Bodies: “Certifying the Certifiers” (Building Block 2)|29
2|2.8 Oversight by the National Supervisory Authorities (Building Block 3)|31
2|2.9 Register-Keeping and European Seal by the European Data Protection Board (Building Block 4)|32
2|2.10 Criteria-Setting and the European Commission (Building Block 5)|33
2|2.11 Certification Effects: Voluntary, Not Binding for Data Protection Authorities and Regulated ‘Benefits’|35
2|2.12 Functions and Possible Uses of Data Protection Certification in the GDPR|37
2|2.13 Next Steps and Reflections on Risks and the Potential of the New System|41
2|Acknowledgements|43
2|References|43
1|3 The Schleswig-Holstein Data Protection Seal|46
2|Abstract|46
2|3.1 Introduction|47
2|3.2 The Legal Provisions Supporting the Schleswig-Holstein Data Protection Seal|48
2|3.3 The Certification Procedure of the Schleswig-Holstein Data Protection Seal|49
2|3.4 Evolution of the Schleswig-Holstein Data Protection Seal|53
2|3.5 Lessons Learnt|55
2|3.6 Conclusion|58
2|References|59
1|4 The French Privacy Seal Scheme: A Successful Test|60
2|Abstract|60
2|4.1 Introduction|61
2|4.2 A Tried and Tested System|62
2|4.3 A Scheme Based on a Two-Phase System|62
2|4.4 A Proven Approach|64
2|4.5 A Seal Indicating Proof of Compliance|65
2|4.6 The CNIL Seal—A Confidence Indicator|66
2|4.7 The “Governance” Seal, Paving the Way for the EU Regulation|67
2|4.8 What Lies Ahead for CNIL Seals?|68
1|5 Privacy Seals in the USA, Europe, Japan, Canada, India and Australia|70
2|Abstract|70
2|5.1 Introduction|71
2|5.2 Comparative Analysis|72
3|5.2.1 Government Interest in Online Privacy Seal as a Self-Regulatory and Consumer Awareness Mechanism|72
3|5.2.2 Unregulated Trust Mark Sector Leads to Wide Range of Privacy Trust Mark Providers|73
3|5.2.3 Privacy Trust Mark Programs Are Continuously Evolving|74
3|5.2.4 Transparency Is Becoming a Trust Mark Provider Differentiator|75
2|5.3 The United States|76
3|5.3.1 ESRB Privacy Certified Program Seals|77
3|5.3.2 TRUSTe|78
3|5.3.3 Better Business Bureau (BBB) Online|79
2|5.4 Europe|80
3|5.4.1 EuroPriSe|81
3|5.4.2 EMOTA European Trustmark|82
2|5.5 Japan—PrivacyMark|84
2|5.6 Canada|87
3|5.6.1 CPA WebTrust|87
3|5.6.2 Privacy by Design Certification Shield|88
2|5.7 India—‘DSCI Privacy Certified’ (DPC©)|89
2|5.8 Australia|91
2|5.9 Conclusion|92
2|References|92
1|6 Controversies and Challenges of Trustmarks: Lessons for Privacy and Data Protection Seals|94
2|Abstract|95
2|6.1 The Role of Trustmarks in e-Commerce|95
2|6.2 Structure and Methodology|98
2|6.3 The Characteristics of Trustmarks|99
3|6.3.1 Main Function: Triggering Trust by Making the Unknown Appear Familiar|100
3|6.3.2 Controversies Related to the “Trust Trigger” Function of the Trustmarks|101
2|6.4 Trustmarks and Data Protection Seals in the European Union|103
3|6.4.1 Challenges|103
3|6.4.2 Recent Developments|105
2|6.5 The Need for a Yardstick to Determine the Impact of Trustmarks|106
2|6.6 Reconciling Stakeholder Expectations|107
2|6.7 Analysis of the Terms & Conditions of EU-Based Trustmark Schemes|110
3|6.7.1 Scope and Methodology|111
3|6.7.2 How Does the Governance Scheme of the Various Trustmark Organisations and the Way They Are Marketed to the Public Affect Their Independence?|111
3|6.7.3 How Impartial Are the Various Trustmark Providers in Assessing the Requirements for Joining a Trustmark Scheme and What Is the Procedure to Join Based on Strict Criterion Place?|113
3|6.7.4 Is Active Compliance Monitoring in Place, and If So, How Often Is It Undertaken and Based on What Criteria?|115
3|6.7.5 How, and to What Extent, Does a Trustmark Organisation Enforce Its Code of Conduct and What Actions Are Taken by the Trustmark Providers in the Case of a Web Shop Not Complying with the Code of Conduct? Is There a Clear List of Sanctions for Specific Offences or Are Trustmark Providers Being Too Lenient?|116
3|6.7.6 Liability and Disclaimers|117
3|6.7.7 Recurring Issues|118
2|6.8 Conclusions|119
2|References|121
1|7 The Potential for Privacy Seals in Emerging Technologies|123
2|Abstract|123
2|7.1 Introduction|124
2|7.2 The Problems of Privacy Seals in an Online Environment|125
2|7.3 The Argument for Focused and Specific Privacy Seals|127
2|7.4 The Potential for Privacy Seals in Cyber-Physical Technologies|129
3|7.4.1 Smart Homes|130
3|7.4.2 Smart Cars|131
3|7.4.3 Wearable Technologies|134
3|7.4.4 Drones|135
2|7.5 Conclusion|138
2|References|139
1|8 An Economic Analysis of Privacy Seals|143
2|Abstract|143
2|8.1 Introduction|144
2|8.2 Understanding the Demand for Security and Personal Data Protection: The Sources of Negative Externalities|145
3|8.2.1 Price Discrimination|146
3|8.2.2 Targeting and Information Filters|146
3|8.2.3 Ads (Ad-Adverse, Ad-Blockers)|147
3|8.2.4 Terms of Service Are Difficult to Read|147
3|8.2.5 No Market Solution|148
2|8.3 Understanding the Supply: Security as an Economic Good|149
3|8.3.1 Public Good|149
3|8.3.2 Network Externalities|149
3|8.3.3 Business Models Based on Data Exchange|150
3|8.3.4 Data Lock-In|150
2|8.4 Economic Analysis of Privacy and Data Protection Seals|151
3|8.4.1 Membership-Based Versus Public Trustmarks|151
3|8.4.2 Formats: Continuous Versus Binary|152
3|8.4.3 Checking Compliance and Resolving Conflicts|152
3|8.4.4 Different Business Models: Pros and Cons|152
2|8.5 Economic Impact (The Good, the Bad and the Ugly)|153
3|8.5.1 Price Increase|153
3|8.5.2 Sales|154
3|8.5.3 Longevity and Timing Issues|154
3|8.5.4 Fake Signals, Wrong Interpretation of What Is Being Protected|155
2|8.6 Conclusion and Open Questions|155
2|References|156
1|9 Conclusion: What Next for Privacy Seals?|158
2|Abstract|158
2|9.1 Strengths|159
2|9.2 Weaknesses|159
2|9.3 Opportunities|160
2|9.4 Threats|161
2|9.5 The Hallmarks of a Quality Privacy and/or Data Protection Seal|162
2|9.6 Privacy ‘Pass’, or Privacy ‘Flunk’?|163
2|References|163
1|Editors and Contributors|8
1|1 Introduction: Privacy and Data Protection Seals|12
2|Abstract|12
1|2 Data Protection Certification in the EU: Possibilities, Actors and Building Blocks in a Reformed Landscape|18
2|Abstract|18
2|2.1 Background and Structure of the Contribution|19
2|2.2 The 2012 Commission Proposal: Endorsement of Certification Mechanisms and Seals|22
2|2.3 The 2014 European Parliament First Reading: The European Data Protection Seal|23
2|2.4 The 2015 Council First Reading: Data Protection Seals as an Element of Accountability|24
2|2.5 Articles 42 and 43 GDPR on Data Protection Certification|25
2|2.6 The Certification Process in the General Data Protection Regulation (Building Block 1)|26
2|2.7 Accredited Certification Bodies: “Certifying the Certifiers” (Building Block 2)|29
2|2.8 Oversight by the National Supervisory Authorities (Building Block 3)|31
2|2.9 Register-Keeping and European Seal by the European Data Protection Board (Building Block 4)|32
2|2.10 Criteria-Setting and the European Commission (Building Block 5)|33
2|2.11 Certification Effects: Voluntary, Not Binding for Data Protection Authorities and Regulated ‘Benefits’|35
2|2.12 Functions and Possible Uses of Data Protection Certification in the GDPR|37
2|2.13 Next Steps and Reflections on Risks and the Potential of the New System|41
2|Acknowledgements|43
2|References|43
1|3 The Schleswig-Holstein Data Protection Seal|46
2|Abstract|46
2|3.1 Introduction|47
2|3.2 The Legal Provisions Supporting the Schleswig-Holstein Data Protection Seal|48
2|3.3 The Certification Procedure of the Schleswig-Holstein Data Protection Seal|49
2|3.4 Evolution of the Schleswig-Holstein Data Protection Seal|53
2|3.5 Lessons Learnt|55
2|3.6 Conclusion|58
2|References|59
1|4 The French Privacy Seal Scheme: A Successful Test|60
2|Abstract|60
2|4.1 Introduction|61
2|4.2 A Tried and Tested System|62
2|4.3 A Scheme Based on a Two-Phase System|62
2|4.4 A Proven Approach|64
2|4.5 A Seal Indicating Proof of Compliance|65
2|4.6 The CNIL Seal—A Confidence Indicator|66
2|4.7 The “Governance” Seal, Paving the Way for the EU Regulation|67
2|4.8 What Lies Ahead for CNIL Seals?|68
1|5 Privacy Seals in the USA, Europe, Japan, Canada, India and Australia|70
2|Abstract|70
2|5.1 Introduction|71
2|5.2 Comparative Analysis|72
3|5.2.1 Government Interest in Online Privacy Seal as a Self-Regulatory and Consumer Awareness Mechanism|72
3|5.2.2 Unregulated Trust Mark Sector Leads to Wide Range of Privacy Trust Mark Providers|73
3|5.2.3 Privacy Trust Mark Programs Are Continuously Evolving|74
3|5.2.4 Transparency Is Becoming a Trust Mark Provider Differentiator|75
2|5.3 The United States|76
3|5.3.1 ESRB Privacy Certified Program Seals|77
3|5.3.2 TRUSTe|78
3|5.3.3 Better Business Bureau (BBB) Online|79
2|5.4 Europe|80
3|5.4.1 EuroPriSe|81
3|5.4.2 EMOTA European Trustmark|82
2|5.5 Japan—PrivacyMark|84
2|5.6 Canada|87
3|5.6.1 CPA WebTrust|87
3|5.6.2 Privacy by Design Certification Shield|88
2|5.7 India—‘DSCI Privacy Certified’ (DPC©)|89
2|5.8 Australia|91
2|5.9 Conclusion|92
2|References|92
1|6 Controversies and Challenges of Trustmarks: Lessons for Privacy and Data Protection Seals|94
2|Abstract|95
2|6.1 The Role of Trustmarks in e-Commerce|95
2|6.2 Structure and Methodology|98
2|6.3 The Characteristics of Trustmarks|99
3|6.3.1 Main Function: Triggering Trust by Making the Unknown Appear Familiar|100
3|6.3.2 Controversies Related to the “Trust Trigger” Function of the Trustmarks|101
2|6.4 Trustmarks and Data Protection Seals in the European Union|103
3|6.4.1 Challenges|103
3|6.4.2 Recent Developments|105
2|6.5 The Need for a Yardstick to Determine the Impact of Trustmarks|106
2|6.6 Reconciling Stakeholder Expectations|107
2|6.7 Analysis of the Terms & Conditions of EU-Based Trustmark Schemes|110
3|6.7.1 Scope and Methodology|111
3|6.7.2 How Does the Governance Scheme of the Various Trustmark Organisations and the Way They Are Marketed to the Public Affect Their Independence?|111
3|6.7.3 How Impartial Are the Various Trustmark Providers in Assessing the Requirements for Joining a Trustmark Scheme and What Is the Procedure to Join Based on Strict Criterion Place?|113
3|6.7.4 Is Active Compliance Monitoring in Place, and If So, How Often Is It Undertaken and Based on What Criteria?|115
3|6.7.5 How, and to What Extent, Does a Trustmark Organisation Enforce Its Code of Conduct and What Actions Are Taken by the Trustmark Providers in the Case of a Web Shop Not Complying with the Code of Conduct? Is There a Clear List of Sanctions for Specific Offences or Are Trustmark Providers Being Too Lenient?|116
3|6.7.6 Liability and Disclaimers|117
3|6.7.7 Recurring Issues|118
2|6.8 Conclusions|119
2|References|121
1|7 The Potential for Privacy Seals in Emerging Technologies|123
2|Abstract|123
2|7.1 Introduction|124
2|7.2 The Problems of Privacy Seals in an Online Environment|125
2|7.3 The Argument for Focused and Specific Privacy Seals|127
2|7.4 The Potential for Privacy Seals in Cyber-Physical Technologies|129
3|7.4.1 Smart Homes|130
3|7.4.2 Smart Cars|131
3|7.4.3 Wearable Technologies|134
3|7.4.4 Drones|135
2|7.5 Conclusion|138
2|References|139
1|8 An Economic Analysis of Privacy Seals|143
2|Abstract|143
2|8.1 Introduction|144
2|8.2 Understanding the Demand for Security and Personal Data Protection: The Sources of Negative Externalities|145
3|8.2.1 Price Discrimination|146
3|8.2.2 Targeting and Information Filters|146
3|8.2.3 Ads (Ad-Adverse, Ad-Blockers)|147
3|8.2.4 Terms of Service Are Difficult to Read|147
3|8.2.5 No Market Solution|148
2|8.3 Understanding the Supply: Security as an Economic Good|149
3|8.3.1 Public Good|149
3|8.3.2 Network Externalities|149
3|8.3.3 Business Models Based on Data Exchange|150
3|8.3.4 Data Lock-In|150
2|8.4 Economic Analysis of Privacy and Data Protection Seals|151
3|8.4.1 Membership-Based Versus Public Trustmarks|151
3|8.4.2 Formats: Continuous Versus Binary|152
3|8.4.3 Checking Compliance and Resolving Conflicts|152
3|8.4.4 Different Business Models: Pros and Cons|152
2|8.5 Economic Impact (The Good, the Bad and the Ugly)|153
3|8.5.1 Price Increase|153
3|8.5.2 Sales|154
3|8.5.3 Longevity and Timing Issues|154
3|8.5.4 Fake Signals, Wrong Interpretation of What Is Being Protected|155
2|8.6 Conclusion and Open Questions|155
2|References|156
1|9 Conclusion: What Next for Privacy Seals?|158
2|Abstract|158
2|9.1 Strengths|159
2|9.2 Weaknesses|159
2|9.3 Opportunities|160
2|9.4 Threats|161
2|9.5 The Hallmarks of a Quality Privacy and/or Data Protection Seal|162
2|9.6 Privacy ‘Pass’, or Privacy ‘Flunk’?|163
2|References|163