Praise for EuroPriSe
Tomás F. Serna
September 23, 2008
The European Privacy Seal (EuroPrise), project is an interesting initiative lead by the Independent Centre for Privacy Protection Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz, ULD). This body is the local data protection authority of Schleswig-Holstein, the northernmost federal state of Germany.
Funded under the European Commission’s eTen Programme, it currently consists in a nine European partner consortium to which Madrid’s Data Protection Authority is a party.
At its essence, what this program is aiming to do is to establish a voluntary certification program by which any company or individual could: a) Gain assurance that her product or service is in compliance with EU data protection Laws, and b) Send a message to the marketplace and to consumers (end-users) stating: We take user’s privacy seriously. Should you choose to use this product or service, rest assured that nothing funny is taking place regarding your personal information. See, we have this seal to prove it.
Two are the concepts that I would like to highlight here which are the ones that bring my interest to this initiative: The voluntariness of the process as well as that amongst its main objectives it has been designed to serve the purpose of building a reputation in the marketplace. The fact that an initiative like this would come from a public body is remarkable in itself.
I could go on a high level of detail in order to explain how to conform a serious uniform certification process, the program established a set of clear standards (EU data protection Laws), and developed a methodology which anyone involved in the process would need to follow. A body of ‘EuroPriSe experts’ is slowly building up, which will undoubtedly help the project gain some momentum sooner than later. Also worth to mention is that on July 2008, the first EuroPriSe was awarded to the ixquick search engine. And from what I hear it wasn’t an easy award to obtain…
But I’m not telling you all the truth. I also find this initiative noteworthy for another reason. Please allow me to digress a little bit in order to elaborate: Its been a couple of years now that I have been detecting a certain level of intrusiveness in the data protection field of practice. More often than not I find myself competing for data protection projects with individuals and small companies who offer to solve anyone’s data protection problems with a set of powerpoint slides and one or two word templates. In most cases these individuals or companies rarely have any background in the practice of Law, or in information technologies for that matter.
I’m not alone here, as I have heard the complaint in many professional gatherings. The present economic situation has certainly not made things better. In fact, just last week, on a visit to a Client’s HQ he showed me no less than five faxes and e-mails in which five different companies were advertising their data protection compliance services by showing in threatening big letters the potential fines as established by Spanish Law while at the same time breaking a bunch of regulations regarding spam and even data protection.
Sometimes people take the bait and sometimes they go unnoticed. But some other times they get into trouble and then you get called to the table, more often than not 24 hours before an announced data protection inspection. And I could tell you a couple of horror stories about people who received the powerpoint slides and thought they were covered.
How about the mandatory audit that any company or individual with medium or high level of security files (as determined by Law), needs to undertake every two years? We also find this kind dubious professionals here. And I still have to hear of one case in which anyone got accountable for giving these poor services. In lawyer parlance this would translate as pure and simple malpractice. But like I said, they rarely have a Law background.
Maybe data protection authorities could establish a set of minimum standards in order for data protection specialists to become accredited so that companies could check and see who they are dealing with. While notoriously missing from the EuroPriSe project is the Spanish Data Protection Agency, maybe accreditations as the one that this project is bringing (e.g. ‘Accredited EuroPriSe Legal and/or Technical Expert‘), could help the marketplace make some informed educated choices.
So, praise for the EuroPriSe project! Initiatives like this one, can only bring greater certainty to this very important field of fundamental rights and economic interaction.
2 Comments »
RSS feed for comments on this post. | TrackBack URI | bookmark on del.icio.us.
Leave a comment
Advertencia de Protección de Datos:
Los datos personales capturados con ocasión de la utilización del formulario de comentarios (nombre/apodo, dirección de correo electrónico, sitio web y dirección IP), serán incluidos en un fichero del propietario del sitio web y se publicarán (excepto su dirección de correo electrónico y su dirección IP) en esta página con la finalidad de permitir opinar públicamente al lector, así como para en su caso contestar al comentario o consultas que formule. Podrá ejercitar sus derechos de acceso, de rectificación, de cancelación y de oposición en lo referido a dichos datos personales dirigiendo un correo electrónico a la dirección: datos.personales@blogeuropa.eu.
----
Privacy notice:
Please be informed that by using the comments form, your personal data (name/nickname, e-mail address, website and IP address), will be included in a file owned by the website proprietor and published along your comment (except for your e-mail and IP addresses), in order for the reader to publicly comment, as well as -should that be the case-, to respond to any comment or query that readers may have made. You will be able to exercise your rights to access, rectify, cancel and oppose such personal data by sending an e-mail to the following address: datos.personales@blogeuropa.eu.
It is quite interesting that the initiative is being developed by a public body.
Separately, I would be interested to know if some of the companies targeted by the non-law service providers are non-European entities, which may have a reduced understanding of the compliance requirements found in European states. It seems that companies with less familiarity are likely the ones who would benefit most from legal counsel on this topic, but may be the ones least likely to receive such counsel early on in the process.
Comment by CDG — September 25, 2008 @ 7:46 pm
Thank you for your question Chris. I always find it enriching to discuss anything regarding EU data protection with colleagues from the US.
Assuming that by “non-law companies” you are referring to the dubious kind of firms/people sending the threatening faxes I mentioned above, in my experience these people are targeting anyone willing to pay them for what in most occasions is a half-baked do-it-yourself data protection kit…
I’d say their main target are small companies and professionals who have heard about the compliance requirements, the huge fines, etc… and who aren’t really looking for quality services… and who as you say, most probably lack any knowledge on the subject matter.
This is not to say that everyone in the data protection field should be a Lawyer, but it seems to me that more and more the field is attracting lots of people who –from what I’ve seen– don’t really know what they are doing.
I hope this answers the question.
Bests, TFS
Comment by tfserna — September 26, 2008 @ 1:04 pm