The UK’s Information Commissioner’s Office (ICO) has announced that it is looking to introduce a system of “privacy seals” for organizations doing business in the UK. The seal is intended to be a consumer-facing stamp of approval demonstrating that a particular organization is meeting or surpassing the compliance requirements of the UK’s Data Protection Act. The ICO expects that this will provide numerous benefits, both for companies, who could gain an advantage over competitors, and for customers, who should feel confident entrusting their personal information to companies displaying the seal. It is hoped that the privacy seal will incentivize good data protection practices across UK businesses.
The privacy seals themselves will be delivered by third-party operators that are endorsed by and work with the ICO. It is expected that different operators will focus on different sectors, so that accreditation schemes can be tailored to particular industries. For example, the operator handling privacy seals for mobile app companies may be different from the operator assigned to healthcare service providers. A privacy seal will only be awarded to an organization once it has demonstrated that it meets the relevant data protection standards.
The ICO plans for the privacy seal to remain active for a period of four years, after which the organization must apply to be re-certified. The seal can also be withdrawn if the organization fails to maintain the standards expected from the program. The ICO is confident that the privacy seal program has the support of legislators and is responding to consumer demand for higher data protection standards.
It is anticipated that privacy seals will come into effect in 2016. A consultation run by the ICO in 2014 raised some important questions from stakeholders regarding the operation of the scheme. One particular concern is whether privacy seals should be implemented in the UK before the EU-wide General Data Protection Regulation, still under negotiation in Europe, enters into force. The ICO maintains that they should, in part because it views the privacy seal mechanism as an opportunity to build the ICO’s expertise in this area in preparation for future compliance with the Regulation.
Privacy certification schemes already exist in Europe, such as the European Privacy Seal (EuroPriSe), which provides certifications for IT-based products and services throughout the EU, and the French data protection authority’s “Label CNIL” privacy certification scheme. These various mechanisms are likely to be harmonized across all EU Member States once the General Data Protection Regulation comes into force. Covington will continue to track developments in this space.
This post was written with contributions from Fredericka Argent.