Data protection certification for cross-border data flows

27 Apr 2022 16:00h - 17:00h


Event report

This session looked at the possibility of a global certification system that can enable collaboration in the domain of data-related services. The session looked in particular at the harmonisation and mutual certification of professionals and institutions working on the national data protection initiatives and regulations that are being adopted rapidly worldwide. We heard particular examples considering the EU General Data Protection Regulation (GDPR), the Brazilian General Data Protection Law (LGPD), and the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR).

The evolution of data protection regulations is directly impacting cross-border data flows. The need to harmonise certification systems for data protection professionals will bring new practices and a new way of dealing with online data.

Mr Luca Bolognini (President, Istituto Italiano per la Privacy e la Valorizzazione dei Dati) mentioned that certification mechanisms for international data transfers do not yet exist, but are envisaged in articles 42, 43, and 46 of the EU General Data Protection Regulation (GDPR). From there, companies and individuals will have a clear direction on how to apply the rules, he added. There are new and rapid developments in this field regarding the regulations and additional EU Court of Justice decisions that will shape future rules.

Developed through the EU Horizon 2020 programmes, the Europrivacy certification scheme offers a ready-made solution for all data protection professionals and businesses. Mr Adrian Quesada Rodriguez (Mandat International) talked about the features this platform offers, mentioning that Europrivacy is currently in the leading position for approval as an official scheme for GDPR compliance. In particular, he mentioned that Europrivacy is extending the GDPR's core criteria to countries that already have an established data protection framework (Brazil, India, Mexico, South Korea, Israel, Canada, to name a few). In this way, it aims to provide a one-place certification scheme at a global scale. Rodriguez also added that the work of the Europrivacy scheme is open to all professionals and organisations from the data protection community.

Mr Romeo Kadir (President, Global Association of Data Protection Professionals) focused on the harmonisation of the APEC Cross-Border Privacy Rules and the GDPR in particular. He mentioned that the GDPR actually acknowledges the APEC CBPR as a data privacy framework and an example of double certification. What are the gaps that will need to be filled in order to harmonise the certification system? Kadir said that qualified people are needed who can understand the basic notions behind national data regulation policies and try to find a common denominator. Apart from that capacity development initiative, we might need global convergence of data protection rules.

International organisations, such as UNCTAD, can have a significant role in capacity development in this field, which will certainly bolster international trade and e-commerce, said Mr Sebastien Ziegler (Director, Mandat International), the moderator of the session. Mr Renato Opice Blum (Chief Executive Officer at Opice Blum, Bruno, Abrusio and Vainzof Attorneys at Law) also emphasised the need for capable professionals, data protection officers, and educated personnel who can be certified under the global scheme. He also described the Europrivacy certification system as the most comprehensive in terms of the wide area it covers. We will have to act in order to prevent the fragmentation of the global market, and we might soon have new treaties and conventions, Opice Blum added.

Data protection officers need to keep up to date and take care to expand their knowledge and certification as much as possible. This is a cross-cutting issue with technology, so it requires following the pace of technological advancements, he concluded.

The participants agreed that challenges might lie in the cybersecurity preparedness of all countries, as well as a geopolitical 'battle for trust' at the global level. We should be careful not to design our future data regulation policies as a protectionist mechanism, but rather in the spirit of cooperation through international agreements.

By Arvin Kamberi