Third-Party Certification and Cross-Border Flows in the GDPR: Which Workable Option?
16 Pages. Posted: 21 Oct 2020
Date Written: September 3, 2020
The invalidation of the US/EU Privacy Shield has brought back to the table the issue of suitable instruments for safely transferring personal data from the EU to third countries. Surprisingly, certification might be an option despite the invalidation of the self-certification process proposed by the Privacy Shield. Third-party certification schemes approved by the EU supervisory authorities have been recognized by the GDPR as a suitable instrument for transferring personal data to third countries. Third-party certification theoretically offers some advantages over other recognized instruments such as Binding Corporate Rules and Standard Contractual Clauses. Following the principle 'certified once, accepted everywhere', certification under the Article 42.2 regime authorizes data importers established in third countries to work with many EU exporters without having to strike an agreement every time. Moreover, third-party certification offers a level of monitoring that the other contractual instruments are unable to provide. However, the establishment of certification schemes under the Article 42.2 regime leaves many questions open, and approved schemes are still some way down the road. Another option could be to recognize certification schemes available on the market as soon as they demonstrate that appropriate safeguards are applied to the transfer and management of the data. But again, this option is debatable, as the paper shows.
Keywords: Certification, Transborder dataflows, Article 42.2 GDPR, Privacy Shield