Title III. Executive summary
In the context of globalization and the unprecedented progress of information
technologies, the legislative and regulatory instruments for data protection
and privacy face new challenges to which answers must urgently be found.
European regulation is regarded as the most protective of privacy in the
world, but in practice its application within the European Union is far from
satisfactory: lack of harmonization, conflicts of applicable law, disparity of
controls and sanctions, inapplicability of principles...
Although article 27 of Directive 95/46 encourages self-regulation and
co-regulation, these means were regarded as complementary tools to make the
regulation more effective.
In the majority of countries where there is no general privacy or data
protection law, but only sectoral laws or provisions, self-regulation, and
certification in particular, seeks to answer the demand of the market.
Recently, between the pure market model and the pure enforcement model, a
threefold tendency can be noted:
Countries that are fervent supporters of self-regulation express the need to
resort to a general privacy law in order to harmonize practices (see the USA).
In addition, although in Europe this subject was generally considered a matter
for the law, more and more voices are rising to encourage raising the awareness
of organizations and improving data protection through co-regulation.
Certification may then be considered the best way to implement and supplement
legislation.
Finally, certification is blossoming in the wake of political, legal and
economic transformation in countries where the rules of law are not yet mature
(cf. South America, Asia), under the influence of alliances and mutual
recognition agreements between certification schemes (see APEC).
It is in this context that new tools and concepts have appeared, in Europe, on
the American continent, in Asia and at the international level (ISO, CEN),
aiming to improve data protection. The majority of these tools are based on
voluntary self-regulation or co-regulation steps and aim to encourage complete
and continuous management of data throughout its life cycle.
Certification seems to be one of the means able to guarantee the proper
application and effectiveness of these tools, by attesting the conformity of
products or procedures to a reference framework.
The very concept of certification, however, covers a great disparity of
schemes of unequal quality.
This study, undertaken within the framework of a thesis and a professional
project, aims to be at once practical, exhaustive and comparative, as well as
systemic in its geographical coverage.
In order to determine the feasibility of a certification scheme for data
protection, the analysis covers a census of existing schemes, their
characteristics and the legal and cultural context in which they developed.
We then address the state of maturity of the market, in particular the gaps or
barriers of a psychological, political, technological or economic nature
related to the concept of personal data protection which could prevent the
success of a certification scheme in this field.
As a complement to this study, we conducted a field investigation among
certification professionals and companies that are potential candidates for a
data protection label.
We firmly believe that if we aim to deliver certifications to organizations,
their needs and expectations must be taken into account.
On the basis of these analyses and of all the comparative data, we make some
recommendations and suggestions which could increase the chances of success of
a certification scheme.
Success will depend to some extent on the characteristics appropriate to the
scheme: quality of the reference framework; certification by stage; status of
the certification body and involvement of the DPA; European character of the
certificate; independence and competence of the evaluators; effective controls
and sanctions; harmonization of evaluations and implementations.
At the same time, the framework of the scheme should be embedded in a holistic
approach to data protection and privacy (PbD, accountability, responsibility)
and thus make it possible to improve its effectiveness. At the very least,
undertaking certification should be an easy and fast step.
But the feasibility and viability of such a scheme will depend on the
involvement of all private and public actors in a "society project" and on the
capacity of the political institutions to support a European design of data
protection and privacy. One might take as an example the "precautionary
principle" which was defined at the Rio conference for environmental
protection.
The various methods for evaluating the cost of data compromise and the return
on investment related to data protection have shown their limits.
This is not enough to convince organizations that seek immediate gains.
Therefore, a certification scheme should be accompanied by economic incentives
or even regulatory provisions where feasible.
Lastly, its success will be very closely tied to that of the revision of the
directive and, more generally, to the evolution of the European texts,
depending on their enforcement and their effective and harmonious application
across all Member States.