Businesses eyeing GDPR codes of conduct should get clarity in 2020

Multinational companies keen to adopt EU-wide codes of conduct to show they respect data-privacy rules should get clearer guidance next year on what's needed in particular sectors — but other roadblocks to progress remain.

A year and a half after the entry into force of the General Data Protection Regulation — which promotes codes of conduct as a compliance tool — EU privacy watchdogs have yet to approve the first EU-wide industry code.

The lag has raised questions about the value of dedicating intense work and resources to drafting such codes. But change may come soon.

"A lot of market players are waiting for the first code of conduct to be approved, which will set the standard and baseline for all other codes," said Cornelius Witt, a public policy manager at Scope Europe.

Scope Europe will be responsible for monitoring adherence to the EU Cloud Code of Conduct, one of the more advanced draft codes. The draft code — endorsed by IBM, Oracle and SAP — is currently being reviewed by the Belgian privacy regulator.

Regulators' response — expected as soon as mid-2020 — to some of the ongoing work in the cloud computing, direct marketing, market research, biomedical research and debt collection industries will set the tone for future initiatives and should drive appetite for similar codes in other sectors.

Under the GDPR, companies can sign up to an industry code of conduct, which lists data-protection rules meeting the sector's needs, as a practical and cost-effective way to show regulators they comply with the law. Codes can also be used when transferring data outside the EU.

Proponents stress the benefit to industries of adhering to the principles contained within codes that carry regulators' seal of approval. But some doubt whether the codes will provide the necessary level of detail needed on how the EU's data-protection law applies in a particular area.

Limited life span

In a world where data practices change rapidly, regulators' decisions will need to come quickly if the codes are to be worthwhile for companies.

"Codes of conduct have a limited life span to be useful," said Kim Leonard Smouter-Umans, head of public affairs and professional standards at the European Society for Opinion and Marketing Research, or Esomar.

Esomar, which counts among its members Procter & Gamble, Microsoft, Coca-Cola and Nielsen, is drafting a GDPR code of conduct for the market-research industry.

"If we don't get them done quickly enough, members will find alternative solutions," Smouter-Umans told MLex. "At some point, the market moves on and a code of conduct doesn't add any value; it only adds more headaches."
Codes of conduct aren't a novelty in EU data-protection law. But they featured only in the preamble, rather than the main text, of the EU's 1995 data-protection directive.

Only one pan-European code for a specific industry was put in place under the EU's old privacy law, the Data Protection Directive adopted in 1995. That was from the Federation of European Direct and Interactive Marketing, or Fedma, whose code of practice for the use of personal data took regulators five years to approve.

That said, there are hopes the introduction of the GDPR may speed up the process. Fedma is now in talks with the French privacy watchdog CNIL on revising the code to bring it up to date with the regulation.

Other EU-wide codes in the pipeline are the Federation of European National Collection Associations' Code of Conduct for the debt-collection industry; the Cloud Security Alliance's Code of Conduct; and the Code of Conduct for Health Research.

Benefits

Backers say industry codes have the potential to eliminate legal uncertainty stemming from the GDPR's broad obligations, as well as to align divergent interpretations of the law in different EU countries.

"Codes of conduct drive harmonization and bring clarity to industry on what path to follow on best practices," said Geraldine Proust, EU legal affairs manager at Fedma. "That, in turn, brings clarity and trust to the data subject, because the GDPR is explained in the light of a specific sector."

For companies, codes can be a cheaper tool for showing compliance, compared with certification mechanisms or binding corporate rules.

And significantly, adherence can mean lower fines from regulators for breaches of the GDPR, as the watchdogs are called on to consider whether the infringer has complied with industry principles.

There is also the importance of code compliance as a "trust mark" — an indication that the business is trustworthy — particularly in companies' relationship with people who hand over sensitive data. Codes, then, may well give businesses something of a competitive advantage.

It helps that privacy regulators encourage the drawing-up of codes. The Irish Data Protection Commission, for instance, is driving efforts to create an EU-wide set of guiding principles for Google, Apple, Facebook and others on how to process children's data under the GDPR, and it has invited Big Tech companies in to have their say. In addition, the Dutch privacy regulator helped Esomar in directing its draft code for the market research industry.

Challenges

The difficulty for EU-wide codes — compared with those valid only within one EU country — is that they need the approval first, of the lead national privacy regulator and then, of the bloc's umbrella body of national privacy watchdogs, the European Data Protection Board. This two-step process typically takes several years, especially in the case of codes designed to cover complex processing operations involving sensitive data.

It takes this time partly due to domestic regulators and the EDPB having to agree consistent criteria for the organizations that will enforce EU-wide codes. So far, the EDPB has not approved any national regulator's criteria for accrediting monitoring bodies. Few regulators have submitted draft criteria to the EDPB, and out of those that have, the Austrian and UK watchdogs have had to make changes to meet the umbrella body's recommendations. Monitoring bodies could be subject to fines of up to 10 million euros ($11 million), under the GDPR.

Given that, many industries remain reluctant to start drafting codes, preferring to wait for more clarity from regulators around the approval process and the privacy requirements they should work toward.

The picture is complicated by the fact that EU and national organizations are sometimes simultaneously drafting EU-wide and national codes for the same industry that set out different principles and conditions. This is the case in the health research, market research and direct marketing sectors. There has been no word on whether privacy regulators are working to avoid duplication.

National codes are sometimes requested by domestic regulators, partly to meet new national laws such as ones governing genomics data. That creates a precedent, which EU codes must then consider.

The duplication partly stems from another challenge for EU codes: the GDPR's many derogations, which have meant divergent domestic data-protection rules in the field of employment, for example.

Often, companies simply fail to agree on fundamental GDPR elements, such as who acts as a data controller and who as a data processor; the latter has slightly more lenient obligations to comply with.

"Things you encounter as you start drafting the code [include the question:] 'How do you find the right balance between something which affords a certain amount of flexibility for business to operate and at the same time provides sufficient guidance and prescription?'" said Smouter-Umans from Esomar.

Code drafters also must consider any conflicts between privacy regulation and other laws, such as those governing clinical trials, where reliance on individuals' consent as a legal ground to process their data is problematic for privacy watchdogs. The prospects for successful EU-wide codes for highly-regulated sectors are therefore more limited.

Data transfers

Where companies and privacy experts agree on the legal worth of codes is their role as tools for data transfers outside the EU.

This is especially in focus at a time when the validity of EU-approved model contracts and the EU-US Privacy Shield agreement are being challenged at the EU courts. Brexit is another factor: a set of principles that provides assurance for data transfers may end up being used by UK company partners based in the EU for transfers into Britain, once Britain has exited the EU.

Then again, businesses are still waiting for promised guidance by the EDPB on how to use codes for data transfers. That should come in 2020, most likely following the denouement of the two EU court cases.

Those legal decisions and regulators' expected response to the draft codes in hand mean that next year should bring some relief for companies wanting more light on the data privacy conduct they need to adopt. Otherwise, it remains a waiting game that may end in some players choosing not to participate.