Working paper Open Access
This analysis criticizes a major design flaw of the Addendum to the Guidelines 1/2018 on certification and identifying certification criteria per Articles 42 and 43 of the EU General Data Protection Regulation (GDPR) by the European Data Protection Board (EDPB). The possibility for certification owners to set up general certification schemes in addition to specific certification schemes opens up a glaring loophole which will decrease transparency and inhibit a consistent EU-wide application of the law. In its Addendum, the EDPB makes a recognizable effort to close the loophole by specifying further requirements for such general schemes. However, these efforts are merely corrective measures: the fundamental design flaw continues to exist. The consequences are serious: not only does this design flaw contradict the two key regulatory objectives of increasing transparency and supporting consistent EU-wide compliance, but it will also, sooner or later, marginalise specific certification schemes in practice. That is an unfortunate outcome, as specific certification schemes ultimately cost businesses less and are much more effective measures for meeting the two regulatory objectives of the GDPR. This paper analyzes the Addendum with respect to the function of certification schemes in environments which are highly prone to future uncertainties and covered by data protection law.