Technology-induced challenges in Privacy & Data Protection in Europe - PART II

By ENISA
Published Monday, 1 December, 2008 - 18:44

Today, privacy and the protection of personal data are critical challenges for the development of information and communication technologies (ICT) systems and applications. This article discusses a recent report by ENISA and some of its recommendations.

SECURITY INCIDENTS DISCLOSURE

Effective privacy protection is only possible if information about the security and privacy risks of the data processing, and about the security and privacy incidents in which personal data are involved, is communicated appropriately and in a timely manner.

We recommend that the European Commission introduce a comprehensive security breach notification law. In particular, it should enable not only DPAs but also individuals to better identify and react to such incidents, so that citizens can understand how security and privacy incidents may concern them and react appropriately. Further, we recommend that standardisation bodies consider working on formats and protocols which help ICT systems on the user's side interpret these notifications.

CERTIFICATION

Work on providing purely economic incentives for compliance has so far met with little success. Therefore, work should be done on other ways of motivating compliance. For example, Member States should design tools for companies to provide certification or self-certification of compliance with data protection legislation when applying for public procurement. Member States should promote and regulate certification schemes, also involving consumer associations: tax incentives for compliant companies should be provided by Member States, and Member States should consider absolving companies from certain reporting requirements on the condition that they hold privacy certification (as in the Swiss Ordinance on Data Protection Certification, DPCO/VDSZ [1], effective as of January 1, 2008). Effective sanctions (and compensation) for the violation of data protection law should be provided (e.g., sanctions on a daily basis or punitive damages).

We recommend that the European Commission encourage the development of privacy certification processes and develop tax and other legislation to motivate such certification. We also recommend that standardisation bodies contribute to standardising certification referentials for privacy. Supervision tools and Best Available Techniques will be important pieces of a comprehensive certification framework.

SUPERVISION TOOLS

Data Protection Authorities (DPAs) face difficulties in inspecting and auditing the systems that process personal data, and industry lacks adequate tools to conduct internal privacy audits. Neither the current state of the art in technology nor the legal framework provides the means to supervise and inspect easily the processing conducted by data controllers. Standardised supervision tools, with automated and possibly remote access for DPAs, should be made available so that inspection powers can be enforced appropriately and continuously. In addition, these tools should provide non-repudiable traceability of systems. Such tools could therefore contribute to improving the inspection processes and ease the analysis of a privacy breach; finally, supervision tools will enhance the transparency and information about the processing that is provided to the user. We recommend that the European Commission fund research on efficient privacy supervision tools allowing for reliable and trusted auditing; such tools should then be systematically implemented by data controllers to ensure continuous privacy monitoring, and DPAs should also use those tools in order to automate their inspections.

BEST AVAILABLE TECHNIQUES

In order to enable the timely and effective auditing and certification of data collection and processing systems, both industry and DPAs need an established set of sectoral Best Available Techniques (BATs) regarding privacy and security issues. This allows for a checklist-like approach to assessing privacy compliance, establishing a base-level certification on which further analysis and supervision tools can be based. We recommend that the Commission propose a legal instrument which will define the required structure and procedures for identifying these BATs. This instrument should foresee the involvement of all relevant stakeholders; its deliverables should be considered as primary guidelines by supervisory authorities and by the public and private organisations which implement those processing systems.

INCENTIVES AND SANCTIONS

There is a general gap: data controllers are not properly motivated to comply with data protection law. Many Data Protection Authorities are only able to check a small fraction of data controllers, so that non-compliant data processing frequently goes unnoticed. Also, given the weakness of many sanctions, the economic incentives to comply with privacy law are often minimal. We recommend that the European Commission and the Member States encourage an incentive system connected to a certification scheme and an effective economic sanctions system based on BATs, as well as proper auditing and supervision tools.

TO BE OR NOT TO BE PERSONAL DATA

Despite recent efforts by the Article 29 Working Party to clarify the notion of personal data, this concept is still often challenged. Even when industry believes that no personal data are involved, an analysis of privacy risks should be conducted and the system should be designed to minimise privacy risks. In some cases, data may become personal, especially if the means reasonably likely to be used to identify the person evolve as new technologies appear. Therefore, even when data are not intended to become personal, appropriate safeguards should be implemented to prevent that data from becoming personal. We recommend that ENISA develop Privacy Impact Assessment methodologies and that industry include these Privacy Impact Assessments when defining its privacy and security policy. We also recommend that industry develop adequate safeguards to protect individuals' data, whether this data is personal or not.

SOCIAL SORTING

Social sorting such as behavioural marketing may infringe on people's privacy even if the processed data are not personal. Current regulation is scattered across different laws and does not provide effective privacy protection in these cases.

We recommend that the Commission develop and establish a comprehensive legal framework for all data processing affecting individuals, be it personal or non-personal. In practical terms, this could mean demanding a full audit trail of data processing and of the sources of data, and an obligation of better transparency towards the individuals concerned. Further, we recommend that data controllers set up organisational and technical measures which ensure that the individuals concerned can exercise their rights.

PRIVACY, DATA PROTECTION AND SPACE

The Information Society presents a clear challenge for keeping the personal data of citizens within the European jurisdiction. By digitising the personal domain and also its boundaries, the Digital Territory concept offers the opportunity to introduce the notions of territory, property and space into a digital environment. The objective is to provide tools that enable users to manage proximity and distance with others in this future Ambient Intelligence space, in both a legal and a social sense, as is currently the case in the physical world. We recommend that the Article 29 Working Party and the European Commission explore the possibility of applying the notion of territory to the Information Society and of extending, for example, the principle of legal sanctuary applied to the residence to the online world.

FUTURE WORK

Some of the identified gaps relate to privacy risks arising from new business models which target individual consumers through behavioural profiling. The Working Group notes that these issues were recently raised but not resolved in the context of competition inquiries in the United States of America and in the EU, and recommends that ENISA commission a further in-depth study of these issues with special emphasis on behavioural economics. The group also notes that, although some supervisory bodies and the business sector claim that adequate incentives exist for satisfactory self-regulation, existing academic research [2,3] provides very little support for this view. It may be necessary to consider whether new privacy principles and market structures are required to guarantee that competitive forces reinforce (rather than undermine) privacy protection. ENISA is in a good position to promote such research, in its role as an independent facilitator of EU-wide network and information analyses, and to ensure that its conclusions are reflected in EU policies.

We recommend that ENISA commission research to continue work on privacy and technology to gain a deeper understanding. In particular, a thorough analysis should be performed concerning the market structure of online services supported by advertising in general, and the economic influence of behavioural profiling in particular, with a focus on the effective application of data protection principles and the autonomy of the data subject. The study should sceptically evaluate the potential efficacy of self-regulation, and also study whether divergences in the definition of personal data are resulting in regulatory arbitrage [4,5] between Member States.