Friday, 8 January 2010

EU privacy, data protection - Art 29 working party "Future of Privacy" response to Commission consultation & other Art 29 WP developments

1. Privacy & data protection in the EU

Summary and overview

The EU's Article 29 Working Party has published The Future of Privacy (WP 168).

It's a good, well-informed summary of the current position and current thinking on the way ahead, and repays close reading given the status of the WP (effectively its members are the privacy & data protection regulators or supervisors of the EU member states). So I'll cover it in some detail.

This paper is its 28-page response (made jointly with the Working Party on Police and Justice) to the Commission's curiously question-light consultation on the legal framework for the fundamental right to protection of personal data in the EU.

The response recommends that while better application of existing data protection principles would be beneficial, a new comprehensive legal framework for data protection is needed in the EU (including in cooperation on criminal matters), with possible additional regulation specific to industry sectors or member states.

In brief, the response says that the new framework should:

  • clarify key issues like:
    • consent (opt in / opt out confusion; not using "consent" when it's not the appropriate legal basis for processing)
    • transparency (as a pre-condition to valid consent and fair processing), and
    • applicable law (i.e. whether and which EU member state law applies, especially for multinationals with offices in more than one EU country. The WP is currently working on an opinion on the concept of applicable law, see para 28 of the Future of Privacy report, which may well be published in 2010, possibly with recommendations for a future legal framework)
  • introduce principles like accountability and privacy by design, including privacy-protective defaults and use of standards-compliant privacy enhancing technologies or PETs (binding on technology designers & engineers, hardware manufacturers and developers as well as data controllers)
  • make improvements like cutting down on red tape and facilitating binding corporate rules (BCRs), and
  • harmonise and beef up the independence, powers, say and resources of national data protection authorities (DPAs);

and that the Commission should take forward initiatives towards a binding international framework based on global standards (such as the Madrid Resolution) to facilitate transborder data flows while protecting personal data, and bilateral agreements (at least as protective as global standards) such as may be developed by the EU-US High Level Contact Group on information sharing, privacy and personal data protection.

Some specific points of interest

Globalisation and accountability (para 39, emphasis added):

"from a general point of view, a new provision could be included in the new legislative framework pursuant to which data controllers would remain accountable and responsible for the protection of personal data for which they are controllers, even in the case the data have been transferred to other controllers outside the EU" [do they mean to include processors outside the EU?]

Privacy by design (PbD) and privacy enhancing technologies (PETs): a "broader and consistent" principle of privacy by design should (emphasis added):

"be binding for technology designers and producers as well as for data controllers who have to decide on the acquisition and use of ICT. They should be obliged to take technological data protection into account already at the planning stage of information-technological procedures and systems. Providers of such systems or services as well as controllers should demonstrate that they have taken all measures required to comply with these requirements…

48. The application of such principle would emphasize the need to implement privacy enhancing technologies (PETs), 'privacy by default' settings and the necessary tools to enable users to better protect their personal data (e.g., access controls, encryption). It should be a crucial requirement for products and services provided to third parties and individual customers (e.g. WiFi-Routers, social networks and search engines). In turn, it would give DPAs more powers to enforce the effective implementation of such measures."

Recommended PET principles (para 53), emphasis added:

"• Data Minimization…
• Controllability: an IT system should provide the data subjects with effective means of control concerning their personal data. The possibilities regarding consent and objection should be supported by technological means.
• Transparency: both developers and operators of IT systems have to ensure that the data subjects are sufficiently informed about the means of operation of the systems. Electronic access / information should be enabled.
• User Friendly Systems
• Data Confidentiality: it is necessary to design and secure IT systems in a way that only authorised entities have access to personal data.
• Data Quality: data controllers have to support data quality by technical means. Relevant data should be accessible if needed for lawful purposes.
• Use Limitation: IT systems which can be used for different purposes or are run in a multi-user environment (i.e. virtually connected systems, such as data warehouses, cloud computing, digital identifiers) have to guarantee that data and processes serving different tasks or purposes can be segregated from each other in a secure way."

Examples of PbD (emphasis added):

"• Biometric identifiers should be stored in devices under control of the data subjects (i.e. smart cards) rather than in external data bases.
• Video surveillance in public transportation systems should be designed in a way that the faces of traced individuals are not recognizable or other measures are taken to minimize the risk for the data subject. Of course, an exception must be made for exceptional circumstances such as if the person is suspected of having committed a criminal offence.
• Patient names and other personal identifiers maintained in hospitals' information systems should be separated from data on the health status and medical treatments. They should be combined only in so far as it is necessary for medical or other reasonable purposes in a secure environment.
• Where appropriate, functionality should be included facilitating the data subjects' right to revoke consent, with subsequent data deletion in all servers involved (including proxies and mirroring)."

Empower data subjects (paras 59 to 69):

"Changes in the behaviour and role of the data subject and the experience with Directive 95/46/EC require a stronger position for the data subject in the data protection framework… [especially children]

the possibility for class action procedures should be introduced in Directive 95/46/EC…

data controllers should provide for complaints procedures which are
more easily accessible and more effective and affordable…

A general privacy breach notification should be introduced…

Consent - [In cases] when there is a clear unbalance between the data subject and the data controller (for example in the employment context or when personal data must be provided to public authorities)… [and where] complexity… outstrips the individual’s ability or willingness to make decisions to control the use and sharing of information through active choice… consent is an inappropriate ground for processing… particularly in the context of the internet, where implicit consent does not always lead to unambiguous consent [and] Giving the data subjects a stronger voice ‘ex ante’, prior to the processing of their personal data by others, however requires explicit consent (and therefore an opt-in) for all processing that is based on consent... The new legal framework should specify the requirement of consent, taking into account the observations made above…

Redress - Several elements of the Directive… such as the liability provision and the possibility to claim immaterial [i.e. intangible, non-financial] damages, have not been implemented by all Member States…[and] the interpretation of the Directive in the Member States is not always uniform… As globalisation increases… It is therefore of great importance that harmonisation be improved... if needed by specifying legislative provisions.

[Given the rise of UGC, social networks & cloud computing etc] whoever offers services to a private individual should be required to provide certain safeguards regarding the security, and as appropriate the confidentiality of the information uploaded by users, regardless of whether their client is a data controller…"

Strengthen data controllers' responsibilities (Chapter 6):

Embedding data protection in organisations, including proactive transparent policies, processes & mechanisms, compliance reports, audits and privacy impact assessments, data protection officers and "Certification of compliance by top level company executives confirming that they have implemented appropriate safeguards to protect personal data" (para 77).

"introduce… an accountability principle. Pursuant to this principle, data controllers would be required to carry out the necessary measures to ensure that substantive principles and obligations of the current Directive are observed when processing personal data. Such provision would reinforce the need to put in place policies and mechanisms to make effective the substantive principles and obligations of the current Directive… [and] would require data controllers to have the necessary internal mechanisms in place to demonstrate compliance to external stakeholders, including national DPAs… the measures expected from data controllers should be scalable and take into consideration the type of company, whether large or small, and of limited liability, the type, nature and amount of the personal data by the controller, among other criteria…." (para 79)

"Notifications of data processing operations with national DPAs could be simplified or diminished… better data governance and accountability requirements may achieve the same purposes… It should be explored whether and to what extent notification could be limited to those cases where there is a serious risk to privacy, enabling DPAs to be more selective and concentrate their efforts to such cases… This could be combined with a registration system [for all data controllers]"

Strengthen and clarify data protection authorities' roles and cooperation

"The new challenges to data protection (globalisation and the technological changes, Chapters 3 and 4) require strong supervision by DPAs, in a more uniform and effective way. As a consequence, the new framework should guarantee uniform standards as for independence [institutional, functional and material including adequate funding and resources], effective powers, an advisory role in the legislation making process and the ability to set their own agenda by, in particular, setting priorities regarding the handling of complaints, all on a high and influential level…

On the other hand, DPAs need to be accountable for the way they make use of their stronger supervisory role. They should be transparent in this regard and publicly report on the way they operate and the priorities they set…

it should be ensured that all issues relating to the processing of personal data, in particular in the area of police and judicial cooperation in criminal matters, will be included in the activities of the current WP29…

[the] changing emphasis in law enforcement has led to a dramatic increase of the storage and exchange of personal data in relation to activities of the police and justice sector. The technological possibilities to easily combine information may have a profound impact on the privacy and data protection of all citizens and on the very possibility for them to really enjoy and be able to exercise their fundamental rights, in particular whenever freedom of movement, freedom of speech, and freedom of expression are at issue… a future legal framework should address in particular… [the surveillance society… data mining and risk assessments, stigmatisation, false negatives, false positives, conditions & safeguards on processing the personal data of non-suspects, the use of biometric data]… there may be added value in basing information exchange on a consistent strategy… Transparency is an essential element…

[On systems architecture] -

• Privacy by design and PETs (certification scheme) should determine the architecture. In the area of freedom, security and justice where public authorities are the main actors and every initiative aimed at increasing surveillance of individuals and increasing the collection and use of personal information could have a direct impact on their fundamental right to privacy and data protection, those requirements could be made compulsory.
• Purpose limitation and data minimization should remain guiding principles.
• Access to large databases must be configured in such a way that in general no direct access on line to data stored is allowed, and a hit/no hit system or an index system is in general considered preferable.
• The choice between models with central storage, meaning systems with a central database on EU-level and decentralised storage should be made on transparent criteria and in any event ensure a solid arrangement providing for clear definition of the role and responsibilities of the controller/s and ensuring the appropriate supervision by the competent data protection authorities.
• Biometric data should only be used if the use of other less intrusive material does not present the same effect."
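The hospital example earlier (identifiers held apart from health data and recombined only for a necessary purpose) and the hit/no-hit access model for large databases just above can both be sketched in a few lines of Python. This is an added illustration, not code from the Working Party paper or from this blog; the two stores, the HMAC-keyed index, the "treatment" purpose and the patient records are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample stores (hypothetical, not from the report). Identity and
# health data live apart and are linked only by a random pseudonym.
IDENTITY_STORE = {}   # pseudonym -> {"name": ..., "dob": ...}
HEALTH_STORE = {}     # pseudonym -> list of diagnoses
ACCESS_LOG = []       # every attempt to recombine them, for later supervision

# Hit/no-hit index: holds keyed tokens, never the records themselves, so a
# query can learn only whether a matching record exists.
INDEX_KEY = secrets.token_bytes(32)
INDEX = set()


def index_token(name, dob):
    """HMAC the identifying attributes so the index stores no raw names or dates."""
    msg = f"{name.strip().lower()}|{dob}".encode()
    return hmac.new(INDEX_KEY, msg, hashlib.sha256).hexdigest()


def admit_patient(name, dob, diagnosis):
    """Store identity and health data separately; return the linking pseudonym."""
    pid = secrets.token_hex(8)
    IDENTITY_STORE[pid] = {"name": name, "dob": dob}
    HEALTH_STORE.setdefault(pid, []).append(diagnosis)
    INDEX.add(index_token(name, dob))
    return pid


def hit_no_hit(name, dob):
    """Answer only 'is there a record?' with no online access to either store."""
    return index_token(name, dob) in INDEX


def recombine(pid, requester, purpose, authorised=("treatment",)):
    """Join identity and health data only for an authorised purpose, and log
    every request (granted or denied) so a DPO or DPA can audit it."""
    if purpose not in authorised:
        ACCESS_LOG.append((requester, pid, purpose, "denied"))
        raise PermissionError(f"{purpose!r} is not an authorised purpose")
    ACCESS_LOG.append((requester, pid, purpose, "granted"))
    return {**IDENTITY_STORE[pid], "health": list(HEALTH_STORE[pid])}
```

A caller that only needs to know whether a person is known gets a boolean from `hit_no_hit`; the actual record is released by `recombine` alone, which enforces purpose limitation and leaves an audit trail.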


By and large the paper makes sense, and it has to be right that data protection authorities ought to be given greater independence, powers and resources (as I've observed in the context of why PETs aren't being adopted, i.e. low penalties for privacy breaches and lack of resources and enforcement powers).

I'm glad that much of what is in the paper ties in with my suggested data dozen for privacy-protective identity management systems.

But I think that any future legislation needs to take specific account of human psychology and the engineering of consent (discussed in point 4 of my data dozen post).

And obviously many areas need a great deal of further thought and work, such as cross border data transfers and dealing with third party uploading of an individual's personal data on social networks such as Facebook.

It will be very interesting to see the Commission's proposals in the light of this and other responses to their consultation on the legal framework for data protection. But I wouldn't expect any proposals for legislation in the near future.

2. Other Article 29 WP developments

The Article 29 Working Party has been quite active generally.

You'll recall that the SWIFT provisional agreement, which allows the US authorities, from 1 Feb 2010, to get info on EU banking transactions, was made (coincidentally or not) just before the Lisbon Treaty gave the European Parliament more say in things EU.

In this context the Article 29 Working Party has expressed its "deep regrets for not having been consulted earlier, and strongly reiterated its wish to be consulted in the drafting process of the mandate for the future agreement in the coming months".

The Article 29 WP has also issued:

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.