Monday, 22 March 2010

EDPS calls for privacy by design for social networks, RFID, advertising; & accountability

The European Data Protection Supervisor Peter Hustinx has issued an opinion on "Promoting trust in the information society by fostering data protection and privacy" of 18 March 2010,  for the European Commission's new European Digital Agenda.

He advocates the adoption of privacy by design (PbD) both generally as well in specific areas such as social networking (privacy-friendly defaults etc).

From the press release of 22 March 2010:

"the opinion discusses the measures that could be either undertaken or promoted by the European Union to guarantee individuals' privacy and data protection rights when making use of information and communication technologies (ICTs). Radio Frequency Identification (RFID), social networks, eHealth, eTransport are only a few examples.

The opinion emphasizes that trust is a core issue in the emergence and successful deployment of ICTs. Those technologies offer great opportunities and benefits but they also carry new risks. Ensuring that the use of ICTs does not jeopardize individuals' fundamental rights to privacy and data protection is a key factor to secure users' trust in the information society."

The conclusions in the opinion (emphasis added) are:

"He recommends the Commission to follow four courses of action:
a) Propose to include a general provision on Privacy by Design in the legal framework for data protection. This provision should be technology neutral and compliance should be mandatory at different stages;
b) Elaborate this general provision in specific provisions, when specific legal instruments in different sectors are proposed. These specific provisions could already now be included in legal instruments; on the basis of Article 17 of the Data Protection Directive (and other existing law);
c) Include PbD as a guiding principle in Europe's Digital Agenda;
d) Introduce PbD as a principle in other EU-initiatives (mainly non legislative).
116. In three designated ICT areas, the EDPS recommends the Commission to evaluate the need to put forward proposals implementing the principle of Privacy by Design in specific ways:
a) In relation to RFID, propose legislative measures regulating the main issues of RFID usage in case the effective implementation of the existing legal framework through self-regulation fails. In particular, provide for the opt-in principle at the point of sale pursuant to which all RFID tags attached to consumer products would be deactivated by default at the point of sale;
b) In relation to social networks, prepare legislation which would include, as a minimum, an overarching obligation requiring mandatory privacy settings, coupled with more precise requirements, on the restriction of access to user profiles to the user's own, self-selected contacts, and providing that restricted access profiles should not be discoverable by internal/external search engines;
c) In relation to targeted advertising, consider legislation mandating browser settings to reject third party cookies by default and require users to go through a privacy wizard when they first install or update the browser.
117. Finally, the EDPS suggests the Commission to:
a) Consider implementing the accountability principle in the existing data protection Directive, and
b) Develop a framework of rules and procedures to implement the security breach notification provisions of the e-Privacy Directive, and extend them to apply generally to all data controllers."

I'm not sure how well rejecting third party cookies by default would work, but a wizard would certainly help. Personally, I think any wizard would be needed not just on first installation or updating but generally, to help people understand how to deal with third party cookies.

For more from the EDPS recently see the EDPS guidelines on video surveillance.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.