Monday, 19 July 2010

Privacy enhancing technologies (PETs) - final study on economic benefits for Commission

Just out, Study on the economic benefits of privacy-enhancing technologies (PETs) - Final Report to The European Commission DG Justice, Freedom and Security by London Economics, July 2010. I previously mentioned their interim report.

The final report weighs in at 259 pages. I'm still working my way through it, but from the executive summary:

  • It looks at the benefits of PETs (or privacy by design) for data controllers, not surprisingly - but particularly SMEs, and specific issues such as whether/how the impact of PETs can be measured and whether cooperation/joint action such as Public Private Partnerships of data controllers with national authorities or international organisations would enhance economic benefits.
  • Covers 12 EU Member States selected after consultation with DG Justice, Freedom and Security - the Czech Republic; Denmark; Germany; Estonia; Spain; Ireland; Italy; Hungary; Malta; the Netherlands; Austria; and the United Kingdom.
  • Theoretical part - provides a framework for understanding PETs and the deployment decision faced by data controllers - overview of technologies that together form the ‘PETs universe’ and different classifications for PETs proposed in the literature, then determinants of PETs deployment from an economic perspective.
  • Empirical part - based on stakeholder consultations, surveys of businesses in the 12 states chosen, and detailed case studies, including in more detail 6 specific services such as GENOMatch ("a complex PET designed to be used with highly sensitive personal data (genetic information) in a strictly regulated pharmaceuticals development environment"), pseudonymisation services to ensure data protection compliance on the part of public sector healthcare controllers, location based mobile services, and nightclub fingerprint identification.

The conclusions - economic benefits of PETs are technology-specific and application-specific, and can vary with the application and the business, so the net economic benefit of PETs deployment needs to be assessed on a case-by-case basis -

"There is little evidence that the demand by individuals for greater privacy is driving PETs deployment. The reasons for this include the uncertainties surrounding the risk of disclosure of personal data, a lack of knowledge about PETs, and behavioural biases that prevent individuals from acting in accordance with their stated preference for greater privacy. Data controllers, on the other hand, can derive a variety of benefits from holding and using personal data, including the personalisation of goods and services, data mining, etc. To the extent that PETs limit the ability of data controllers to use personal data, this acts as a disincentive for deployment. In particular, data controllers often favour mere data protection to protect themselves against the adverse consequences of data loss over data minimisation or consent mechanisms which can impede the use of personal data. However, the demand for PETs deployment is much more an important driver in the business-to-business market as well as in settings where individuals are represented by intermediaries that articulate privacy concerns towards data controllers. Even in cases where PETs deployment is potentially beneficial for data controllers, deployment rate may still be low. The uncertainty of some of the costs and benefits of PETs also explains why firms might rationally postpone the deployment of PETs while waiting for more information, in order not to limit their future choices. In addition, there are certain market failures, such as the existence of externalities in PETs deployment, which lead to sub‐optimal deployment rates. Finally, as already noted theories of technology adoption suggest that the adoption rates of PETs may follow an S‐shaped pattern, which means that current, low deployment rates could pick up quickly in the future as the technologies mature and become better known. 
The evidence considered in this study suggests that there is a role for the public sector in helping data controller realise the benefits of PETs. This can take various forms. The most effective appear to be official endorsements of PETs, including through pioneering deployment and official certification schemes, and direct support for the development of PETs, through subsidies to researchers (e.g. the European Framework Programmes).

SMEs are using fewer PETs, and are less convinced of the benefits of PETs, than larger businesses. At the same time, SMEs often store personal data from which they derive no economic benefit. However, SMEs also use less personal data, which suggests that a proportional response to promoting the use of PETs by SMEs will be required."

The point about controllers being disincentivised to use PETs because of the benefits to them of being able to use personal data fully backs up what I've said before on why businesses don't deploy privacy enhancing technologies. Although they didn't mention the stick as well as carrot. (See also thoughts on privacy-preserving identity management systems.)

This study will obviously help inform the Commission as they work on formulating their proposals, due to be published by the end of this year, for updating the EU Data Protection Directive. The EU privacy regulators, the Article 29 Working Party, support PETs / PbD, and Commissioner Reding, in a recent speech of 14 July 2010 (text also here) at a meeting of the Working Party, emphasised the need for public authorities and businesses to apply a "privacy by design" approach (as well as conduct privacy impact assessments). So we don't need a crystal ball to predict some legally binding requirements for PETs on the horizon.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.