Annexes to COM(2007)228 - Promoting Data Protection by Privacy Enhancing Technologies (PETs)


agreements between European and international standardisation organisations. Where appropriate, the ESOs should establish a specific standardisation work programme covering European needs and thus complementing the on-going work at international level.

- Action 2.2.b) Coordination of national technical rules on security measures for data processing

National legislation adopted pursuant to the Data Protection Directive[11] gives national data protection authorities certain influence in determining precise technical requirements such as providing guidance for controllers, examining the systems put in place or issuing technical instructions. National data protection authorities could also require the incorporation and use of certain PETs where the processing of personal data involved makes them necessary. The Commission considers that this is an area where coordination of national practice could contribute positively to promoting the use of PETs. In particular the Article 29 Working Party[12] could contribute in its role of considering the uniform application of national measures adopted under the Directive. The Commission thus calls on the Article 29 Working Party to continue its work in the field by including in its programme a permanent activity of analysing the needs for incorporating PETs in data processing operations as an effective means of ensuring respect for data protection rules. This work should then produce guidelines for data protection authorities to implement at national level through coordinated adoption of the appropriate instruments.

4.2.3. Action 2.3.: Promoting the use of PETs by public authorities

A considerable number of processing operations involving personal data are conducted by public authorities in the exercise of their competences, both at national and at Community level. Public bodies are themselves bound to respect fundamental rights, including the right to the protection of personal data, and to ensure that others respect them, and should therefore set a clear example.

As regards national authorities, the Commission notes the proliferation of eGovernment applications as a tool for enhancing the effectiveness of public services. As stated in the Commission’s Communication on the Role of eGovernment for Europe’s Future [13], the use of PETs in eGovernment is necessary to provide the trust and confidence needed to ensure its success. The Commission calls upon governments to ensure that data protection safeguards are embedded in eGovernment applications, including through the widest possible use of PETs in their design and implementation.

As for Community institutions and bodies, the Commission itself will ensure that it complies with the requirements of Regulation (EC) 45/2001, in particular through a wider use of PETs in the implementation of ICT applications involving the processing of personal data. At the same time, the Commission calls on other EU institutions to do the same. The European Data Protection Supervisor could contribute with his advice to Community institutions and bodies on drawing up internal rules relating to the processing of personal data. When selecting new ICT applications for its own use, or when developing existing applications, the Commission will consider the possibility of introducing privacy enhancing technologies. The importance of PETs will be reflected in the Commission's overall IT governance strategy. The Commission will also continue to raise awareness among its own staff. However, the implementation of PETs in the Commission's ICT applications depends on the availability of the corresponding products and will have to be evaluated on a case-by-case basis, in line with the application's development cycle.

4.3. Third objective: to encourage consumers to use PETs

Consumers will remain the party most concerned that their personal information is properly used, that data protection rules are properly enacted, and that PETs are an efficient means of guaranteeing them.

Consumers should therefore be made fully aware of the advantages that the use of PETs may bring to diminish the risks posed by operations involving processing of their personal data. They should also be placed in a position where they may exercise an informed choice when purchasing IT equipment and software, or using e-services. This should reflect their awareness of the risks involved, in particular whether PETs offer appropriate protection. Simple and understandable information about possible technological tools to protect privacy must thus be provided to the user. Increased use of PETs and increased use of e-services which incorporate PETs will in turn mean economic reward to the industries using them, and may result in a snowball effect, encouraging other companies to pay greater attention to respecting the data protection rules. In order to achieve this, a series of steps should be taken.

4.3.1. Action 3.1.: Raising awareness of consumers

A consistent strategy should be adopted to raise consumer awareness of the risks involved in processing their data and of the solutions that PETs may provide as a complement to the existing systems of remedies contained in data protection legislation. The Commission intends to launch a series of EU-wide awareness-raising activities on PETs.

The main responsibility for conducting this activity falls within the realm of national data protection authorities which already have relevant experience in this area. The Commission calls on them to increase their awareness-raising activities to include information on PETs through all possible means within their reach. The Commission also urges the Article 29 Working Party to coordinate national practice in a coherent work plan for awareness-raising on PETs and to serve as a meeting point for the sharing of good practice already in place at national level. In particular, consumer associations and other players such as the Consumer Centres Network (ECC-Net), in its role as an EU-wide network to advise citizens on their rights as consumers, could become partners in the quest to educate consumers.

4.3.2. Action 3.2.: Facilitating consumers' informed choice: Privacy Seals

The take-up and use of PETs could be encouraged if the presence of these technologies in a certain product and its basic features are easily recognizable. For that purpose, the Commission intends to investigate the feasibility of an EU-wide system of privacy seals, which would also include an economic and societal impact analysis. The purpose of such privacy seals would be to ensure consumers can easily identify a certain product as ensuring or enhancing data protection rules in the processing of data, in particular by incorporating appropriate PETs.

In order for privacy seals to achieve their purpose, the Commission considers that the following principles should be respected:

- The number of privacy seal systems should be kept to a minimum. A proliferation of seals may create more confusion for consumers and undermine their trust in all seals. Therefore, an assessment should be made of whether, and to what extent, it would be appropriate to integrate a European privacy seal in a more general security certification scheme[14].

- Privacy seals should only be awarded for a product's compliance with a set of standards corresponding to data protection rules. The standards should be as uniform as possible throughout the EU.

- Public authorities, in particular national data protection authorities, should play an important role in the system through their involvement in the definition of relevant standards and procedures as well as in monitoring the functioning of the seal system.

With this in mind, and taking account of previous experience concerning seal programmes in other areas (e.g. environment, agriculture, security certification for products and services), the Commission will conduct a dialogue with all the stakeholders concerned, including national data protection authorities, industrial and consumer associations and standardisation bodies.

[1] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, p. 31.

[2] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31.07.2002, p. 37.

[3] Regulation (EC) 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ L 8, 12.1.2001, p. 1-22.

[4] Recital 46 and Article 14(3) of Directive 2002/58/EC.

[5] COM (2003) 265(01), 15.5.2003, see http://eurlex.europa.eu/LexUriServ/site/en/com/2003/com2003_0265en01.pdf

[6] http://ec.europa.eu/information_society/activities/egovernment_research/doc/eidm_roadmap_paper.pdf

[7] European Court of Justice, judgment of 20.5.2003, Joined cases C-465/00, C-138/01 and C-139/01 “Österreichischer Rundfunk and Others” (“Rechnungshof”), ECR [2003] I-04989, paragraphs 71 and 72.

[8] https://www.prime-project.eu/

[9] http://www.opentc.net/

[10] http://www.ist-discreet.org/

[11] e.g. Article 17.

[12] Working Party on the Protection of Individuals with regard to the Processing of Personal Data set up by Article 29 of Directive 95/46/EC.

[13] COM (2003) 567 final, 26.9.2003.

[14] In its Communication of 31 May 2006 on a Strategy for a secure Information Society “Dialogue, partnership and empowerment” (COM (2006) 251 final), the Commission has already invited the private sector to “work towards affordable security certification schemes for products, processes and services that will address EU-specific needs (in particular with respect to privacy)”.