EDPS and PbD

March 23, 2010

The European Data Protection Supervisor (EDPS) adopted last week an opinion on ‘Promoting trust in the information society by fostering data protection and privacy’ as an input to the European Commission’s forthcoming European Digital Agenda. The opinion discusses the measures that the European Union could either undertake or promote to guarantee individuals’ privacy and data protection rights when they make use of information and communication technologies (ICTs). Radio Frequency Identification (RFID), social networks, eHealth and eTransport are only a few examples.

The opinion takes an orthodox stance and emphasises that trust is a core issue in the emergence and successful deployment of ICTs, which the EDPS sees as offering great opportunities and benefits but also as carrying new risks. Ensuring that the use of ICTs does not jeopardise individuals’ fundamental rights to privacy and data protection is a key factor in securing users’ trust in the information society.

Although the EDPS acknowledges that the EU has a strong data protection regulatory framework, he sees many instances where ICTs raise new concerns that the existing framework does not account for. He therefore considers that further action is necessary to strengthen this framework. The EDPS believes that such action requires providing for the principle of “Privacy by Design”, whereby ICTs are designed and developed taking privacy and data protection requirements into account from the very inception of the technology and at all stages of its development.

Peter Hustinx, EDPS, says: “The potential benefits of ICT can only be enjoyed in practice if they are able to generate trust. Such trust will only be secured if ICTs are reliable, secure, under individuals’ control and if the protection of their personal data and privacy is guaranteed. To significantly minimise the risks and to secure users’ willingness to rely on ICTs, it is crucial to integrate, at practical level, data protection and privacy from the very inception of new ICTs. This need for a ‘Privacy by Design’ approach should be reflected in the EU data protection legal framework at different levels of laws and policy making.”

In order to further strengthen the European data protection legal framework, the EDPS calls on the European Commission to pursue the following courses of action:

· Privacy by Design general approach: Privacy by Design needs to be explicitly included as a general binding principle in the existing data protection legal framework. This would compel its implementation by data controllers and by ICT designers and manufacturers, while giving enforcement authorities more legitimacy to require its effective application in practice. Privacy by Design should also be fully endorsed by the forthcoming European Digital Agenda and become a binding principle in future EU policies;

· Privacy by Design in particular sectors: in three ICT areas presenting specific risks to privacy and data protection, the EDPS recommends implementing Privacy by Design along the following lines: a) RFID: to propose legislative measures regulating the main issues of RFID usage if self-regulation does not deliver the expected results (e.g. to provide for the opt-in principle at the point of sale); b) Social networks: to consider legislation that would make privacy-by-default settings mandatory; c) Browser settings and targeted advertising: to consider legislation that would require browsers to ship with privacy-by-default settings, so that users’ consent to receiving advertisements is obtained explicitly;

· Accountability: to implement the accountability principle in the existing Data Protection Directive;

· Security breach notification: to start work towards the adoption of the implementing measures for the security breach provisions of the ePrivacy Directive, and to extend them so that they apply generally to all data controllers.

The full opinion can be consulted here.