Promoting data protection by privacy-enhancing technologies
The purpose of this Communication is to define objectives to achieve better protection of privacy through the use of information and communication technologies and to define precise actions to achieve these objectives.
Communication from the Commission to the European Parliament and the Council on promoting data protection by privacy-enhancing technologies [COM(2007) 228 final - Not published in the Official Journal].
The Commission considers that privacy-enhancing technologies (PETs) should be developed and more widely used, in particular where personal data are processed through information and communication technology (ICT) networks. It considers that wider use of these technologies would improve the protection of privacy.
In its Communication on a strategy for a secure Information Society, it invites the private sector to "stimulate the deployment of security-enhancing products, processes and services to prevent and fight ID theft and other privacy-intrusive attacks". Furthermore, in its Roadmap for a pan-European eIDM Framework by 2010, it indicates that one of the key principles governing electronic identity management is that "the system must be secure, implement the necessary safeguards to protect the user's privacy, and allow its usage to be aligned with local interest and sensitivities".
The purpose of this Communication, which follows on from the Communication on a strategy for a secure Information Society, the Roadmap for a pan-European eIDM Framework by 2010 and the First Report on the implementation of the Data Protection Directive, is to define objectives for achieving better protection of privacy and to determine clear actions for meeting them, by supporting the development of PETs and their use by data controllers and consumers.
First objective: to support the development of PETs
If PETs are to be widely used, there needs to be further design, development and manufacturing of PETs. Although these activities are already undertaken to a certain degree by the public and private sectors, the Commission considers that they should be stepped up. With this aim in mind, the need for PETs and their technological requirements should be identified and RTD activities should develop the tools. Finally, the Commission will encourage stakeholders to meet and discuss these technologies.
As the need for and technological requirements of PETs are identified, concrete action has to be taken to arrive at an end-product ready to use. In the future, under the 7th Framework Programme, the Commission intends to support other research and technological development (RTD) projects and large-scale pilot demonstrations to develop and stimulate the uptake of PETs. The Commission also calls on national authorities and on the private sector to invest in the development of PETs.
Second objective: to support the use of available PETs by data controllers
The Commission calls on all data controllers to incorporate and apply PETs in their processes more widely and systematically. For that purpose, the Commission will organise seminars with key actors of the ICT industry, and in particular PETs developers, with the aim of analysing their possible contribution to promoting the use of PETs among data controllers. It will also conduct a study on the economic benefits of PETs and disseminate its results in order to encourage enterprises, in particular SMEs, to use them.
Furthermore, the Commission will assess the need to develop standards regarding the lawful processing of data with PETs.
Firstly, the Commission will consider the need for respect of data protection rules to be taken into account in standardisation activities. It may invite the European Standardisation Organisations (CEN, CENELEC, ETSI) to assess specific European needs and subsequently to bring them to the international level by means of applying the current agreements between European and international standardisation organisations.
Secondly, the Commission considers that this is an area where coordination of national practice could contribute positively to promoting the use of PETs. It is calling on the Article 29 Working Party to continue its work in the field by including in its programme ongoing analysis of the needs for incorporating PETs in data-processing operations. This work should then produce guidelines for data-protection authorities to implement at national level through coordinated adoption of the appropriate instruments.
Moreover, many data-processing operations are conducted by public authorities in the exercise of their competences, both at national and at Community level. They are themselves bound to respect fundamental rights, including the right to protect personal data.
The Commission therefore considers that public authorities should set a clear example in this field. It calls on governments to ensure that data-protection safeguards are embedded in eGovernment applications, including through the widest possible use of PETs in their design and implementation. As for Community institutions and bodies, the Commission calls on them to comply with the requirements of Regulation (EC) No 45/2001. The European Data Protection Supervisor could contribute with his advice to drawing up internal rules relating to the processing of personal data.
Third objective: to encourage consumers to use PETs
A consistent strategy must be adopted to raise consumer awareness of the risks involved in processing their data and of the solutions that PETs may provide. With this in mind, the Commission intends to launch a series of EU-wide awareness-raising activities on PETs.
The main responsibility for conducting this activity falls within the realm of national data-protection authorities, which already have valuable experience in this area. The Commission calls on them to increase their awareness-raising activities to include information on PETs through all possible means within their reach. It also urges the Article 29 Working Party to coordinate national practice in a coherent work plan for awareness-raising on PETs and to serve as a meeting point for the sharing of good practice already in place at national level.
The Commission also intends to investigate the feasibility of an EU-wide system of privacy seals. With this in mind, and taking account of previous experience concerning seal programmes in other areas (e.g. environment, agriculture, security certification for products and services), it will conduct a dialogue with all the stakeholders concerned, including national data-protection authorities, industrial and consumer associations and standardisation bodies.