MEMO/07/159
Brussels, 2 May 2007
The Charter of Fundamental Rights of the European Union recognises in Article 8 the right to the protection of personal data. This fundamental right is developed by the European legal framework on the protection of personal data, consisting mainly of the Data Protection Directive[1] and the ePrivacy Directive[2]. They lay down several substantive provisions imposing obligations on the data controller and recognising rights of the data subject, prescribing sanctions and appropriate remedies in cases of breach, and establishing enforcement mechanisms to make them effective.
However, this formal scheme may face considerable obstacles in practice. These derive from the difficulties linked with the very technology used, which involves data processing by different actors in different locations, and from the hurdles intrinsic to the enforcement of national administrative and court rulings in another jurisdiction, especially in non-EU countries.
Although, strictly speaking, it is data controllers who bear legal responsibility for complying with data protection rules, those who design technical specifications and those who actually build or implement applications or operating systems also bear some responsibility for the data protection aspects from a societal and ethical point of view.
The legal framework aims to minimise the processing of personal data and to use anonymous or pseudonymous data where possible. A further step in pursuit of that aim could be supported by measures called Privacy Enhancing Technologies, or PETs, which would help ensure that breaches of the data protection rules and violations of individuals' rights are not only forbidden and subject to sanctions, but also technically more difficult.
This Communication follows from the First Report on the implementation of the Data Protection Directive[3].
What are PETs?
The use of PETs can help to design information and communication systems and services in a way that minimises the collection and use of personal data and facilitates compliance with data protection rules. The use of PETs should make breaches of certain data protection rules more difficult and/or help to detect them.
Several examples of PETs can be mentioned here.
The Commission expects that wider use of PETs would improve the protection of privacy as well as help fulfil the data protection rules.
The use of PETs would be complementary to the existing legal framework and enforcement mechanisms. In fact the intervention of different actors in the data processing and the existence of the different national jurisdictions involved could make enforcement of the legal framework difficult.
With PETs, certain breaches of data protection rules, resulting in invasions of fundamental rights including privacy, could be avoided because they would be technologically more difficult to carry out. PETs need to be applied according to a regulatory framework of enforceable data protection rules providing a number of negotiable levels of privacy protection for all individuals. The use of PETs does not mean that operators can be discharged from certain of their legal obligations (e.g. granting individual users a right of access to their data).
Important public interests could also be better served. PETs should be developed as a tool to ensure that the law is respected and not breached. The data protection legal framework provides that restrictions to the general principles and interference in the rights of individuals are possible for important public interests such as public security, the fight against crime or public health. The conditions for that are laid down in Article 13 of the Data Protection Directive and Article 15 of the ePrivacy Directive, and are substantially similar to those set by Article 8 of the European Convention on Human Rights (ECHR), namely that such interference is done in accordance with the law and is necessary in a democratic society for important public interests.
The European Commission supports PETs
To pursue the objective of enhancing the level of privacy and data protection in the Community, the Commission intends to conduct the following activities:
Further information on European research on PETs
European research projects in this field are funded as part of the Information Society Technologies (IST) programme.
See http://cordis.europa.eu/ist/trust-security/projects.htm
Examples of significant IST research projects in this field:
Project PRIME: developing solutions on privacy-enhancing identity management, http://cordis.europa.eu/fetch?CALLER=PROJ_IST&ACTION=D&RCN=71383
Project FIDIS: developing new ways of identifying individuals, e.g. so-called virtual identities, embodying concepts such as pseudonymity and anonymity, http://cordis.europa.eu/fetch?CALLER=PROJ_IST&ACTION=D&RCN=71399
To find out more about Vice President Frattini's work please visit his website: http://www.ec.europa.eu/commission_barroso/frattini/index_en.htm
[1] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, p. 31.
[2] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31.07.2002, p. 37.
[3] COM (2003) 265(01), 15.5.2003, see http://eurlex.europa.eu/LexUriServ/site/en/com/2003/com2003_0265en01.pdf