Brussels, 2 May 2007
The Charter of Fundamental Rights of the European Union recognises in Article 8 the right to the protection of personal data. This fundamental right is developed by the European legal framework on the protection of personal data consisting mainly of the Data Protection Directive and the ePrivacy Directive. They lay down several substantive provisions imposing obligations on the data controller and recognizing rights to the data subject, prescribing sanctions and appropriate remedies in cases of breach, and establishing enforcement mechanisms to make them effective.
However, this formal scheme may face considerable obstacles to impose itself in practice, deriving from the difficulties linked with the very technology used, which involves data processing by different actors in different locations, and with the hurdles intrinsic to the enforcement of national administrative and court rulings in another jurisdiction, especially in non-EU countries.
Although strictly speaking it is data controllers who bear legal responsibility for complying with data protection rules, also those who design technical specifications and those who actually build or implement applications or operating systems bear some responsibility for the data protection aspects from a societal and ethical point of view.
A further step to pursue the aim of the legal framework whose objective is to minimise the processing of personal data and using anonymous or pseudonymous data where possible, could be supported by measures called Privacy Enhancing Technologies or PETs - that would facilitate ensuring that breaches of the data protection rules and violations of individual's rights are not only something forbidden and subject to sanctions, but technically more difficult.
This Communication follows from the First Report on the implementation of the Data Protection Directive.
What are PETs?
The use of PETs can help to design information and communication systems and services in a way that minimises the collection and use of personal data and facilitate compliance with data protection rules. The use of PETs should result in making breaches of certain data protection rules more difficult and/or helping to detect them.
Several examples of PETs can be mentioned here.
The Commission expects that wider use of PETs would improve the protection of privacy as well as help fulfil the data protection rules.
The use of PETs would be complementary to the existing legal framework and enforcement mechanisms. In fact the intervention of different actors in the data processing and the existence of the different national jurisdictions involved could make enforcement of the legal framework difficult.
PETs would bring about that certain breaches to data protection rules, resulting in invasions of fundamental rights including privacy, could be avoided because they would be technologically more difficult to carry out. PETs need to be applied according to a regulatory framework of enforceable data protection rules providing a number of negotiable levels of privacy protection for all individuals. The use of PETs does not mean that operators can be discharged of certain of their legal obligations (e.g. granting individual users a right of access to their data).
Important public interests could also be better served. PETs should be developed as a tool to ensure that the law is respected and not breached. The data protection legal framework provides that restrictions to the general principles and interference in the rights of individuals are possible for important public interests such as public security, the fight against crime or public health. The conditions for that are laid down in Article 13 of the Data Protection Directive and Article 15 of the ePrivacy Directive, and are substantially similar to those set by Article 8 of the European Convention on Human Rights (ECHR), namely that such interference is done in accordance with the law and is necessary in a democratic society for important public interests.
The European Commission supports PETs
To pursue the objective of enhancing the level of privacy and data protection in the Community the Commission intends to conduct following activities:
Further information on European research on PETs
European research projects in this field are funded as part of the Information Society Technologies (IST) programme
Examples of significant IST research projects in this field:
Project PRIME: developing solutions for solutions on privacy-enhancing identity management
Project FIDIS: developing new ways for identifying individuals, eg so-called virtual identities, embodying concepts such as pseudonymity and anonymity,
To find out more about Vice President Frattini's work please visit his website: http://www.ec.europa.eu/commission_barroso/frattini/index_en.htm
 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, p. 31.
 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31.07.2002, p. 37.
 COM (2003) 265(01), 15.5.2003, see http://eurlex.europa.eu/LexUriServ/site/en/com/2003/com2003_0265en01.pdf