European Data Protection Supervisor Releases "Inventory" of 2012 Priorities

On January 10, Peter Hustinx, the European Data Protection Supervisor (EDPS), released his annual "Inventory" of issues of strategic importance for 2012, along with an annex of the relevant Commission proposals and other documents that have been recently adopted or otherwise require the attention of the EDPS.  The strategic proposals can be grouped into four main categories:

  • Towards a new legal framework for data protection.  The European Commission has almost finalized its proposal for a new legislative framework, a draft of which was disclosed last month and which is likely to be published by the end of January.  Hustinx will issue an opinion on the legislative proposal in early 2012, closely follow the review process, and continue to fulfill his advisory role throughout the legislative process by intervening at the appropriate stages.
  • Technological developments and the Digital Agenda, IP rights, and Internet.  Of the European Commission's work in the area of new technologies, Hustinx will focus on the policy issues of Internet monitoring, IP enforcement, and takedown procedures (focusing on IP rights and privacy); cloud computing services (focusing on jurisdictional issues); e-Health; and a pan-European framework for electronic identification, authentication, and signature (focusing on e-security and privacy by design).
  • Further developing the Area of Freedom, Security, and Justice.  The items in this area at the top of Hustinx's agenda are immigration, border control, anti-terrorism, and internal security strategy, focusing on ensuring the right balance between privacy and security.
  • Financial sector reform.  Hustinx plans to issue a package of opinions on data protection issues with legislative proposals concerning the regulation and supervision of financial markets and actors, including the legislative package for the revision of the banking legislation; the market abuse regulation; the regulation and the directive on markets in financial instruments; and the revision of the credit rating agencies regulation.

Hustinx also identified trends of focus for 2012, which include:

  • Employment of effective information-gathering and investigative tools by administrative authorities (both EU and national).
  • Significant exchanges of information between national authorities, quite often involving EU bodies and large-scale databases (with or without a central part) of increasing size and processing power.
  • Developments in the field of technology, mainly due to the widespread use of the Internet and geolocation technologies.

The EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies, focusing on monitoring the EU administration's processing of personal data; advising on policies and legislation that affect privacy; and cooperating with similar authorities to ensure consistent data protection.  Hustinx is serving a five-year term as the EDPS, which expires in 2013.

App Privacy is in the News Again

UPDATE:  In the FTC's first case involving apps, the Commission today announced a COPPA settlement with W3 Innovations, a developer of mobile applications for Apple’s iPhone and iPod Touch, which will be required to pay a $50,000 penalty and delete illegally collected data.  The FTC said the app developers illegally collected and disclosed personal information from tens of thousands of children under age 13 without their parents’ prior consent:

In addition to collecting and maintaining children’s email addresses, the FTC alleges that the defendants also allowed children to publicly post information, including personal information, on message boards. These interactive apps send and receive information via the Internet, and are online services covered by the COPPA Rule, according to the FTC complaint.

The FTC’s COPPA Rule requires that website operators notify parents and obtain their consent before they collect, use, or disclose children’s personal information. The Rule also requires that website operators post a privacy policy that is clear, understandable, and complete.

According to the complaint, the defendants did not provide notice of their information- collection practices and did not obtain verifiable parental consent before collecting and/or disclosing personal information from children. The FTC charged that those practices violated the COPPA Rule.

Some say “PC’s may be going the way of the typewriter” given the proliferation of, and growing reliance on, tablets and mobile devices, which are handling more of the computing once done exclusively on personal computers. An article in today’s Wall Street Journal explains:

[m]obile devices have [] helped disrupt the distribution and pricing of software. The "app store" model, pioneered by Apple and emulated by Google and others, has given tablet and smartphone users speedy access to programs that are frequently free or cost less than $5—undermining a model that grew up around stores selling disk-based PC programs that routinely cost $40 to more than $100

With apps come an array of privacy issues.  With software hosted locally, the privacy issues are circumscribed: the user knows who is getting his or her data and how it will be used.  In the app world, which often involves cloud computing, there is a serious question of how app developers will handle privacy. A recent study by the Future of Privacy Forum, founded and co-chaired by Hogan Lovells’ privacy lead Chris Wolf, found that nearly three-quarters of the most-downloaded mobile apps lacked even a basic privacy policy.  In May, Sen. Al Franken (D-Minn.) sent a letter to the chief executives of Apple and Google asking that their companies require app makers to have clear, understandable privacy policies.

A New York Times article today entitled “Industry Tries to Streamline Privacy Policies for Mobile Users” describes a new tool for app developers to create a mobile privacy policy, as well as an industry-led effort to provide an opt-out from targeted advertising based on the collection of user information.  On the issue of whether an app developer should spend money to develop a privacy policy that advises and empowers consumers with respect to the collection and use of their information, Hogan Lovells’ Chris Wolf is quoted:

The cost for a legal consultation, which can range from a couple of hundred dollars to thousands, can also be a deterrent for small app developers looking to create privacy policies. But Christopher Wolf, a partner at the Hogan Lovells law firm and a co-chairman of the Future of Privacy Forum, said app developers should not claim cost as an excuse.

“I think it’s a cop-out for app developers to say they don’t have the budget for it,” Mr. Wolf said. “It’s an investment for any business that deals in consumer data. They ought to build it into the development cost.”

“Privacy by Design,” which has been described as a growing global trend, at a minimum requires app developers to articulate what they are doing with personal data, e.g. in privacy policies. A resource to assist app developers in building privacy into their apps is hosted on a new website, www.applicationprivacy.org, developed by the Future of Privacy Forum.  Also, the Privacy & Advocacy committee of the Mobile Marketing Association (MMA) is focused on outlining global best practices for protecting consumers' private information.  The MMA is hosting a free webinar on September 22 in which Hogan Lovells’ Chris Wolf will participate, described this way:

As mobile marketing continues to grow, the use of data for analysis and personalization has become increasingly important in successfully providing relevant services to users. Some of the uses of mobile data, such as location and device IDs, have started drawing scrutiny by media, policymakers and advocates.

What are the issues that are creating concerns? How can you avoid the risks? What are the emerging best practices? What is the MMA doing? Join leaders of the MMA and the Future of Privacy Forum to learn how you can navigate the legal and policy challenges facing the mobile advertising ecosystem.

Registration for the free MMA webinar is accessible here.


Looking Back at the eG8

In a recent article Christopher Wolf looks back at the eG8 conference and pleads for better transatlantic cooperation on privacy matters, explaining the tension between U.S. First Amendment traditions and certain European proposals, including the right to be forgotten.

French Parliamentary Commission Recommends Privacy Law Reform Citing Testimony of Hogan Lovells Privacy Lawyer

After a year of hearings, including meetings in Washington with the FTC and DOJ, a French parliamentary commission released its findings on the protection of individual rights in the digital revolution. The 384-page report from the French National Assembly covers a broad range of issues linked to data protection, including specific recommendations on EU privacy law reform. Hogan Lovells partner Winston Maxwell testified before the parliamentary commission, and the commission cited Winston's testimony in connection with its recommendations on the "right to be forgotten," privacy by design, and net neutrality.

The parliamentary commission found that the "right to be forgotten," while an attractive concept, covers a broad range of different situations, and that the key element of the "right to be forgotten," i.e. that individuals have a right to access and to require the deletion of personal data about them, is already covered by existing law. Citing Maxwell's testimony, the commission concluded that the creation of a new "right to be forgotten" does not appear necessary from a legal standpoint. On the issue of privacy by design, the commission recommended that Europe invest heavily in privacy-enhancing technology, and use privacy by design to create a competitive edge for European industry.

The commission issued several recommendations on cloud computing, including a startling suggestion that future legislation should prohibit cloud services located outside the EU from storing sensitive data, such as health data, genetic data, data about children, and financial data. Prohibiting cloud services based outside the EU from handling sensitive data could create a major barrier to the development of cloud computing for the financial services industry and health care industry. The commission also recommended that cloud service providers be required to conduct security audits, and that French and European authorities conduct impact assessments on the risks of cloud computing conducted outside the EU. 

The commission recommended that the Article 29 Working Party be given a budget and personnel of its own in order to ensure the group's independence. Echoing recommendations of the European Commission, the parliamentary commission urged reform of the rules on applicable law, citing diverging court decisions in France on the question of whether French data protection rules apply to Google.  

In an unexpected twist, the French parliamentary commission supported the use of a European Regulation in reforming European privacy rules, so as to ensure proper harmonisation of rules throughout Europe. This recommendation seems surprising coming from members of parliament, because national parliaments generally want to maintain freedom to interpret EU rules, and a Directive, as opposed to a Regulation, gives Member States this freedom. Finally, the parliamentarians urged the French government to initiate diplomatic action to encourage the adoption of a new international treaty on data protection, under the auspices of the United Nations. The parliamentary commission echoed remarks made by Hogan Lovells partner Christopher Wolf at the eG8 conference in Paris, finding it highly regrettable that the eG8 had been organized without inviting a single data protection authority to speak.

Europe's Article 29 Working Party issues smart meter guidelines

By Winston Maxwell (Paris) and Marco Berliri (Rome)

The European Union's Article 29 Working Party published on April 11, 2011 an opinion on smart metering, recommending Privacy by Design, data minimization, and consumer interface options that give customers increased control over their data and privacy settings.

The opinion indicates that most data collected by smart meters will be considered "personal data" under the Data Protection Directive because the data will be associated with a unique identifier such as a meter identification number, which in turn can be linked to a living individual. The opinion states that the "data controller" will in most cases be the energy supplier, but that the grid operator may also be controller, as may be the third party service provider (so-called Energy Service Companies, or ESCOs). As mentioned in the Art 29 WP's opinion 1/2010 on data controllers and processors, it is not infrequent for there to be more than one controller.

Data collected by smart meters may be processed on the basis of consent, but the opinion warns that consent must be given on a "fully-informed" basis. The Art 29 WP recommends that the household control panel for smart meters include a push-button consent option to help consumers exercise their consent choices and change them over time.

The opinion goes into considerable detail on some issues, commenting for example that a smart meter with a small, text-only user interface would provide consumers with insufficient access to their own data, in particular to load graphs.  The opinion also describes how the collection of data from the smart meter should be minimized, for example by keeping load graph data within the smart meter until the data are actually needed by the energy supplier.  Many of the recommendations resemble existing practices in the telecoms industry for the handling of traffic data and location data.  For example, smart meter data should be deleted as soon as they are no longer needed. Controllers should develop written policies on data retention, evaluate each purpose for which smart meter data are needed, and ensure that only the minimum data necessary for that purpose are retained, while other data are deleted. For example, some customers may request historic year-to-year consumption comparisons. For those customers, and those customers only, the controller may retain historic consumption data.
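As an added illustration (not code from the Art 29 WP opinion or from the authors), the purpose-bound retention the opinion describes can be expressed as a policy that a controller actually runs over its data store: granular interval readings survive only for the load-graph purpose and only for a short window, billing keeps monthly totals rather than interval data, and longer history is kept only for meters whose customers have asked for year-on-year comparison. The purpose names, the retention windows and the sample readings are assumptions constructed for this example, not figures from the opinion.

```python
"""Purpose-bound retention for smart meter data (illustrative example).

Retention windows and purpose names below are assumptions for the example,
not figures from the Art 29 WP opinion; a real policy would be written down
and justified purpose by purpose.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Reading:
    meter_id: str
    ts: datetime   # time of the interval reading
    kwh: float


# Granular (interval) data is needed only to show the consumer a load graph.
GRANULAR_RETENTION = {
    "load_graph": timedelta(days=30),
}

# Everything else is served by monthly totals, so interval data is never
# retained for these purposes; only how long the totals live differs.
AGGREGATE_RETENTION = {
    "billing": timedelta(days=365),
    "yoy_comparison": timedelta(days=730),  # opt-in by the customer
}


def month_end(year, month):
    """First instant after the given month; used to age monthly totals."""
    return datetime(year + 1 if month == 12 else year, (month % 12) + 1, 1)


def monthly_totals(readings):
    """Collapse interval readings into (meter, year, month) -> kWh."""
    totals = {}
    for r in readings:
        key = (r.meter_id, r.ts.year, r.ts.month)
        totals[key] = totals.get(key, 0.0) + r.kwh
    return totals


def apply_retention(readings, purposes, now):
    """Return (granular_kept, aggregates_kept).

    purposes: meter_id -> set of purposes the customer's contract or consent
    covers. Data not tied to a declared purpose, or older than that purpose's
    window, is dropped rather than kept "just in case".
    """
    granular = []
    for r in readings:
        for purpose in purposes.get(r.meter_id, ()):
            window = GRANULAR_RETENTION.get(purpose)
            if window is not None and now - r.ts <= window:
                granular.append(r)
                break

    aggregates = {}
    for (meter_id, year, month), kwh in monthly_totals(readings).items():
        windows = [AGGREGATE_RETENTION[p]
                   for p in purposes.get(meter_id, ())
                   if p in AGGREGATE_RETENTION]
        if windows and now - month_end(year, month) <= max(windows):
            aggregates[(meter_id, year, month)] = round(kwh, 3)
    return granular, aggregates


def sample_run():
    """Constructed sample: two meters with identical readings but different
    declared purposes, evaluated on an assumed 'now' of 1 June 2011."""
    now = datetime(2011, 6, 1)
    times = [datetime(2011, 5, 22), datetime(2011, 4, 2), datetime(2010, 1, 17)]
    readings = [Reading(m, t, k)
                for m in ("M1", "M2")
                for t, k in zip(times, (1.5, 2.0, 3.0))]
    purposes = {
        "M1": {"billing", "load_graph"},
        "M2": {"billing", "load_graph", "yoy_comparison"},
    }
    return apply_retention(readings, purposes, now)


if __name__ == "__main__":
    granular, aggregates = sample_run()
    for r in granular:
        print("keep interval:", r.meter_id, r.ts.date(), r.kwh)
    for key, kwh in sorted(aggregates.items()):
        print("keep monthly total:", key, kwh)
```

Running the sample keeps only the 10-day-old interval readings for both meters, drops the January 2010 total for M1 (billing needs at most a year) but keeps it for M2, whose customer opted in to year-on-year comparison. The point of structuring it this way is that the deletion decision is driven by the written purpose list, so adding a purpose means adding a documented window rather than quietly keeping more data.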

The opinion strongly recommends the implementation of Privacy by Design, including privacy impact assessments, security and privacy audits.

See the authors' previous blog entry on smart meters and privacy by design.

Court Finds NebuAd Users Gave Valid Consent to Monitoring

In 2008, when several network operators began experiments with behavioral advertising firms NebuAd and Phorm, privacy advocates cried foul, arguing that network operators should never be allowed to monitor traffic for advertising purposes because the threats to privacy are too great.  In testimony before the U.S. Congress, some network operators retorted that what certain network operators and NebuAd proposed to do is similar to what large Internet advertising networks already do when they plant cookies on users' terminals to track behavior.  Why should network operators be held to a different standard than advertising networks at the edge of the network? 

Everyone agrees that monitoring online behavior can constitute a serious violation of privacy, and that user consent is critical. But what kind of consent: opt-in or opt-out?  In Europe the recently amended e-Privacy directive appears to require an opt-in regime for cookies, but many wonder how an opt-in regime can work in practice.  The 2008 NebuAd and Phorm turmoil did not focus on consent but on whether behavioral advertising can ever be done by network operators, regardless of the users' consent.  For some, it is unthinkable that network operators could get into the behavioral advertising business, regardless of the safeguards put in place.

One of the telecom operators who experimented with NebuAd in 2008 was sued in federal court for illegally monitoring user traffic.  Users brought a class action for illegal interceptions and invasion of privacy.  On December 13, 2010 a U.S. District Court in Montana held that users of the network had consented to the operator's use of NebuAd monitoring technology.  The court found that the operator "gave Plaintiffs specific notice of when the NebuAd Appliance trial would commence and provided a link for its customers to opt out of the NebuAd Appliance if they so chose."  It is not clear in the decision whether users got individual e-mails, or whether the specific notice was only posted on the operator's website.

The court held that user consent adequately covered the monitoring activities, but that the consent may not have been sufficiently broad to cover alleged modifications made to users' computer settings by the cookies sent by the NebuAd appliance.  The court therefore allowed these issues to go to trial, while dismissing most of the other claims against the network operator.

The NebuAd case focuses the debate on whether valid consent was given or not.  In France there are debates about whether ISPs may in some circumstances block certain kinds of content.  Staunch net neutrality advocates argue that operators should under no circumstances be allowed to monitor, slow or block certain content, unless they are ordered to do so by a court.  But in fact there are other circumstances where operators can legitimately monitor traffic: reasonable network management of course, but also cases where the user has unambiguously consented.  If adequate consent is given, operators could install tools to limit access to certain content, or even offer discounted Internet subscriptions to users who agree to be monitored for targeted advertising purposes. In Europe, this kind of regime already exists for location-based services provided by mobile operators: operators are allowed to use precise location information generated by their network to provide value-added services to subscribers, as long as the subscribers consent in advance and have an easy way to opt out.

In the context of the current focus on improvements to privacy protection, adequate safeguards need to be put in place to ensure that the tools installed by operators are not misused, and do not collect or store any more data than is necessary.  Data minimisation and anonymisation are key, and can be achieved through privacy by design. 

The NebuAd case confirms that there need not be any distinction between a network operator and a service provider at the edge of the network providing targeted advertising. In both cases, there exist potential privacy risks for the user. The key issue is what kind of consent is sufficient for these potentially invasive monitoring tools to be used, and what kind of privacy protections should be integrated into the technology through privacy by design.

Privacy by Design for Italian Smart Grid

On September 21, 2010 Hogan Lovells privacy partners Marco Berliri and Winston Maxwell briefed the Italian smart metering consortium E-Cube on the practical aspects of privacy by design. The seminar commenced with a presentation of the E-Cube project by Telecom Italia Director of Public Policy, Lorenzo Pupillo. The E-Cube project involves leading Italian industrial companies and universities, and is funded by the Italian government. A full presentation of the E-Cube project can be found in Dr Pupillo’s paper here.

Seven pillars of privacy by design.

After Dr Pupillo’s introduction, Marco Berliri and Winston Maxwell presented the seven principles of privacy by design, contrasting its preventive, “positive sum game” approach with the confrontational, “zero sum game” approach that is currently the norm when dealing with data protection authorities in some European countries. Marco Berliri gave an overview of the current legislative framework for privacy in Europe, while Winston focused on the June 2010 report of the smart grid task force at the European Commission. The report, submitted by the so-called Expert Group 2 (EG2), fully endorses the privacy by design approach, recommending that European standards organizations working on smart grid standards take privacy requirements into account. The EG2 report urges smart grid stakeholders to be inspired by the security and privacy practices of other industries, particularly telecommunications and banking. The EG2 report also highlights a methodology developed by a consortium of electricity providers in the Netherlands to conduct privacy impact assessments of smart grid systems.

NIST report compared.

Marco and Winston then compared the European approach as outlined by the EG2 report with the August 2010 recommendations of NIST in the U.S. NIST’s report on smart grid privacy contains a useful discussion of different concepts of personal data, ranging from the U.S. concept of “personally identifiable information” (PII) to data about behavior inside the home that can be derived using Non-intrusive Appliance Load Monitoring (NALM), which provides a very detailed fingerprint of a given household’s behavior. NIST suggests that the traditional notion of PII in the U.S. may not be adequate to address the risks posed by granular usage data. Marco compared PII with the European concept of personal data. In response to a question from an E-Cube consortium member, Winston and Marco described the process of developing privacy use cases, using the two examples presented in the NIST report, as well as a use case involving the Canadian electricity company Hydro One. Each use case requires breaking a service into small individual parts. For each part of the service one must ask whether key privacy requirements are being addressed. For example, if a consumer brings home a smart thermostat from the store and plugs it in for the first time, that thermostat will first seek to communicate with the home area network, which will in turn communicate the details of the thermostat to a central server so that the thermostat can be authenticated and registered in the service. In a privacy use case, this seemingly simple process may be broken down into five or more individual parts, and for each part one must ask: Is the communication link encrypted? Is the device transmitting the minimum amount of data necessary? Are organizational measures in place to ensure that the data are accessible only by the right people in the organization? Does the process contemplate a date when the data would be deleted?
It is by building these individual use cases that Privacy by Design can be built up, piece by piece. As aptly put by the EG2 report: “Security is a path, not a destination!”

Sharing consumption information.

Finally, Marco and Winston compared Italian legislation, which obliges electric utilities to share consumer usage data, with the similar requirement adopted in December 2009 by the California Public Utilities Commission. Winston mentioned that the U.S. FCC is placing particular emphasis on innovation at the edges of the smart grid ecosystem, but that this policy creates a dilemma for regulators who may not have jurisdiction over the service providers to whom the data are supplied. Winston pointed out that the California PUC is expected to issue more detailed privacy requirements before the end of 2010, and that these requirements are expected to address the issue of transfers of data to third-party service providers.

Cloud computing.

Marco reminded participants of the rules regarding transfer of personal data outside the European Union, pointing out that some data may in fact be transferred outside the European Union if an electricity service provider outsources some of its data processing, or makes use of cloud computing.

A copy of Marco and Winston’s presentation can be found here.

Rep. Rush Introduces Privacy Bill to Regulate Collection and Use of Personal Information

On July 19, Rep. Bobby Rush (D-Ill.), chairman of the House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection, introduced a privacy bill, H.R. 5777, that would codify certain fair information principles into law for "covered entities" that collect, maintain, use, and transfer to third parties any "covered information" (consisting of personally identifiable information as well as any "unique identifier," including IP addresses).  Covered entities would be those that (a) store covered information from or about at least 15,000 individuals; (b) collect covered information from or about at least 10,000 individuals during any 12-month period; (c) collect or store "sensitive information" (defined as an individual's medical history, race or ethnicity, religious beliefs, sexual orientation or behavior, financial information, precise geolocation information, biometric data, or Social Security number); or (d) use covered information to study, monitor, or analyze the behavior of individuals as the entity's primary business.  The bill, titled the “BEST PRACTICES Act,” would require each covered entity, with some exceptions, to do the following:

  • Make specific privacy disclosures to individuals whose personal information it collects or maintains "in concise, meaningful, timely, prominent, and easy-to-understand notice or notices" in a manner to be specified by the Federal Trade Commission (FTC);
  • Provide individuals with a "reasonable means" to opt out of the information collection and use for non-operational purposes (though covered entities would be permitted to require consent to the collection and use as a condition of service to individuals with which it has a direct relationship);
  • Obtain opt-in consent before (a) disclosing covered information to third parties (except for joint marketing purposes); (b) collecting, using, or disclosing sensitive information; or (c) monitoring all or substantially all of an individual's Internet or computer activity;
  • Obtain opt-in consent to any "material" changes to privacy practices governing previously collected information or sensitive information;
  • Establish "reasonable procedures" to assure the accuracy of the covered information or sensitive information collected, assembled, or maintained, with the FTC issuing rules on what is "reasonable";
  • Upon request and subject to identity verification, provide individuals with "reasonable access" to, and the ability to dispute the accuracy or completeness of, covered or sensitive information about that individual if such information may be used for purposes that could result in an "adverse decision" against the individual, in a manner to be specified by the FTC;
  • Establish, implement, and maintain "reasonable and appropriate" administrative, technical, and physical safeguards for covered information stored and used by the entity;
  • Provide a process for individuals to file complaints concerning policies and procedures required by the bill;
  • Conduct a privacy risk assessment prior to the implementation of any plans by which the entity intends to collect, or believes there is a reasonable likelihood it will collect, covered or sensitive information from or about more than 1,000,000 individuals;
  • Retain covered or sensitive information only as long as necessary to fulfill a legitimate business purpose or comply with a legal requirement; and
  • Conduct periodic assessments to evaluate whether it is necessary to continue to retain information already collected, and whether ongoing information collection practices remain necessary for a legitimate business purpose.

The bill would provide exceptions from certain provisions for:

  • Covered entities that participate in FTC-sanctioned industry self-regulatory programs that provide alternate mechanisms for obtaining consumer consent to information collection and use.  These programs, at minimum, would be required to (a) provide a clear and conspicuous opt-out mechanism (which may be a preference management tool that will enable individuals to make more detailed choices about the transfer of covered information to a third party); (b) provide a clear and conspicuous mechanism to set communication, online behavioral advertising, and other preferences that, when selected by the individual, applies the individual's selected preferences to all covered entities participating in the program; and (c) establish procedures for the review of applications, periodic assessment of members, and enforcement of violations for covered entities participating in the program;
  • The collection, use, or disclosure of aggregated or anonymized information (allowing the FTC to set rules regarding the levels of aggregation or anonymization necessary to qualify for the exception); and
  • Activities covered by other federal privacy laws.

If enacted, the bill could be enforced by the FTC or state attorneys general, with civil penalties authorized up to $5,000,000 for each type of violation.  The bill also would create a private right of action for individuals whose covered or sensitive information is "willfully" collected or used without the required consent, allowing recovery of actual damages not more than $1,000, punitive damages, and costs and attorney's fees.  There would be a two-year statute of limitations.

This bill contains a number of provisions similar to a discussion draft of privacy legislation published by Reps. Rick Boucher (D-Va.) and Cliff Stearns (R-Fla.) in May.  Like the Boucher-Stearns proposal (which has not been formally introduced), the Rush bill would usher in a series of stricter, European-style privacy protections for the collection and use of information, which is now regulated on an ad hoc basis by the FTC under its authority over unfair and deceptive trade practices in Section 5 of the FTC Act.

Rush will conduct a hearing on July 22 at 2:00 PM to discuss the bill and the Boucher-Stearns proposal.

FCC Seeks Comment on Numerous Broadband Privacy Issues

The Federal Communications Commission released a Public Notice this week seeking further comment on numerous privacy issues as part of its National Broadband Plan proceeding.  Based on questions raised in a recent Center for Democracy & Technology filing, some of the broad issues that the Notice seeks comment on include:

  • Consumer expectations of privacy, and how to meet those expectations as new technologies are deployed;
  • Building Privacy by Design;
  • Concerns surrounding the collection, use, and storage of transactional data; and
  • The regulation of third-party applications.

The FCC, which is working to complete the Plan and submit it to Congress by March 17, has thus far not focused extensively on how to protect consumer privacy and personal information in the broadband ecosystem.  This Notice, however, indicates that the FCC may be planning to highlight a number of privacy-related consumer protection issues in the Plan.  Moreover, depending in part on the comments received in response to the Notice, it could also open the door to future privacy and data protection proceedings at the FCC.

Comments are due on January 22, 2010, just over a week after the Commission issued the Notice.

European DP authorities issue "Future of Privacy" roadmap

The Article 29 working party of European data protection authorities (the “WP29”) published in early January a roadmap charting the future of privacy legislation in the EU.  Entitled “The Future of Privacy – Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data,” the WP29 roadmap contains insight into areas of likely reform of European privacy law in the coming years.  After an introduction describing the history and constitutional underpinnings of privacy legislation in the EU, the Future of Privacy roadmap outlines nine areas of needed reform:

1. Extend EU privacy legislation to law enforcement, former “third pillar” areas, which were heretofore excluded from the EU Data Protection Directive.

2. Consider modifying the criteria for determining when EU privacy law applies to controllers located outside the EU, particularly where non-EU established controllers target their activities at EU residents, through advertising and local language sites.  WP29 says it is currently preparing a detailed opinion on the applicability of EU law.

3. Support global standards, in furtherance of the so-called Madrid Resolution adopted on November 6, 2009, and increase international cooperation between data protection authorities.

4. Include “Privacy by Design” as an obligation applicable to all actors in the ICT (information and communications technology) sector.  Privacy by design should focus on principles such as data minimization, controllability, transparency, user friendly systems, data confidentiality, data quality and use limitations.

5. Empower citizens by increasing their ability to enforce privacy rules, including via class actions and alternative dispute resolution (ADR) mechanisms. Increase transparency obligations for the benefit of users and clarify the concept of user “consent.”

6. Increase accountability obligations for data controllers by imposing across-the-board data breach notification obligations (currently data breach obligations apply only in the electronic communications sector), and by encouraging self-audits, privacy impact assessments, and external certification procedures.  

7. In exchange for increased self-enforcement and accountability measures, WP29 suggests lifting many administrative filing obligations with data protection authorities, reserving filing only for cases where there is a serious risk to privacy.  Even in those cases, filing could be streamlined where organizations have conducted privacy audits or privacy impact assessments.

8. Impose minimum requirements to ensure that national data protection authorities are sufficiently independent and effective, including that they have sufficient funding.

9. Require the implementation of privacy impact assessments and related accountability measures for law enforcement organizations.

Adopted on December 1, 2009, but made available on the WP29 website only recently, the WP29 Future of Privacy roadmap is a contribution to the European Commission’s consultation on reform of EU privacy legislation, a consultation which closed on December 31, 2009. Other contributions can be viewed here.