18 January 2011

Privacy working group, third meeting minutes

The third meeting of the e-Forum privacy working group (PWG) took place on 8 December 2010 at the Silken Berlaymont Hotel, Brussels, Belgium. The main points of discussion were what data can be considered to be covered by privacy legislation, the access rights of data subjects, and privacy and social networks. The meeting was also given examples of projects and initiatives that touch on privacy and data protection, and there was discussion around some of the practical issues faced by these projects. As with previous PWG meetings, discussions were engaging and lively.


At the beginning of the meeting, Baudouin de Sonis (e-Forum) highlighted that the European Commission had opened a public consultation on revising the European Union Data Protection Directive (DPD). This consultation is open until 15 January 2011 at http://ec.europa.eu/justice/news/consulting_public/news_consulting_0006_en.htm. Mr de Sonis outlined the main objectives of the review and said they should be borne in mind during the PWG meeting:

(1) Strengthening individuals’ rights so that the collection and use of personal data is limited to the minimum necessary. Individuals should also be clearly informed in a transparent way on how, why, by whom, and for how long their data is collected and used. People should be able to give their informed consent to the processing of their personal data, for example when surfing online, and should have the "right to be forgotten" when their data is no longer needed or they want their data to be deleted.

(2) Enhancing the Single Market dimension by reducing the administrative burden on companies and ensuring a true level-playing field. Current differences in implementing EU data protection rules and a lack of clarity about which country’s rules apply harm the free flow of personal data within the EU and raise costs.

(3) Revising data protection rules in the area of police and criminal justice so that individuals’ personal data is also protected in these areas. Under the Lisbon Treaty, the EU now has the possibility to lay down comprehensive and coherent rules on data protection for all sectors, including police and criminal justice. Naturally, the specificities and needs of these sectors will be taken into account. Under the review, data retained for law enforcement purposes should also be covered by the new legislative framework. The Commission is also reviewing the 2006 Data Retention Directive, under which companies are required to store communication traffic data for a period of between six months and two years.

(4) Ensuring high levels of protection for data transferred outside the EU by improving and streamlining procedures for international data transfers. The EU should strive for the same levels of protection in cooperation with third countries and promote high standards for data protection at a global level.

(5) More effective enforcement of the rules, by strengthening and further harmonising the role and powers of Data Protection Authorities. Improved cooperation and coordination is also strongly needed to ensure a more consistent application of data protection rules across the Single Market.

What can be considered private?

After the introductions, Hans Graux of telecoms and ICT law specialists time.lex, outlined the building blocks of EU data protection law, and pointed out gaps. The DPD relates to data subjects who are "identifiable", through personal information such as their name, address, appearance and so on. This notion of identifiability can extend to, for example, aerial photographs of houses which could be linked to an individual, or photographs of cars which could be linked to an individual through their number plate.

However, other data may not fall within the scope of the DPD due to its less clear link to an identifiable data subject. Examples include the habits and patterns of individuals built up through examining their shopping habits or online behaviour. A particularly problematic area is IP addresses. These are allocated to internet service subscribers but cannot necessarily be linked to individuals: the person who subscribes to an internet connection and the person who uses it may not be the same, and technically, IP addresses are assigned to an item of equipment rather than a person. An EU working group opinion from 2000 held that IP addresses could be considered personal data, but with some caveats and a general instruction to err on the side of caution. However, different EU countries have adopted different approaches, and the treatment of IP addresses remains "a very ambiguous area," Mr Graux said, with the lack of clarity after 15 years of discussions being "embarrassing".

Practical issues arising from the consideration, or not, of IP addresses as personal data could include their use in legal investigations, the logging of IP addresses to identify abusers of online services, the creation of IP address blacklists, and even the localisation of services (for example, providing information in a certain language on the basis of the assessment of the language of the IP address subscriber).

Mr Graux said that the concept of personal data needed to be rethought, with a clearer distinction between data that allows identification of an individual and data that does not. One complication is that in digital environments, profiling using non-identifiable data can ultimately lead to identification. It should also be noted that internet service providers are obliged to keep IP data under EU data retention laws. The lack of clarity is symptomatic of the lack of a coherent vision for electronic communications, and of the trade-off between privacy and law enforcement, with authorities wanting quick routes to the identification of individuals.

Following the presentation, there was some discussion about this trade-off. In the UK, security services have been worried that over-strict controls on internet activity, with individuals identified through IP addresses, would lead to the mass-market emergence of virtual private networks. According to Mr Graux, "if you crack down too harshly, the internet detects censorship and routes around it," and "improvements in privacy are more likely to come from technical improvements than from policy."

Data access rights

Caspar Bowden of Microsoft discussed the right of data subjects to access their own data, which he described as the "crown jewel" of the EU data protection regime. However, surveys have shown that only around 3 percent of people have used the right of data access, though around a third of people are aware of it.

Structural problems include limited progress by data protection bodies in informing people of their rights; little regulatory guidance on authenticating data subjects; limited rights to receive data in electronic form; variations in how frequently data subjects are allowed to ask for access; confusion over costs and charging for access; time limits on how rapidly data holders should respond; uncertainty (as highlighted by the previous presentation) of what constitutes personal data and what, therefore, data subjects can have access to; and conceptual barriers, such as the idea that data protection should be technology neutral, whereas, said Mr Bowden, certain technological identifiers, such as cookies, are "absolutely critical".

To overcome barriers, transparency by design is needed: design of systems so that it is easy to fulfil data subject access requests. Because of the growing importance of data, companies have an incentive to control it more rigidly, and to create barriers to its transfer (for example if a customer wants to switch from one provider to another). However, easier data portability could lead to privacy competition, in which companies have incentives to be more transparent in order to attract customers, and to reduce transfer costs.

A major grey area, however, is profiling/behavioural data, much of which falls outside the scope of the DPD, and so cannot be accessed by data subjects or transferred. If this situation could be changed so that individuals could transfer their digital behavioural histories, valuable markets could be created. For example, more transparency of behavioural histories could open up opportunities for third-party data analysis.

The question of data access brings up the vital issue of authentication. In this respect, Mr Bowden said that privacy (in relation to behavioural histories, for example) should ideally be protected by authentication without identification, i.e. anonymous credentials. Technologies do exist for this but they are complex and hard for users to grasp. Little is being done in policy terms to facilitate anonymous credentials. The question was also raised whether data access rights can be exercised without law enforcement authorities monitoring those who frequently access their data; this in itself could result in the creation of further behavioural profiles.

Authentication and petitions

Konrad Dwojak (Politech) gave the first of several examples during the day of projects with a practical privacy dimension. The eMPOWER project concerns an online petitioning system, such as might be used under the Lisbon Treaty "citizens’ initiative" right. To be credible, organisers of petitions need to show that the signatures they collect are genuine, and that there are not multiple signatures from the same person. For online petitions, some form of authentication is in principle needed. The work of eMPOWER had shown that people want simple processes if they are to sign a petition, and are less willing, for example, to sign a petition if they have to go through an authentication/registration process. However, a trial in which signatories were asked to provide their national ID numbers as ’proof’ of identity (but which did not explain why national ID numbers were requested), showed that people would provide these relatively unquestioningly, if it was part of a simple authentication process. An important consideration for signatories was who the petition organiser was. NGOs, for example, were considered "good guys", and their requests for personal information were unlikely to be questioned, Mr Dwojak said.

Historical perspective

Aine Ni Fhloinn traced the historical development of identity credentials such as passports. She said that the relative success or failure of an ID scheme could be linked to four factors: the ’fear factor’, or who was in control of the scheme; the cost; user acceptance; and the impact of business innovation. Successful schemes tended to be bottom-up and combined with business innovation, rather than imposed systems, she said. A current successful example would be Facebook. The model put forward provoked some comments, for example that user acceptance could be imposed from above and ’forced’ on unwilling data subjects.

Privacy requirements

The nature of Facebook was also raised by Seda Gürses, who discussed privacy requirements: the criteria that systems should meet to ensure the privacy of users. Facebook has evolved in a number of ways since it was created in 2004. It now has 500 million users and, as well as collecting data, links to a number of third parties who also provide user data or use the data available through Facebook (examples include security agencies tracking people via Facebook). However, "multilateral privacy requirements engineering" in respect of systems/services such as Facebook presents a number of problems: no universal definition of privacy; the subjective nature of privacy; differing legal notions; variable compliance; and the difference between privacy (which can be a vague concept) and data protection (a series of safeguards). Privacy research has resulted in different paradigms: privacy as confidentiality (the right to be left alone), privacy as control over one’s personal information, and privacy as practice.

Data protection legislation generally defines privacy as control over one’s personal information, Ms Gürses said. However, as discussed by other speakers, there is an extensive grey area relating to relational information, or information about the attributes of an individual that could be inferred from third-party information. Data protection should give transparency to practices -- how data is collected, processed and used -- but interpretations of the data protection regime generally favour service providers, and do not address collaborative or relational information, or statistical inference. Data protection regimes could be improved by widening their scope, by avoiding overlaps between different data protection and privacy concepts, and by improving accountability and transparency, Ms Gürses said.

FASTeTEN

The last two speakers came from FASTeTEN, an EU-funded secure infrastructure project. FASTeTEN allows the exchange of secure electronic messages, and the service is being tested in different contexts.

Gary Simpson of the Easyconnects partnership outlined how the system is being used in South Yorkshire, England, to connect Neighbourhood Watch coordinators with the police. Neighbourhood Watch volunteers can log incidents of concern, such as vandalism or petty crime. This creates a database of information that can be mapped by the police to identify the areas where they can focus resources: it is an intelligence system through which communities can share information. It is used with care, with safeguards to prevent the filing of personal information.

Another FASTeTEN pilot project in South Yorkshire is the creation of a network of "good neighbours" to whom secure messages can be sent in particular situations, for example a notification in case a vulnerable person needs to be checked on. These notifications can contain potentially sensitive information, and secure authentication is thus needed. The question was raised whether this use of secure messaging was an instance of overkill, and whether the scheme could be operated through less formal means, such as a system of telephone calls. Gary Simpson said that the benefits were operational: quick messaging sent simultaneously to a number of people, with the messages coming from a trusted source.

From the Comune di Prato, Italy, Paolo Boscolo explained how a pilot project enabling citizens to fill in forms and submit them with authentication was being put in place through FASTeTEN. Italian citizens have a fiscal code number which is used as a unique identifier in public services, and in fact is mandatory for all applications to public authorities, because if identity is not known, the service cannot be provided. Mr Boscolo agreed with the conclusions of Konrad Dwojak earlier in the day, that people are more interested in simplicity in online applications than in privacy. Citizens also misunderstand the legal obligations of public authorities, he added, for example asking for the deletion of personal data that by law must be retained by public bodies.

Data protection in respect of people’s dealings with public authorities could be improved if unique identifiers, such as the fiscal code in the Italian case, could be hidden or disguised, Mr Boscolo said. He added there were limited, if any, applications on the market that could do this. Furthermore, he said that many privacy questions related to the involvement of third party networks in government processes (such as payment systems) needed to be resolved.

Next meeting

The next meeting is provisionally planned for March 17th, 2011 at Brunel University, west London, UK.

Attendees: Maurizio Baroffio (European Commission - Joint Research Centre), Paolo Boscolo (Comune di Prato), Dora Conti (Comune di Prato), Caspar Bowden (Microsoft), Konrad Dwojak (Politech), Aine Ni Fhloinn (Inhouse Training), Margaret Ford (Consult Hyperion), Stephen Gardner (Eurocorrespondent), Hans Graux (time.lex), Seda Gürses (KU Leuven), Nathalie De Jaeger (CORVE), Pekka Ruotsalainen (University of Tampere), Gary Simpson (EASY Connects), Baudouin de Sonis (e-Forum), Serge Vermeir (Vlaamse Toezichtcommissie), Caroline Vernaillen (Vlaamse Toezichtcommissie), Fernando Alfonso Villanueva (Generalitat Valenciana, Spain), Michel Stassin (STERIA - Brussels), Hugo Kerschot (IS-practice Belgium), Cristina Dos Santos (CRID-University of Namur, Belgium), Zoltan Precsenyi (Symantec Corporation, Belgium), Marisa Jimenez (European Privacy Policy Centre, Belgium), Cédric Laurant (Attorney at Law, Belgium), Robert Romain (FUNDP, Belgium).