
AmI – The European Perspective on Data Protection
Legislation and Privacy Policies
SWAMI-Workshop
21st and 22nd of March 2006 in Brussels
Dr. Martin Meints,
Henry Krasemann, both ICPP
Agenda
• Legal Grounds
– European Charter
– Data Protection Directive (95/46/EC)
– Directive on Privacy and Electronic Communications (2002/58/EC)
– Data Retention Directive
• Suggestions for the Application of Privacy Policies
– Suggestions of the Article 29 Working Party
– Technical approaches within the PRIME Project
• Conclusions
Legal Grounds
• European Charter:
– Applies, but is not very specific concerning data protection
• Data Protection Directive (95/46/EC)
– Applies except for (see Recital 13):
• Public security
• State defence
• State security
• Criminal law
– States fundamental principles that are highly relevant for AmI,
such as
• Data minimisation principle (Art. 6)
• Purpose binding principle (Art. 6)
• Transparency of processes (Art. 6)
• Consent of the data subject for data processing (Art. 7)
• Information of the data subject (Art. 10 and 11)
• The data subject's right to object (Art. 14)
Legal Grounds (cont.)
• Directive on Privacy and Electronic Communications
(2002/58/EC)
– Exceptions for applications are the same as for the Data
Protection Directive (95/46/EC)
– States in addition concerning location and traffic data:
• Information on traffic data (Art. 6)
• Information of the data subject with respect to location data
(Art. 9)
• Consent prior to processing and transfer of location data
needed (Art. 9)
• Consent can be withdrawn at any time (Art. 9)
• Where consent of user has been obtained (Art. 9):
– Possibility of temporarily refusing the processing
– For each connection to the network or
– For each transmission of a communication
– Using a simple means / free of charge
Legal Grounds (cont.)
• Data Retention Directive (2006/../EC; not finally defined)
– Data has to be saved by the telecommunication provider for at
least 6 months:
• Concerning telephone or mobile phone
– Originating and destination phone number, name and address
of the user of the phone or mobile phone (including IMSI,
IMEI, Cell-ID)
– Date and time
– Services used
• Concerning the internet and VoIP:
– Originating and destination user ID, phone number, name,
address and IP address of the user
– Date, time, time zone, for login and logout
– Services used
– See http://register.consilium.eu.int/pdf/de/05/st03/st03677re10.de05.pdf
– Economic aspects in the context of AmI unclear
Suggestions
Article 29 Data Protection Working Party
• Aims:
– Easier compliance
– Improved awareness on data protection rights and
responsibilities
– Enhanced quality of information on data protection
• Support for the concept of a multi-layered format for data
subject notices
– Improve the quality of information on data protection received
– Focusing each layer on the information that the individual needs
to understand their position and make decisions
– Where communication space/time is limited, multi-layered
formats can improve the readability of notices
Information to be given
• Essential information that should be provided in all
circumstances where the data subject does not already have it:
the identity of the data controller and of his representative, if
any, as well as the purpose of the data processing
• Further information which should be provided if it is
necessary to guarantee fair processing having regard to the
specific circumstances in which the data are collected
• Information which is nationally required and goes beyond the
Directive’s requirements
– Name or address of the data protection commissioner
– Details of the database
– Reference to local laws
Layer 1
Short Notice
• Core information required under Article 10 of the Directive
– Identity of the controller
– Purposes of processing
– Any additional information which in view of the particular
circumstances of the case must be provided beforehand to
ensure a fair processing
– A clear indication must be given as to how the individual can
access additional information
Layer 1
Example
Layer 2
Condensed Notice
• All relevant information required under the Directive
– The name of the company
– The purpose of the data processing
– The recipients or categories of recipients of the data
– Whether replies to the questions are obligatory or voluntary, as
well as the possible consequences of failure to reply
– The possibility of transfer to third parties
– The right to access, to rectify and oppose
– Choices available to the individual
– Contact for questions and information on redress mechanisms
• Available on-line as well as in hard copy via written or phone
request
• Present this notice in a table format that allows
for ease of comparison
Layer 2
Example 1
Layer 2
Example 2
Layer 3
Full Notice
• Include all national legal requirements and specificities
• It may be possible to include a full privacy statement with
possible additional links to national contact information.
Research in the PRIME Project
• Traditional approach (state of the art): stating privacy
policies (P3P)
• Automated protocols for policy negotiation
– See http://www.primeproject.eu.org/public/prime_products/PRIME-White-Paper-V1.pdf
• Use of policies sticking to personal data (sticky policies)
– Policies have to be acknowledged to decrypt personal data
– Policies have to be acknowledged to use personal data
– Current concepts include trusted third parties
– See http://www.primeproject.eu.org/public/prime_products/deliverables/arch/pub_del_D14.2.a_ec_wp14.2_V5_final.pdf
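The sticky-policy idea above, "policies have to be acknowledged to decrypt personal data", as an added illustration that is not PRIME project code: the policy is bound to the encrypted datum as AES-GCM associated data, so the data is released only when the recipient acknowledges exactly the policy it was sealed under. The Policy fields, the StickyData layout and the sample values are assumptions; the trusted third party that holds the key in the PRIME concepts is left out, the key is simply shared here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Policy is a hypothetical sticky policy; StickyData is the data bound to it.
type Policy struct{ Purpose, Retention, Recipient string }
type StickyData struct {
	Policy            Policy
	Nonce, Ciphertext []byte
}
func mustGCM(key []byte) cipher.AEAD { // key must be 16, 24 or 32 bytes
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a valid AES block cipher
	return gcm
}
// Seal binds the serialised policy as AES-GCM associated data: it cannot be altered or dropped.
func Seal(key []byte, p Policy, personal string) (*StickyData, error) {
	gcm := mustGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad, _ := json.Marshal(p) // a struct of plain strings always marshals
	return &StickyData{p, nonce, gcm.Seal(nil, nonce, []byte(personal), aad)}, nil
}
// Open releases the data only if exactly the sealed policy is acknowledged (tag check fails otherwise).
func Open(key []byte, d *StickyData, acknowledged Policy) (string, error) {
	aad, _ := json.Marshal(acknowledged)
	pt, err := mustGCM(key).Open(nil, d.Nonce, d.Ciphertext, aad)
	if err != nil {
		return "", fmt.Errorf("policy not acknowledged as sealed, data stays encrypted: %w", err)
	}
	return string(pt), nil
}
func main() {
	key := make([]byte, 32) // constructed all-zero demo key; use a managed key in practice
	p := Policy{"billing", "6 months", "none"}
	d, _ := Seal(key, p, "Cell-ID 4711") // constructed sample location datum
	fmt.Println(Open(key, d, p))                                       // released
	fmt.Println(Open(key, d, Policy{"marketing", "6 months", "none"})) // refused
}
```

Anyone holding the key but presenting a weakened policy (a changed purpose, a longer retention, an added recipient) gets an authentication failure rather than the data.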
Additional Aspects
• Privacy once lost cannot be restored easily (or not at all!)
– Feedback system is very indirect
• Balancing privacy and security (crime prevention etc.) is
necessary
– What “privacy price” are we willing to pay for what level of
perceived or effective security?
• Operative aspects
– How to achieve a convenient and effective consent for data
processing in AmI environments? “Implicit consent?”
Conclusions
• Limitations
– Challenges: multilateral security and improved attacker models
– Interactive versus non-interactive (passive) authentication
(policies?)
– What about international AmI providers and legislation?
– The possibility of enforcing privacy protection technically is limited
today and in the future
• Trends
– AmI = RFID + biometrics + data mining etc.
• Technical maturity, security and data protection?
– Increased complexity
– Future developments in PETs?
– Data protection from the economic perspective:
USP vs. compliance vs. violation
Thank you for your attention!
Dr. Martin Meints, ICPP
Directive 95/46/EC of 24 October 1995
• Definition of “the data subject’s consent”:
shall mean any freely given specific and informed indication
of his wishes by which the data subject signifies his
agreement to personal data relating to him being processed
(Art. 2 h).
Article 6
“Member States shall provide that personal data must be:
(a) processed fairly and lawfully;”
Recital No. 38 of the Directive, “…if the processing of data is to
be fair, the data subject must be in a position to learn of the
existence of a processing operation and, where data are
collected from him, must be given accurate and full
information, bearing in mind the circumstances of the
collection...”.
Art. 10
Information in cases of collection of data from the data subject
• Member States shall provide that the controller or his
representative must provide a data subject from whom data
relating to himself are collected with at least the following
information, except where he already has it:
– (a) the identity of the controller and of his representative, if any;
– (b) the purposes of the processing for which the data are
intended;
– (c) any further information such as
• the recipients or categories of recipients of the data,
• whether replies to the questions are obligatory or voluntary,
as well as the possible consequences of failure to reply,
• the existence of the right of access to and the right to rectify
the data concerning him
• in so far as such further information is necessary, having
regard to the specific circumstances in which the data are
collected, to guarantee fair processing in respect of the data
subject.
Article 11
Information where the data have not been obtained from the
data subject
1. Where the data have not been obtained from the data subject, Member States
shall provide that the controller or his representative must at the time of
undertaking the recording of personal data or if a disclosure to a third party
is envisaged, no later than the time when the data are first disclosed provide
the data subject with at least the following information, except where he
already has it:
(a) the identity of the controller and of his representative, if any;
(b) the purposes of the processing;
(c) any further information such as
• the categories of data concerned,
• the recipients or categories of recipients,
• the existence of the right of access to and the right to rectify the data
concerning him
in so far as such further information is necessary, having regard to the
specific circumstances in which the data are processed, to guarantee fair
processing in respect of the data subject.
2. Paragraph 1 shall not apply where, in particular for processing for statistical
purposes or for the purposes of historical or scientific research, the
provision of such information proves impossible or would involve a
disproportionate effort or if recording or disclosure is expressly laid down by
law. In these cases Member States shall provide appropriate safeguards.
Article 14
The data subject’s right to object
Member States shall grant the data subject the right:
(a) at least in the cases referred to in Article 7 (e) and (f), to object at
any time on compelling legitimate grounds relating to his particular
situation to the processing of data relating to him, save where
otherwise provided by national legislation. Where there is a justified
objection, the processing instigated by the controller may no longer
involve those data;
(b) to object, on request and free of charge, to the processing of
personal data relating to him which the controller anticipates being
processed for the purposes of direct marketing, or to be informed
before personal data are disclosed for the first time to third parties
or used on their behalf for the purposes of direct marketing, and to
be expressly offered the right to object free of charge to such
disclosures or uses.
Member States shall take the necessary measures to ensure that data
subjects are aware of the existence of the right referred to in the first
subparagraph of (b).
Directive 2002/58/EC – Directive on privacy and
electronic communications
• Article 6 par. 4 (traffic data):
The service provider must inform the subscriber or user of
the types of traffic data which are processed and of the
duration of such processing for the purposes mentioned in
paragraph 2 (purpose of billing) and, prior to obtaining
consent, for the purposes mentioned in paragraph 3 (purpose
of marketing).
Art. 9 Directive 2002/58/EC: LBS (location-based services)
• “Location data other than traffic data” relating to users
• Only processed when …
– … made anonymous, or
– … with the consent of the users (to the extent / for the duration
necessary for the provision of the service)
• Service provider must inform the users prior to obtaining
consent about …
– … type of location data
– … purposes
– … duration of the processing
– … whether the data will be transmitted to a third party
• Possibility to withdraw the consent at any time
Art. 9 Directive 2002/58/EC: LBS (location-based services)
• Where consent of user has been obtained:
– Possibility of temporarily refusing the processing
– For each connection to the network or
– For each transmission of a communication
Using a simple means / free of charge