AmI – The European Perspective on Data Protection Legislation and Privacy Policies SWAMI-Workshop 21st and 22nd of March 2006 in Brussels Dr. Martin Meints, Henry Krasemann, both ICPP


Page 1: AmI – The European Perspective on Data Protection Legislation and Privacy Policies

AmI – The European Perspective on Data Protection Legislation and Privacy Policies

SWAMI-Workshop 21st and 22nd of March 2006 in Brussels

Dr. Martin Meints, Henry Krasemann, both ICPP

Page 2

Agenda

• Legal Grounds
  – European Charter
  – Data Protection Directive (95/46/EC)
  – Directive on Privacy and Electronic Communications (2002/58/EC)
  – Data Retention Directive

• Suggestions for the Application of Privacy Policies
  – Suggestions of the Article 29 Working Party
  – Technical approaches within the PRIME Project

• Conclusions

Page 3

Legal Grounds

• European Charter
  – Applies, but is not very specific concerning data protection

• Data Protection Directive (95/46/EC)
  – Applies except for (see Recital 13):
    • Public security
    • State defence
    • State security
    • Criminal law
  – States fundamental principles that are highly relevant for AmI, such as:
    • Data minimisation principle (Art. 6)
    • Purpose binding principle (Art. 6)
    • Transparency of processes (Art. 6)
    • Consent of the data subject for data processing (Art. 7)
    • Information of the data subject (Art. 10 and 11)
    • The data subject's right to object (Art. 14)

Page 4

Legal Grounds (cont.)

• Directive on Privacy and Electronic Communications (2002/58/EC)
  – Exceptions for applications are the same as for the Data Protection Directive (95/46/EC)
  – States in addition, concerning location and traffic data:
    • Information on traffic data (Art. 6)
    • Information of the data subject with respect to location data (Art. 9)
    • Consent prior to processing and transfer of location data needed (Art. 9)
    • Consent can be withdrawn at any time (Art. 9)
    • Where consent of the user has been obtained (Art. 9):
      – Possibility of temporarily refusing the processing
      – For each connection to the network or
      – For each transmission of a communication
      – Using a simple means / free of charge

Page 5

Legal Grounds (cont.)

• Data Retention Directive (2006/../EC; not finally defined)
  – Data has to be saved by the telecommunication provider for at least 6 months:
    • Concerning telephone or mobile phone:
      – Originating and targeting phone number, name and address of the user of the phone or mobile phone (including IMSI, IMEI, Cell-ID)
      – Date and time
      – Services used
    • Concerning the internet and VoIP:
      – Originating and targeting user ID, phone number, name and address, and IP address of the user
      – Date, time and time zone of login and logout
      – Services used
  – See http://register.consilium.eu.int/pdf/de/05/st03/st03677-re10.de05.pdf
  – Economic aspects in the context of AmI unclear

Page 6

Suggestions of the Article 29 Data Protection Working Party

• Aims:
  – Easier compliance
  – Improved awareness of data protection rights and responsibilities
  – Enhanced quality of information on data protection

• Support for the concept of a multi-layered format for data subject notices
  – Improve the quality of the information on data protection received
  – Focus each layer on the information that the individual needs to understand their position and make decisions
  – Where communication space/time is limited, multi-layered formats can improve the readability of notices

Page 7

Information to be given

• Essential information that should be provided in all circumstances where the data subject does not have it already; this includes the identity of the data controller and of his representative, if any, as well as the purpose of the data processing

• Further information which should be provided if it is necessary to guarantee fair processing, having regard to the specific circumstances in which the data are collected

• Information which is nationally required and goes beyond the Directive's requirements
  – Name or address of the data protection commissioner
  – Details of the database
  – Reference to local laws

Page 8

Layer 1: Short Notice

• Core information required under Article 10 of the Directive
  – Identity of the controller
  – Purposes of processing
  – Any additional information which, in view of the particular circumstances of the case, must be provided beforehand to ensure fair processing
  – A clear indication must be given as to how the individual can access additional information

Page 9

Layer 1: Example

Page 10

Layer 2: Condensed Notice

• All relevant information required under the Directive
  – The name of the company
  – The purpose of the data processing
  – The recipients or categories of recipients of the data
  – Whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply
  – The possibility of transfer to third parties
  – The right to access, to rectify and to oppose
  – Choices available to the individual
  – Contact for questions and information on redress mechanisms

• Available on-line as well as in hard copy via written or phone request

• Present this notice in a table format that allows for ease of comparison

Page 11

Layer 2: Example 1

Page 12

Layer 2: Example 2

Page 13

Layer 3: Full Notice

• Include all national legal requirements and specificities

• It may be possible to include a full privacy statement with possible additional links to national contact information.

Page 14

Research in the PRIME Project

• Traditional approach (state of the art): stating privacy policies (P3P)

• Automated protocols for policy negotiation
  – See http://www.prime-project.eu.org/public/prime_products/PRIME-White-Paper-V1.pdf

• Use of policies sticking to personal data (sticky policies)
  – Policies have to be acknowledged to decrypt personal data
  – Policies have to be acknowledged to use personal data
  – Current concepts include trusted third parties
  – See http://www.prime-project.eu.org/public/prime_products/deliverables/arch/pub_del_D14.2.a_ec_wp14.2_V5_final.pdf
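To make the sticky-policy idea on this slide concrete, here is an added example in Python using only the standard library; it is not PRIME code and not from the slides. The policy travels with the personal data as the associated data of an encrypt-then-MAC envelope, and a simulated trusted third party (`KeyAuthority`, an assumed name) releases the data key only against an acknowledgement of the exact policy digest the data was sealed under. The HMAC-SHA256 counter-mode keystream is a toy cipher chosen to stay dependency-free; in practice an AEAD such as AES-GCM with the policy as associated data plays the same role. All sample data and policy fields are constructed.

```python
"""Toy sticky-policy envelope (constructed example, not PRIME or slide code).

The policy rides along with the encrypted personal data as authenticated
associated data, and a simulated trusted third party releases the data key
only against an acknowledgement of the exact policy the data was sealed under.
"""
import hashlib
import hmac
import json
import os


class PolicyNotAcknowledged(Exception):
    """Recipient did not acknowledge the policy attached to the data."""


class IntegrityError(Exception):
    """Policy or ciphertext changed after sealing."""


def canonical(policy: dict) -> bytes:
    """Canonical JSON so the same policy always yields the same digest."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def policy_digest(policy: dict) -> str:
    return hashlib.sha256(canonical(policy)).hexdigest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a dependency-free PRF keystream (toy cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(data: bytes, policy: dict, key: bytes) -> dict:
    """Encrypt-then-MAC; the tag covers policy + nonce + ciphertext, so the
    policy cannot be swapped for a more permissive one without detection."""
    pol, nonce = canonical(policy), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, pol + nonce + ct, hashlib.sha256).digest()
    return {"policy": policy, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_sealed(envelope: dict, key: bytes) -> bytes:
    """Verify the tag over the attached policy before decrypting anything."""
    pol = canonical(envelope["policy"])
    nonce, ct = bytes.fromhex(envelope["nonce"]), bytes.fromhex(envelope["ct"])
    expected = hmac.new(key, pol + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(envelope["tag"])):
        raise IntegrityError("policy or ciphertext was altered after sealing")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KeyAuthority:
    """Simulated trusted third party (assumed name): holds one data key per
    policy digest and releases it only to a recipient acknowledging that digest."""

    def __init__(self):
        self._keys = {}

    def register(self, policy: dict) -> bytes:
        key = os.urandom(32)
        self._keys[policy_digest(policy)] = key
        return key

    def release_key(self, envelope: dict, acknowledged_digest: str) -> bytes:
        digest = policy_digest(envelope["policy"])
        if not hmac.compare_digest(digest, acknowledged_digest):
            raise PolicyNotAcknowledged("acknowledgement is for a different policy")
        if digest not in self._keys:
            raise PolicyNotAcknowledged("no data was sealed under the presented policy")
        return self._keys[digest]


def demo() -> dict:
    """Three outcomes a recipient can run into; all values are constructed."""
    authority = KeyAuthority()
    policy = {"purpose": "billing", "retention_days": 90, "third_parties": []}
    key = authority.register(policy)
    envelope = seal(b"Alice, Musterstrasse 1, Kiel", policy, key)
    results = {}
    # 1. Acknowledging exactly the attached policy releases the key and the data.
    results["honest"] = open_sealed(envelope, authority.release_key(envelope, policy_digest(policy)))
    # 2. Acknowledging a policy of the recipient's own choosing releases nothing.
    try:
        authority.release_key(envelope, policy_digest({"purpose": "marketing"}))
        results["wrong_ack"] = "released"
    except PolicyNotAcknowledged:
        results["wrong_ack"] = "refused"
    # 3. Rewriting the attached policy after sealing breaks the tag, even with the key.
    tampered = dict(envelope, policy=dict(policy, purpose="marketing"))
    try:
        open_sealed(tampered, key)
        results["tampered"] = "decrypted"
    except IntegrityError:
        results["tampered"] = "rejected"
    return results
```

The three scenarios in `demo()` are the points the slide makes: the data is readable only after the attached policy is acknowledged, an acknowledgement of some other policy yields no key, and a policy edited after sealing is caught by the tag even if the key has already been obtained. What the example does not cover is enforcement of the policy during later use of the data; that is where the trusted-third-party and platform concepts the slide mentions come in.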

Page 15

Additional Aspects

• Privacy once lost cannot be restored easily (or not at all!)
  – The feedback system is very indirect

• Balancing privacy and security (crime prevention etc.) is necessary
  – What "privacy price" are we willing to pay for what level of perceived or effective security?

• Operative aspects
  – How to achieve convenient and effective consent for data processing in AmI environments? "Implicit consent?"

Page 16

Conclusions

• Limitations
  – Challenges: multilateral security and improved attacker models
  – Interactive versus non-interactive (passive) authentication (policies?)
  – What about international AmI providers and legislation?
  – The possibility to enforce privacy protection technically is limited today and in the future

• Trends
  – AmI = RFID + biometrics + data mining etc.

• Technical maturity, security and data protection?
  – Increased complexity
  – Future developments in PETs?
  – Data protection from the economic perspective: USP vs. compliance vs. violation

Page 17

Thank you for your attention!

Dr. Martin Meints, ICPP

Page 18

Directive 95/46/EC of 24 October 1995

• Definition of “the data subject’s consent”: shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed (Art. 2 h).

Page 19

Article 6

"Member States shall provide that personal data must be: (a) processed fairly and lawfully;"

Recital No. 38 of the Directive, “…if the processing of data is to be fair, the data subject must be in a position to learn of the existence of a processing operation and, where data are collected from him, must be given accurate and full information, bearing in mind the circumstances of the collection...”.

Page 20

Art. 10: Information in cases of collection of data from the data subject

• Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it:
  – (a) the identity of the controller and of his representative, if any;
  – (b) the purposes of the processing for which the data are intended;
  – (c) any further information such as
    • the recipients or categories of recipients of the data,
    • whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,
    • the existence of the right of access to and the right to rectify the data concerning him
    in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.

Page 21

Article 11: Information where the data have not been obtained from the data subject

1. Where the data have not been obtained from the data subject, Member States shall provide that the controller or his representative must, at the time of undertaking the recording of personal data or, if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed, provide the data subject with at least the following information, except where he already has it:
  (a) the identity of the controller and of his representative, if any;
  (b) the purposes of the processing;
  (c) any further information such as
    • the categories of data concerned,
    • the recipients or categories of recipients,
    • the existence of the right of access to and the right to rectify the data concerning him
    in so far as such further information is necessary, having regard to the specific circumstances in which the data are processed, to guarantee fair processing in respect of the data subject.

2. Paragraph 1 shall not apply where, in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law. In these cases Member States shall provide appropriate safeguards.

Page 22

Article 14: The data subject's right to object

Member States shall grant the data subject the right:
  (a) at least in the cases referred to in Article 7 (e) and (f), to object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation. Where there is a justified objection, the processing instigated by the controller may no longer involve those data;
  (b) to object, on request and free of charge, to the processing of personal data relating to him which the controller anticipates being processed for the purposes of direct marketing, or to be informed before personal data are disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object free of charge to such disclosures or uses.

Member States shall take the necessary measures to ensure that data subjects are aware of the existence of the right referred to in the first subparagraph of (b).

Page 23

Directive 2002/58/EC – Directive on privacy and electronic communications

• Article 6 par. 4 (traffic data): The service provider must inform the subscriber or user of the types of traffic data which are processed and of the duration of such processing for the purposes mentioned in paragraph 2 (purpose of billing) and, prior to obtaining consent, for the purposes mentioned in paragraph 3 (purpose of marketing).

Page 24

Art. 9 Directive 2002/58/EC: LBS

• "Location data other than traffic data" relating to users

• Only processed when …
  – … made anonymous, or
  – … with the consent of the users (to the extent / for the duration necessary for the provision)

• The service provider must inform the users, prior to obtaining consent, about …
  – … the type of location data
  – … the purposes
  – … the duration of the processing
  – … whether the data will be transmitted to a third party

• Possibility to withdraw the consent at any time

Page 25

Art. 9 Directive 2002/58/EC: LBS (cont.)

• Where consent of the user has been obtained:
  – Possibility of temporarily refusing the processing
  – For each connection to the network or
  – For each transmission of a communication
  – Using a simple means / free of charge
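The Art. 9 conditions summarised on the last two slides map onto a default-deny consent gate in front of any location-data processing. The following Python is an added example, not from the slides or any real LBS product; the class and field names (`ConsentRegistry`, `REQUIRED_NOTICE`, the notice keys) are assumptions, and the users, purposes and clock values in `demo()` are constructed. It records consent only when the prior notice was complete, scopes a temporary refusal to one connection or transmission, and treats withdrawal and the end of the consented duration as hard stops.

```python
"""Consent gate for location data following the Art. 9 conditions summarised
on the slides (constructed example; not code from the slides or any product).

Location data other than traffic data is processed only when anonymised, or
when informed consent exists for this purpose, has not been withdrawn, has not
expired, and has not been temporarily refused for the current connection or
transmission. Everything else is denied.
"""
from dataclasses import dataclass, field

# Items the provider must have told the user before consent was obtained (assumed keys).
REQUIRED_NOTICE = ("type_of_location_data", "purposes", "duration", "third_party_transfer")


@dataclass
class Consent:
    purposes: frozenset                          # purposes the user agreed to
    valid_until: int                             # end of the consented duration (constructed clock)
    withdrawn: bool = False
    refused: set = field(default_factory=set)    # connection / transmission ids the user refused


class ConsentRegistry:
    def __init__(self):
        self._consents = {}

    def record(self, user: str, purposes, notice: dict, valid_until: int) -> Consent:
        """Store consent only if the prior notice was complete (informed consent)."""
        missing = [k for k in REQUIRED_NOTICE if k not in notice]
        if missing:
            raise ValueError(f"consent from {user} is not informed; notice lacks {missing}")
        consent = Consent(frozenset(purposes), valid_until)
        self._consents[user] = consent
        return consent

    def withdraw(self, user: str) -> None:
        """Withdrawal is possible at any time."""
        if user in self._consents:
            self._consents[user].withdrawn = True

    def refuse_temporarily(self, user: str, connection_id: str) -> None:
        """Simple, free-of-charge refusal for one connection or transmission."""
        if user in self._consents:
            self._consents[user].refused.add(connection_id)

    def decide(self, user: str, purpose: str, connection_id: str, now: int,
               anonymised: bool = False) -> tuple:
        """Return (allowed, reason); the default outcome is deny."""
        if anonymised:
            return True, "data made anonymous"
        consent = self._consents.get(user)
        if consent is None:
            return False, "no consent on record"
        if consent.withdrawn:
            return False, "consent withdrawn"
        if now > consent.valid_until:
            return False, "consented duration elapsed"
        if purpose not in consent.purposes:
            return False, f"purpose '{purpose}' not covered by consent"
        if connection_id in consent.refused:
            return False, "processing refused for this connection"
        return True, "informed consent covers this processing"


def demo() -> dict:
    """Walk one constructed user through the consent lifecycle."""
    reg = ConsentRegistry()
    notice = {"type_of_location_data": "cell-id", "purposes": ["friend-finder"],
              "duration": "session", "third_party_transfer": False}
    out = {}
    # A notice missing an item must not produce a recorded consent at all.
    try:
        reg.record("alice", ["friend-finder"], {"purposes": ["friend-finder"]}, valid_until=100)
        out["incomplete_notice"] = "recorded"
    except ValueError:
        out["incomplete_notice"] = "rejected"
    reg.record("alice", ["friend-finder"], notice, valid_until=100)
    out["covered"] = reg.decide("alice", "friend-finder", "conn-1", now=10)[0]
    out["other_purpose"] = reg.decide("alice", "advertising", "conn-1", now=10)[0]
    reg.refuse_temporarily("alice", "conn-2")
    out["refused_conn"] = reg.decide("alice", "friend-finder", "conn-2", now=10)[0]
    out["next_conn"] = reg.decide("alice", "friend-finder", "conn-3", now=10)[0]
    out["expired"] = reg.decide("alice", "friend-finder", "conn-3", now=101)[0]
    reg.withdraw("alice")
    out["withdrawn"] = reg.decide("alice", "friend-finder", "conn-3", now=10)[0]
    out["anonymised"] = reg.decide("bob", "heatmap", "conn-9", now=10, anonymised=True)[0]
    return out
```

The ordering of the checks in `decide` is deliberate: anonymised data needs no consent at all, withdrawal and expiry are evaluated before purpose and per-connection refusal so that a stale consent can never be revived by a new connection, and every path that is not explicitly allowed returns a denial with a reason that can be logged for later review.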