EC thinking on privacy definitely on the move…

February 16, 2010

The European Commission (EC) and its partners hosted a conference on “Trust in the Information Society” in Spain 10-11 February where the winds of change became even more apparent.

This was a conference organised under the huge Framework Program 7 (FP 7) research stream funded by the European Commission. FP 7 has a very impressive research component on ICT Trust and Security Research under its ICT Challenge 1: Pervasive and Trustworthy Network and Service Infrastructures.  

My previous blog, “Ahead of the curve? New thinking on privacy, both sides of the Atlantic Ocean”, laid out some emerging indicators of fresh thinking on what privacy is and how it should be regulated.
The European side of the Atlantic lifted the petticoat a little more at “Trust in the Information Society” in Spain 10-11 February. The winds of change became even more apparent. I believe that PPTs and/or videos of sessions will be put on that website.
To start the Conference, an old friend of Global Access Partners, from the 2003 Virtual Opportunity Congress on Security & Risk, George Metakides, presented the very impressive RISEPTIS report prepared by the Advisory Board he had chaired. One of his most remarkable comments was to the effect that a report such as this simply wouldn’t have been commissioned five years ago, let alone the nuance of content it contains about trust, identity management and privacy. He also noted how issues such as trust, privacy and identity management were rapidly rising to the top of the leadership agenda.
His remarks set the tone of the conference. 
While there were many other highlights, one of the other talks should be noted: the remarks of Peter Hustinx, the European Data Protection Supervisor. Peter is a particularly wise and nuanced diplomat: you listen to his remarks and parse every sentence for the meaning he has intentionally put there.
In particular, Peter emphasised three emerging themes and their significance:
         Privacy by design
         The rise of privacy to the top of the leadership agenda
The last of these first. He noted the renewed emphasis on rights among the Commissioners just appointed for the next five years. Even titles will change: the Justice and Home Affairs Directorate will be re-titled and have ‘rights’ included. He also noted that in her confirmation hearing before the European Parliament, the new Commissioner for that Directorate, Viviane Reding, didn’t just include privacy as a priority. She listed it as her top priority. And she has form: for the last five years she headed the Information Society & Media Directorate with an increasing emphasis on privacy, as demonstrated through the themes of FP 7, among other things.
Peter sees the future as based on implementing stronger incentives to do the right thing by privacy: commercial reality will contribute to this, but he pointed out that regulatory incentive was just as important. Globalisation and global data flows will also be very important – he thought there was a growing consensus that countries will legislate along the lines of the Madrid declaration, while also seeing a need to recognise local approaches.
He emphasised that “law should not legislate on technology”. Instead the emphasis should be on privacy by design, i.e. privacy should be integrated in all thinking from the very beginning. He recognised that this is not new thinking. The difference will be that privacy by design will be ‘operationalised’ a great deal more in the future. He would like to see this trend include more ‘privacy by default’ settings, with a not very subtle reference to social networking sites.
The way he saw developments such as privacy by design becoming more deeply embedded was important. Instead of ‘legislating on technology’, this change will be driven by incentives to do so. The incentives will come from government and legislation as well as the emerging commercial reality of evolving market place demand. 
As part of this, Peter strongly endorsed the importance of ensuring effective accountability and drew attention to the Accountability Project being facilitated by the data protection authority of France, the Commission Nationale d’Informatique et Libertés (CNIL). He pointed out that it meant really getting privacy right: not just seeking compliance with privacy law but demonstrating that ‘all measures have been taken to ensure that compliance will be a result’. Hence we will see the emergence of Privacy Impact Assessments (PIAs) and other ‘assurance services’, some pro-active, some reactive. PIAs are an example of the former; data breach notification is an example of the latter. Stronger sanctions & allocation of liability will be part of the incentive framework.
It was in this way that he saw developers being drawn into the privacy framework, along with all the other actors in the sequence from first thinking to getting an offering to the market.
Peter also thought that the rights of the citizen would not change much. Rather, he thought the emphasis would be on easier access to exercising existing rights.
Another component of the future will be much tighter cooperation between the US and EU authorities. Indeed, in his conclusion, one of Peter’s reinforcing remarks was that trust in the information society will depend on whether the authorities can cooperate effectively (and implying that they had a long way to go).
On another tack, one of the themes of the Congress was the importance of international research cooperation beyond Europe. Go to the Publications page of for the paper & PPT that I presented as part of the panel on this topic.
At the very beginning of the conference, Mario Campolargo, Director of Emerging Technologies and Infrastructures, European Commission and then George Metakides also set the tone of the Conference in a more personal way in their opening remarks. He informed us that Jacques Bus, Head of Unit Trust & Security in the Information Society & Media Directorate-General and inspiration for the Conference, would be retiring in a month. 
In a very subtle way, this turned the Conference into a celebration of the remarkable influence Jacques has had on the direction of ICT research in Europe, especially on questions of trust, reliability and privacy. I first met Jacques in 2004 the day after I finished as Privacy Commissioner and he has been a true friend and inspiration ever since. 
The EC will miss Jacques, but he isn’t disappearing into the sunset just yet. Now Jacques will be coordinating and influencing research through a number of other positions and projects he will take up. We all joyfully wished him well.
While there was no formal ‘resolution’ from the conference, an informal conclusion has now been written by the EC and posted on the conference website.
Malcolm Crompton is Managing Director of Information Integrity Solutions (IIS), a globally connected company that works with public sector and private sector organisations to help them build customer trust through respect for the customer and their personal information.  He was also foundation President of the International Association of Privacy Professionals, Australia New Zealand,