Global privacy standards for the Internet and working world – PL 02 2010
30 April 2010 | 9:00-10:15
Key issues that could be discussed: Privacy by design for services and applications (e.g. social networks, cloud computing, etc.); privacy in the workplace.
People
Key Participants
- Kevin Fraser, Council of Europe Consultative Committee of Convention 108
- Andreas Krisch, President of European Digital Rights (EDRi)
- Sophie Kwasny, Council of Europe, Directorate General of Human Rights and Legal Affairs
- Annette Mühlberg, United Services Union (ver.di)/EURALO Head of E-Government
- Jesus Rubi Navarrete, Assistant to the Director of the Data Protection Agency (Spain)
- Jose Leandro Nunez Garcia, Spanish Data Protection Agency
- Eduardo Ustarán, Field Fisher Waterhouse LLP
Moderator
- Eduardo Ustarán, Field Fisher Waterhouse LLP
Rapporteur
- Katitza Rodriguez, International Rights Director, Electronic Frontier Foundation (EFF)
Remote participation moderators
- Sophie Kwasny, Council of Europe
- Jean-Philippe Moiny, FNRS
Key messages
Important risks include data retention and how this may threaten freedom of association to form and join a trade union, the risks of centralising data held by governments and companies, the lack of legal certainty when defining jurisdictions in a global world, and the effect of the Internet on the so-called “right to oblivion”. Global privacy standards, privacy by design and by default for future technologies and applications, data protection education to be included in our education systems, and privacy-enhancing infrastructure at work were all highlighted as ways to move forward.
Messages (extended)
Privacy and data protection are taking an increasingly important place on both national and international agendas, whether the subject is social networking, search engines, the Internet of Things, the protection of children online, the collection of biometric data as a way of asserting identity, cloud computing, or the international exchange of personal data through billions of online transactions.
Several risks were highlighted: data retention and how this may threaten freedom of association to form and join a trade union; the risks of centralising data held by governments and companies; the lack of legal certainty when defining jurisdictions in a global world; and the effect of the Internet on the so-called “right to oblivion”.
Some proposals were provided. Global privacy standards are needed to enable the development of human-rights-friendly future technologies. Privacy by design and by default need to be the fundamental design principle for future technologies and applications. Data protection education needs to be included in our education systems to enable everybody to participate in the information society without putting her/his privacy at risk. Data protection authorities need to be strengthened in order to ensure proper protection.
Civil Society made recommendations in its Madrid Civil Society Declaration: Convention 108 (and its 2001 protocol) and Joint Proposal for Data Protection.
Convention 108 is a legally binding instrument with a flexible follow-up mechanism already in place. Adoption of this binding instrument not only enhances the rights of the data subject, but also strengthens international co-operation between data protection authorities and enhances the ability of organizations to do business around the world. It was said that the Council of Europe has every interest in promoting its standards in an increasingly globalized world.
The supervisory authorities from more than 50 countries from all over the world adopted the “Resolution of Madrid”, a Joint Proposal of International Standards on the Protection of Privacy. It aims to harmonize the various regimes of protection existing in different geographical areas, providing a regulatory model that guarantees a high level of protection and that, simultaneously, can be adopted by any country with the minimum adaptation necessary to its particular legal, social and economic culture. Standards like this could help to avoid jurisdiction issues on the Internet. If their principles (especially the so-called “Privacy by Design”) are implemented in the infrastructure of the Net, they could even contribute to better protection for individuals and to easier and more efficient observance by industry.
There is a need for privacy-enhancing infrastructure at work. There is also a need for co-decision making between work councils and employers regarding the introduction of technology that can be used for surveillance.
Law cannot be as fast as technology frameworks. However, international privacy standards like those of the Council of Europe and the Madrid Resolution are based on general principles that can apply to today’s environment. Those principles have passed the test of time.
Data Portability: A user should be able to take his data in bulk away from a service and move it to a different service.
Transcript
Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-719-481-9835, www.captionfirst.com
This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.
>> Good morning, everyone. Welcome to the second day. I was not planned to speak here now, and I will take only a minute of your time, and it is that I hope you had a good experience yesterday, and I hope that you will have great experience today, and in order to continue that, we have been discussing where we are going to meet next year.
So I think this is a proper time to tell you that we are quite happy to announce that the next EuroDIG will take place in Belgrade in Serbia next year.
(Applause)
This is my Serbian hat now.
(Laughter)
And of course, you are all welcome not only to come and to join us for the EuroDIG but also to help us with preparation. We’ll contact you, definitely, in person, and you please approach me or my afterwards.
But at this point I also wanted to announce or suggest that the EuroDIG meeting will take place on the 2nd and 3rd of June next year. Now, before we confirm that, we have to ask you and you have to think about your institutions. If you think there is any important, major Pan-European meeting that might be in conflict with these dates, if you think so, please let us know by the end of the day so that today at least we can try to confirm, at least provisionally, of course, these two dates – these dates for the next meeting. Thank you.
>> EDUARDO USTARAN: Good morning, everyone. Welcome. Second day of the EuroDIG 2010, and welcome to what promises to be a very exciting panel session this morning to look at some of the most difficult and challenging issues affecting the development of the Internet.
It’s a real pleasure to be here today. I’m Eduardo Ustaran, a partner at Field Fisher Waterhouse. We see daily the challenges faced by governments, by organizations, by people when they use the Internet and how that and the development of the Internet affects their lives on a daily basis.
In today’s world, we face a real dilemma. The dilemma is this: How to foster the development of the Internet and the development of what in Europe we call the Information Society in a way that safeguards the rights, the fundamental rights and the privacy of individuals, of all of us as users of the Internet.
It’s a real practical challenge because, for example, how can we make the most of online social networking and professional networking in a way that doesn’t affect our privacy? How can we take advantage of the technological opportunities presented by cloud computing and global technologies in a way that protects people’s information? How can we take advantage of this technology and, at the same time, develop and protect intellectual property in a way that doesn’t affect in a negative manner the privacy rights of individuals?
Privacy is a fundamental human right. So something that needs to be taken into account whilst at the same time we do our very best to avoid affecting the development of new technologies.
So to get the balance right, we have today a very good panel, an amazing panel, I would say, that is going to try, I believe, very, very hard to address these issues, to look at it in a pragmatic way, and to tell us about some of the solutions that are already taking place in today’s world.
So let’s get on with the proceedings, and let’s hear from our four panelists. The way this will work is our panelists will have some introductory remarks for not more than five minutes, and then we will open the session to – for questions to all of you. Let’s really try to debate issues, to look at things in a constructive way to try to position ourselves in a way that contributes to the solution of this dilemma.
So let’s start with Andreas Krisch, who will set up the background of the things that are already happening and the things that are going to happen in the future, the Internet of things. Andreas represents the European Digital Rights and has experience of these issues. Andreas.
>> ANDREAS KRISCH: Thank you very much. Yeah, my name is Andreas Krisch from European Digital Rights. European Digital Rights is an association of European privacy and human rights association which was founded in 2002, and we currently have 27 member organizations in the area of the Council of Europe and from 17 European countries.
Regularly our newsletter, which is available for free on our homepage, and you can subscribe to it via email, so if you are interested in privacy topics and digital rights topics, subscribe to our newsletter and get the information. There’s also a German version available, by the way.
So privacy standards, why do we need them, what are they for, and what are the things that need to be addressed?
I would like to start with a quote from the European Data Protection Supervisor, who, yesterday, in Prague said in context of the review of the data protection review, he said the stakes are not more and not less than how to ensure privacy and data protection in highly developed information society in 2015, 2020, or beyond. An ambitious approach is the only way in which we can assure our privacy and personal data are well protected also in the future.
I would like to add to that that maybe it’s not only 2015 or 2020 what we have to think about, but I think it’s especially in the light of the Data Protection Directive, which was adopted in 1995. We need to go beyond this state and think of an information society of the years 2025 and 2030 if we are talking about global privacy standards and the legal framework that we are shaping now for the future.
So what is new in this Information Society of the future? We see a growing consultation of Internet-based services with very much increased trends for the flow of data. If you think back to 1995 when the Data Protection Directive was adopted, email was a revolutionary technology, and it was very new to be able to communicate within seconds with everybody around the world. And now, 15 years later, we have remote participation in 13 hubs in Europe, with direct data transmission with images that are spread all over Europe, and everybody is able to participate in this meeting that we are having here. So it’s really quite different, and we have to see this picture for the future and to anticipate what will be different in 15 years’ time or 20 years’ time.
What we see today is also that some corporations are acquiring vast amounts of personal data without any independent oversight. Do we need to expect that any data that is publicly available is being collected and used for any purpose, and what does it mean if this is the case?
We see emerging developments, like cloud computing, which we already talked yesterday a little bit and the difficulties that we see with the legal systems in which these cloud computing takes place and what the risks are, therefore, for the personal data that is processed.
We see smart grids emerging that shape the way our energy supply is handled. We see RFID coming in the market to support supply chains, but also to go into consumer products and where data processing takes place without that we can even see that because it’s integrated in the products that we use, and it’s not visible anymore that there is a computer in it.
And we see the emerging of the Internet of things, the interconnection of objects that transmit information to each other. We see that cars get developed that are able to talk to each other to tell each other be careful, there is a traffic jam in 200 meters in front of you or 2 kilometers in front of you. Don’t take this road; it’s jammed. Use another way. And so on. So there are lots of interconnections, lots of data that are spread in the world without that anybody can say, okay, this data will exactly go from this point to exactly this and other point. So we need to develop standards on how to protect all this data that is in there without having particular control of one special set of data, but we need to have privacy-enhancing framework in which this data processing is possible.
We need global standards to achieve a same level of protection everywhere. So we need to make this transborder flows of information possible to enable the future information society and these future technologies because also our economies are dependent to build these systems, and there are benefits of these systems, but we do need to do it right. And we need to enable transborder flow of data without negative effects on fundamental human rights like privacy and data protection.
And we need to enable data protection for any development of future applications, like the Internet of things, intelligent transport, smart grids, so on.
The European Union needs to improve as well, I think. It’s necessary to achieve and standardize a high level of enforcement of data protection legislation. EU data protection legislation is rather good, but enforcement is a real problem. We see in many of the Member States that the existing law is enforced very weakly, and we really need to improve this, and I think that there is always also a necessity to include meaningful sanctions if some data processes do not comply with the law.
And we need to strengthen our data protection authorities so that they are able and have the resources to perform the work, and we need to ensure that international treaties, like with the U.S., for example, are made in a way that they are enforceable on both sides of the agreement and of the treaty. Because most of the treaties that are made with the U.S., for example, are well enforceable on the European side, but there are great weaknesses on the U.S. side, and it’s very difficult to exercise one’s right on the other side of the ocean.
And for example, Safe Harbor Agreement, there is a report of consulting company called Galexia said that the result was of the study that more than 200 companies in the U.S. claim to have joined the Safe Harbor Agreement without having done so, and only about 250 companies complied with the minimum requirements. And by December 2008, ten years after the Safe Harbor Agreement went into force, there has only been one court case – one single court case – for not fulfilling the requirements. And this court case ended without any sanctions. So we really need to improve the agreements that we do, and we really need to have this international standards to not having the necessity to negotiate such agreements because if it’s standardized, it’s just there, and then we can see how to enforce this. And this needs to be included in the standards as well.
So we need to shape technology, privacy by design, privacy by default as well, and we also, at this civil society, made an effort to put all these things together and all these arguments and to express our view of the situation in November 2009 at the – around the International Conference of Data Protection and Privacy Commissioners, where we adopted the Civil Society Madrid Privacy Declaration, which was signed on the 28th of January 2010, the Data Protection Day, by 111 civil society organizations from around the world and 188 individual experts that we expressed our views that I tried to summarize here.
So thank you.
>> EDUARDO USTARAN: Thank you, Andreas. Thank you for setting the scene in such a comprehensive and clear way. Our next panelist is Kevin Fraser, a representative of the Council of Europe. The Council of Europe is a veteran in dealing with – not himself – the Council of Europe is a veteran in dealing with international privacy matters. 30 years ago the Council of Europe took the initiative to approach privacy in a global way, and more than ever, as we have seen from Andreas’ presentation, those global standards, that global approach is needed.
Kevin is going to tell us about what work the Council of Europe has been doing and is in the process of implementing to address this issue. Kevin.
>> KEVIN FRASER: Thank you, Eduardo. Can I just say thank you much indeed for inviting me here today. I’m delighted to be representing the Consultative Committee of Convention 108, the Council of Europe committee dealing with data protection.
When I attended the EuroDIG 2009 conference last year in Geneva, I was privileged to hear very mature debate between people representing various interests. It seemed to me that the world in which we live in had become much smaller because of the Internet, it had become much more enriched, more integrated, and increasingly borderless. And I heard from those who are representing industry call for the Internet to be a place for innovation and a place where commercial transactions could take place both securely and responsibly. And there was a general debate about people downloading films and music and about those who are interested in protecting copyright.
I heard calls for increased privacy so that individuals could roam the Internet anonymously. And I also heard from those in the law enforcement field about how they had a duty to protect young individuals from sexual predators in the online world in much the same way as they had a duty to protect those in the offline world.
There were also clear statements about trust or, rather, about how not to abuse trust, which might already have existed, and that the Internet shouldn’t be some sort of unregulated Wild West. But neither was there a desire to overregulate the Internet by constructing some sort of Berlin Wall.
And the title of this plenary perhaps implies that global standards for the Internet working world don’t exist already, or rather, perhaps, a new global privacy standard is required. And it’s against that background that I’d like to perhaps say a few things about both the current and future challenges for data protection, where we might go, and how the Council of Europe Convention 108 might help.
I’d like to say that – at the outset that privacy and data protection have been core value to the Council of Europe from the beginning and the focal point of these activities of the Consultative Committee, and it brings together a core of individuals from the data protection community to specifically deal with data protection.
So what might be the issues for privacy standards? Well, the Convention, like many other instruments, was crafted at a time when the Internet was in its infancy. Mobile phones were hardly mobile, and the length of the call was not based on some sort of fancy pricing package but rather if you had the strength to hold the phone up for a particular amount of time. And social networking was probably sending Christmas cards to family and friends once a year.
So the world as we know it today is very different from the world that we knew in 1980, when the Convention was first drawn up, and it’s quite clear that privacy and data protection are taking increasingly important places on both national and international agendas, and that’s whether it’s street view, social networking, the protection of children online, the collection of biometric data to ascertain an individual’s identity, or indeed the storage of data through cloud computing.
So what are the challenges? Well, the mobility for individuals to move freely around the world, the globalization of markets, the opportunities for business presented by new technologies to be able to authorize global services over the Internet and, indeed, to personalize services and to be able to use technologies to store data actually necessitates the transborder flow of information. In addition, the citizen now enjoys more access to information than he or she ever had before, often free, quicker, and they can access it wherever they are in the world.
And it’s this trans-border flow of personal data that requires data protection. How might the Convention help? The Convention adopted a rights-based approach intended to facilitate the flow of data across borders. The principles of that Convention are what established fairness, lawfulness, relevance, not excessive, accuracy of the data, information for the data subject, rights of access and rectification, and enforceability of those rights.
And there are key actors in the European field, at least, whose instruments are rather not legally binding or, indeed, have a geographical scope of application. And since the Convention is open for accession to Council of Europe non-Member States, its provisions elaborated under the Council of Europe potentially go beyond the European continent. And it’s interesting to see the international and European actors are looking towards the Convention 108 as the tool to respond to internationally applicable standards. And as I say, it’s open to accession by any state with the required data protection legislation. Further, the committee has already established practical collaboration with the Francophone and Iberian network of data commissioners.
We are looking for new opportunities to promote the Convention worldwide by cooperating with the European Union in the promotion of international standards and to encourage support from non-Member States to accede the Convention. I am pleased to say that more and more observers are becoming interested in our work. Both the United States and the International Conference of Privacy and Data Protection Commissioners have recently obtained status of the committee, and we are pleased that the Conference itself supported the Council’s initiative to open the Convention for accession.
This Convention that we have not only enhances the rights of data subjects, but also strengthens international cooperation between data protection authorities, and it enhances the ability of organizations to do business around the world. And it’s our view that the Council of Europe has every interest to promote its standards in an increasingly globalized world.
But we do need to ensure that privacy and data protection are kept up-to-date in the light of the development of Information and Communication Technologies. And in the same way that others are looking at their own data protection rules to ensure they’re up-to-date, their net process of review is just as much valid in respect of our own Convention. We must ensure that their standards remain relevant and address the challenges raised by the use of modern technologies.
And in September last year, the Consultative Committee adopted its new work program, including making the update of a Convention a priority, to take into account the challenges posed by the Internet, possibly through the drafting of a second additional protocol.
Other priorities for the work program include the updating of two key recommendations, the use of personal data in the police sector recommendation to reflect the fact that different authorities in the field of law enforcement are dealing with the prevention, detection, and investigation of crime and the use of data for employment purposes.
And I think it’s important that as we go forward that, you know, there are going to be some anticipated changes in our working methods by working with multi-stakeholders, more than we perhaps have done to date, and that’s going to be more and more the case if we want to set standards which are implemented in practice by Member States.
Most recently, we’ve seen in the development of a draft recommendation on profiling the importance of engaging with relevant stakeholders. Such recommendations, by the way, are directed to Member States. They’re not legally binding. But even so, there are clear messages to other stakeholders about privacy by design, to recognize that software developers have a part to play in making the Internet a safe place, and the importance of those providing services to improve the transparency to citizens around the collection and processing of information that is taking place.
The draft recommendation is likely to encourage such persons, public authorities, and public and private bodies to introduce and promote self-regulation mechanisms, such as codes of conduct, ensuring respect for privacy and data protection, and to put in place the technologies to safeguard the privacy of the individual. And as I say, the Council of Europe has every intention to – or every interest to promote its standards in an increasingly globalized world.
And I hope that I’ve given you some food for thought about how the Convention might play its part in global privacy standards for the Internet and the working world. Thank you.
>> EDUARDO USTARAN: Thank you very much, Kevin, for explaining the crucial role of the Council of Europe and Convention 108 in this area.
Very closely linked to that and looking at the future, the Spanish Data Protection Authority, together with other privacy commissioners of the world, for the past 12 to 18 months has been leading a project to take that spirit of the Convention 108 global approach, sensible approach to privacy regulation to the next level.
Jesus Rubi of the Spanish [Speaking Spanish] is going to tell us about the work that the Spanish Data Protection Authority and other commissioners have been doing in relation to the development of global privacy standards. Jesus.
>> JESUS RUBI NAVARRETE: Thank you, Eduardo. Good morning. Thanks very much for the invitation to be in this very important forum. As has already been stated, the importance of having standards, international standards, to facilitate the flow of data with guarantees for citizens. Now, based on this, we’ve had a number of declarations, but the 31st International Declaration on Data Protection and the Commissioners on Data Protection that was held in Madrid in November of last year was a step forward in the sense that they’ve gone beyond declarations, and now they’ve drafted a document that reflects those principles, rights of citizens.
Now, the Madrid Resolution has been adopted by 50 data protection authorities in 50 countries and has the support of multinational companies, which are very aware of the need to have – to develop in this area. The Madrid Declaration is organized around a whole set of principles for data protection. It recognizes the rights of citizens. It foresees measures to implement these effectively and also reflects aspects having to do with being proactive by all organizations in guaranteeing data protection.
This Madrid Resolution, the main aim is to become the starting point for a multinational Convention which is binding, but this objective is not an objective that will be achieved from one day to the next. In the meantime, it is still practical because it’s a point of reference for those countries that adapt initiatives for their own legislation in terms of data protection and also in the industrial area, the Madrid Declaration can be a point of reference for data protection policies or, also, to develop self-regulatory methods.
The Resolution provides – it’s not a fixed snapshot, but rather, it opens a dynamic process and creates a series of measures that we are now implementing to broaden and make known to the whole world this declaration and its most important characteristics. I think that the Madrid Declaration is particularly important in terms of the development of Internet, first of all, because the Madrid Declaration, in contrast to other instruments, was adopted just last year. In other words, when we knew these new developments of Internet services that didn’t exist at this level when the European Directive on Data Protection was passed.
So I think this is particularly appropriate to guarantee the processing of personal information within the framework of globalized services. It also has an added advantage in the sense that it can solve the debate on the rule applicable in one or another country. These international standards, when they were first generalized – generally accepted, the problem of the applicable law was difficult at that time, but now we will have global standards, and these conflicts can be resolved through the collaboration and cooperation between the different authorities of the different states in this way. Now that we have implemented these national standards, this can also help to resolve the imbalances that now exist in the market where, according to the regulations that exist in one or another country, there are some companies that could have competitive advantages that could be damaging to citizens, so considering all of these standards, we could prevent these – prevent these imbalances and unfair situations.
And it has an additional advantage, which is they are designed to guarantee technological neutrality. In other words, there are a set of principles and measures and instruments for its effective enforcement that can be adapted to existing technologies or future technologies. We’ve recently been analyzing their compatibility with this cloud computing phenomenon and can these standards apply to these. And finally, in the proactive policies in the standards, there are two relevant aspects. On the one hand, the need to carry out impact evaluations on privacy when we implement new developments, and together with that, the need from the very beginning of developing Internet services to foster privacy by design; in other words, to bear in mind from the very start of the development of services the need to offer tools to guarantee the protection of the privacy of individuals.
And just to finish, I want to give you an example. In the experience of the Spanish Data Protection Agency, one of the recent problems that has been growing is the situation of people that want to guarantee their right to not be indexed by search engines and Internet. There’s been a number of claims being filed in this sense. And so what can we do about that? Well, usually what we do is we develop a service, and after that, to adapt it to privacy rules, we incorporate once it has been defined, we incorporate privacy regulations with our policies that are not clear and are not clearly accessible and don’t give effective guarantees to citizens.
It would have been so complicated when we – would it have been complicated to think when this was first put together to think about the possibility of creating labels, HTML labels, so that those people that wanted to not be identified, that they could have this right to not be indexed? Well, this would make sense in the current context in which we find ourselves.
>> EDUARDO USTARAN: Thank you very much, Jesus. At the time when I was invited to become involved in the development of global privacy standards. I think it’s a very impressive project, and it’s been quite impressively implemented. So let’s see how we get on as the months go by.
But just to finalize and last but not least, going back to some of the practical aspects, practical challenges as well, of Internet and privacy matters. Annette Muhlberg of the United Services Union has a perspective of the employees, those individuals who use the Internet not just as consumers but as – for the purposes of their day-to-day work and operations.
So Annette is going to tell us what her concerns are and what the issues employees face these days when using the Internet. Annette.
>> ANNETTE MUHLBERG: Well, thank you very much for the invitation to this multi-stakeholder event on Internet and Internet governance.
This is the trade union I’m working for, the united services trade union has more than 2 million members, and these members work in shops and public service, in health and education, so it’s a wide variety of people who do work, manual work, who do the normal computer work. We also organize people in IT sector. So it’s a wide variety, and we do have a lot of experiences what’s going on in the working world in Information Society.
And I want to stress that we do need global standards and data protection in regards to the working world, that we do need implementation of privacy-enhancing technologies, and we also need organizational policies that help to enforce data protection. And I want to highlight you now why.
In the past, people said that the new information technologies would result in greater democracy and would give individuals greater scope to determine their work. But today, we find ourselves fighting to uphold basic rights. With the use of information communication technologies, a frenzy of control has broken out, and employers are increasingly treating their employees like feudal serfs. They are using the technologies to find out where the employees are, whom they are talking to, whom they are telephoning with, whom they are exchanging emails with, and whether and how they are involved in trade union activities. This is not the business of employers.
They check the emails, that’s the online part. They have videos. They have RFIDs. They use the mobile stuff. In respect to RFIDs, just to show what is going on, how the changes are working now, they put RFIDs in the clothes when you put together a car, and every single movement of the worker is watched and how he behaves and where to go, and he cannot take off the clothes totally when he goes to the bathroom. It is really watched every single movement. And we do have a lot of trouble here.
And this is why I really clearly want to stress human rights do not stop when you enter the workplace. And it sounds simple, of course human rights don’t stop, but if we do not have strong sanctions against illegal acts, you know, then we do not have the possibility to really enforce data protection.
And I want to show you what the problem is with trade unions. If you have email exchange and watch these email exchange, you cannot put your opinion freely anymore. You can also see, just not by looking into the email, but just where this email comes from. You can find out if you’re a member or not of a trade union, and this is really dangerous for the freedom of association. And this is a problem within the workplace.
And may I give just an example how simple, you know, for also employees who have work councils. In the offline world, we have rules that the work council’s room is not easy to see who walks in. So they actually took care that there is – there is no surveillance possible just by looking. You know, we are not talking about video; we are not talking about online; we are not talking about sophisticated technology. People were aware that there is a problem of surveillance there, and they found a solution.
And now here, we have this total surveillance in every movement and every communication exchange. And this is at the workplace. But we also have a problem with government activities. If there is data retention as a European directive that national states have to implement, then this is a threat to the freedom of association. This is a threat of the freedom to join – form and join a trade union because this data can be misused.
You can follow who was where, which contact you had, and we have horrible examples of surveillance of work councils and trade unionists. And it was even my boss, the head of the trade union, who was surveyed, his telephone contacts, his email contacts were surveyed by companies of people we organize the employees. So it is not a fiction; it is reality, and it is a severe problem.
And I want to highlight just to give a glance what the upcoming problems. We also have problems with privacy in collaborative online work. We have – there are challenges, let’s put it this way, because I think collaborative work is something great. But we do have to find solutions for these.
There are also challenges in trans-national online work, and there are also challenges when you implement e-Government new strategies and you have a centralized introduction of technology and people cannot co-determine anymore at their workplace how this technology should look like, and they cannot anymore determine the privacy standards at work.
And in Germany, we do have a law that any introduction of technologies that can serve to monitor the performance and behavior of employees is subject to co-determination. It requires the agreement of workforce representatives, and we would like to see this principle applied to all major European IT projects and, of course, on the local level. I think this is a very good best practice because it helps to shape, to have a precise look on how to use the technology at the workplace right there.
So yeah, I think this is enough for a start for discussion.
>> EDUARDO USTARAN: Thank you very much. Thanks for your passionate insight into the privacy issues affecting the workforce. And I agree with you, of course, that privacy doesn’t stop at work. In fact, information about trade union membership is recognized by European law as sensitive personal data, which is subject to provisions in the law.
But the reality is this. And I think we would all agree. The Internet is here, is happening, is developing. It’s developing very fast. Law cannot move at the same pace as technology, and I think we would all agree. So here we are, and Jesus acknowledged that, for example, the work around the Madrid Declaration will not become law, will not become a universally recognized standard overnight. And Kevin was referring to self-regulation as a possible ingredient in this context. So obviously, the advantage of an element of self-regulation in all this by the industry is that it requires the participation of those that are directly involved in the development of these technologies and the use of this Internet technology.
So in 30 seconds, and then we can open the discussion to the audience, but in 30 seconds, I would like to ask you quickly if you can tell me, from your point of view, what would be the ideal involvement of the Internet industry – many of the industry players are present here today. What is their ideal involvement in the protection of personal information and in the development of viable legal regime to deal with these issues?
>> ANDREAS KRISCH: Well, on one hand it’s rather easy to explain, but it’s difficult on the other hand. So the main thing is privacy by design and privacy by default. You have to think and say it as – you have to think privacy from the very beginning when you start to design any information system. You have to keep in mind how can I do this service, how can I do this, make this application in a way that it is privacy friendly? And this is in all the most cases, it is possible. You just have to think about it. And this is one of the problems that we also need to address. This is education, and education after technicians and after people who are designing the systems and who are in charge of developing this Internet of the future and all these future technologies. We have to start at education, at schools and universities and so on, to get knowledge to the people and to have it included in the design processes.
>> EDUARDO USTARAN: Thanks, Andreas. Kevin?
>> KEVIN FRASER: Yes, I think I’d agree. The Consultative Committee in their work on profiling were quite clear that they understand trying to deal with new regulation takes time. It’s not something that can be done overnight. One of the things we’ve done on the recommendation on profiling is to say to Internet developers, you know, take the principles of privacy by design and see what you can do to build in privacy right at the outset rather than waiting for regulation.
>> EDUARDO USTARAN: Thanks, Kevin. Jesus.
>> JESUS RUBI NAVARRETE: To complement this criteria that has been put forward and which I share, I believe that those developments must go hand in hand with informative policies addressed to the users. These should be simple, and they should be clear. And they should offer within that technological design which provides an implicit guarantee of privacy, it should provide them the possibility to protect themselves because our experience – and the Spanish Data Protection Authority has a lengthy history of prosecution of illegal conducts and of imposition of very strong economic sanctions, penalties. In this environment, that type of an activity, that type of actions must continue.
But what is really efficient is to allow the user to protect him or herself in a quick and efficient manner.
>> ANNETTE MUHLBERG: Three points. Privacy-enhancing technologies, sure, work on that, please. And don’t support governments in silly e-Government projects that have a tendency to centralize the data to make everything more efficient, bundle it up. Work on decentralized versions. Help the government people to understand what is the problem with centralized data. And do not forget the organizational procedures, and cooperate with workers and work councils.
>> EDUARDO USTARAN: Okay. Thank you very much. We have heard about privacy by design, education, transparency, enabling self-protection, privacy enhancement technologies. What’s the response from the industry? Is that doable in the real world? How can we do that? How can the industry contribute to that? Any questions? Any comments?
Please. If you can briefly introduce yourself, who you are, from which organization, and then make your point.
>> Well, thank you. Thank you for the associations for the very meritorious work they are carrying out. But a very simple specification. Anyone can go to the Lockheed portal and locate their access at any moment. I’ve done it from my house this morning and I’ve done it from here today, which means there has been an inventory carried out by a large institution which locates all of our accesses.
I think that – well, in addition to this, I can – I have verified that a social network facilitates for me without my doing anything contacts which are nearby, which we’re also in a municipality which is right next to the one where I live, so I know that portals and operators in Europe – or at least in Spain, where I’m very familiar with them – are totally respectful of this type of aspects. And by the way, as has been underscored in the table, they generate enormous competitive advantages, which are acknowledged in certain companies and their listing.
However, as the moderator has said before, there’s a very different rhythm. There’s a very different pattern when it comes to comparing the industry and the legislation that is meant to address it.
>> Yes, I am the special Rapporteur for the Information Society and French government. And France supports fully the efforts of the privacy commissioners towards some kind of global framework. But I would like to make a more personal reflection here. First of all to say that I’m very happy that Annette has mentioned the expression “freedom of association,” because we had a session yesterday basically on freedom of association. There is one on privacy today. The third one is freedom of association. The more we go into social media, the more you can basically assimilate mailing lists, social spaces, and social media as spaces and the capacity for people to associate and participate in there.
The second point is that when we talk about spaces, the rules for privacy change whether your space is public or whether it is private. Just like the constitutional court in Germany, as I understand, has recognized the value of email as private correspondence, if you are on a mailing list that has closed rules for participation, there probably are analogies with real-world spaces for no intrusion or no penetration without warrant or whatever, as opposed to something that you post on a blog or information that you make accessible that are public space.
In that respect, I’m wondering, in connection with what was said yesterday, whether there is not also a generational change because the notion of privacy on social media is changing towards management of intimacy. It is completely – there are two different problems. The information that is collected without your knowing and the personal data that you voluntarily put under certain rules in an environment and you expect those rules to be respected, but this evolution is in a generational manner. It is possible that the people who have been familiar with social networks very early on will have a slightly different perception of where they want to put exactly their privacy separation.
But at the same time, we are saying law cannot go as fast as technology, but at the same time, principles can be valid for much longer time. So the question we’re facing is probably less directly implementing laws and, rather, frameworks that provide an umbrella for the different actors to discuss.
And the last point, which is a direct response to the question you were asking, when you look at a social site like Facebook, with alleged 400 million people, as long as you stay on the Facebook.com domain name, you’re actually on Facebook territory, if you think about it. Wherever you are in the world. Facebook territory is regulated in terms of privacy and functions by the terms of service of Facebook. This is the first thing that you are supposed to have read and accept.
How you can influence those terms of service is very shallow. I mean, this is decided by the company at the moment. But the reality is as long as you are on the territory, this is the law of the territory.
Is there a way to turn the problem upside down and instead of trying to harmonize things that are, today, legislated on pure national territory basis to put it the other way around and look at the topology of the Internet itself and the Internet spaces and say what about having the way you define the terms of service of a Facebook space in a more multistakeholder manner? Can we have a Facebook multistakeholder forum to define the privacy terms and all the other rules that apply?
And I don’t know if the industry is willing to go in that direction. It’s a personal suggestion, but I’d be happy to have feedback.
>> EDUARDO USTARAN: Thank you. Let me take a couple of messages from both of your comments. You were referring to Facebook. Very recently, Facebook and others, particularly in the U.S., have made some inroads towards having some kind of Internet recognition in terms of their privacy standards in a regulatory way. That, to me, suggests that perhaps, if we’re not too cynical about it, some of those companies do realize that, as the gentleman here was referring to, there are competitive advantages in trying to address privacy head on.
However, my perception is that the way regulators across the world and the FTC – there isn’t anyone from the FTC here – I’m not sure if there’s anyone in the audience – but regulators across the world do not accept regulatory developments as the right way forward. I may be wrong, but I think regulators are very cautious, and civil societies are even more cautious, civil society representatives even more cautious, despite those attempts.
So from your point of view, what is the role of self-regulation to address those kind of things, very complicated issues, but those kind of things that we’ve been talking about?
In just one minute maximum, please.
>> ANDREAS KRISCH: Okay. I think the problem is that it often is not recognized that there is a problem at all, and I would like to see it also as an answer to what the audience member just said. Is the notion of privacy changing? I don’t think so because, of course, we see 400 million people engaging in Facebook and spending lots of – sharing lots of their personal information on this platform and other platforms as well.
We see people using this. We see people on lots of social networks and other services. But I don’t think that this means that they do not care about privacy or data protection.
There was a study from the Dutch Data Protection Authority, which was very interesting in this field. They made a study on if people that say I have nothing to hide; where is the problem, how do they react when they are confronted with all of the data that is available on them? And the result of the study was that they are really shocked when they see what is all out there and what is accessible to everybody and what this could mean for their personal lives if certain persons get access to it.
And so I think the point is that there is no other Facebook privacy, frankly, Facebook available. And since it’s useful and people want to interact and communicate with each other and want to enjoy the global communication and the exchange of views and all of these things that get possible with it, so they use it, and okay, so maybe they can trust them and state they will do no harm, so okay, I try it, and as long as I do not see that there is a harm that I suffer, I do it. But I don’t think that they don’t feel that there is a problem. So it doesn’t get recognized by the companies as well because it’s not expressed very well. The people are there and are using these services, and the complaints about the privacy thing are very low because people have the feeling there is nothing I can do, so I just trust them.
>> EDUARDO USTARAN: Thanks, Andreas. Very valid point. Kevin, would you like to say something?
>> KEVIN FRASER: Yes, I would. I think from the legal point of view, the Convention and others sort of set the legal framework in which sort of places data takes place.
I want to give you an analogy here from another life which I have, which is I’m a football referee in my spare time. The rules of association football set the rules in which the game of football is to be played. But actually, many football associations have recognized that actually it’s not the rules of the game that stop children from playing football; it’s the pressure that’s put on them by parents and so on and so forth.
So what the clubs have come up with is, if you like, a self-regulatory aspect, codes of conduct in which parents are expected to behave. And I think the same analogy applies in the Internet world as well, which is that we have the laws and regulations about how data processing is to be carried out, but actually, industry itself recognizes that if it’s to be competitive, it’s to respect privacy and what have you, and it’s to be a trusted place in which to engage, then actually, there’s no need for industry to come up with its own codes of conduct outside of the regulatory framework. And I think the two sit rather well together in the same way that codes of conduct sit rather well with the rules of association football.
>> EDUARDO USTARAN: Thank you very much. Jesus.
>> JESUS RUBI NAVARRETE: It’s true that self-regulation is a useful instrument, and it’s something that should be fostered because it’s quite flexible. However, self-regulation, in order to be valid, in my opinion, must comply with some prerequisites.
First of all, you run the risk of this regulation being established at the lowest possible level when it comes to fostering guarantees. You look for the lowest common denominator among everyone who is participating in self-regulating, and therefore, there should be some referential principles, for example, the ones included in the standards of the Madrid Resolution, which will guarantee an adequate level. And if this is guaranteed, self-regulation formulas must be correct or should be correct.
On the other hand, these should be self-regulatory formula with mechanisms that would truly guarantee their effectiveness.
And a brief comment about the previous intervention. It is true that sensitivity on the protection of privacy is changing, but it’s also true that we live in an environment where there’s shortcoming in initial education vis-a-vis the risks that could crop up when using 2.02 Web services. If this informative shortcoming is surpassed, then, indeed, the user should decide a level of privacy where they would like to be placed, and they should have the practical tools that will allow them to set their privacy level, probably with that tandem of more information from schools and more tools to establish privacy levels. Well, the pre-established privacy or privacy by design would be a problem that would be reduced considerably.
>> ANNETTE MUHLBERG: I was just listening to what Jesus was just saying, and I fully support what he said, but if you want to have a user that should be able to choose a certain level of privacy, I think we really have to discuss the issue of choice.
If there is no alternative to Facebook, a kid or even an adult – I’m on Facebook because I do not have another choice, and actually, I do it for work reasons, which is really a disaster because I don’t want to be on Facebook, but I have to do it because work, you know – I’m not ordered to do it. I cannot blame my boss to say, oh, you know – but if I don’t do it, I’m out of contact of all these things, and I don’t know what’s going on at work.
So it’s a real problem. And I do not have a realistic choice, and there is no alternative Facebook that has high privacy standards. That’s one thing. And then there is the issue of, oh, you agree. My God, if I don’t – if I cannot enter it without agreeing – of course I agree. I sign anything. I don’t even know what I’m signing because it’s in a foreign language, and it’s in this little window somewhere, you know, you have to – even a young person has to have glasses to see this text somewhere in there. So this is the other thing.
But then there is a third version that says, okay, you have a choice, but here is the one you don’t have to pay money. This is, for example, these loyalty cards. I mean, first, now people start to understand that the loyalty cards are – that it’s a data exchange program. A few years ago, they had no clue about this. But now, step by step, they understand this. But what do you do when a family enters a shop and you have – you don’t have much money and you can save money, realistically save money, by using these loyalty cards, meaning that you give your data away? Then you also do not have much choice if you don’t have money.
So I think there also has to be realistic choice here.
>> EDUARDO USTARAN: Thank you. Thank you. Quite a few challenges for the industry to consider. I think we could go on forever, but unfortunately, it’s time to wrap up. In order to do that, we have our special Rapporteur, Katitza Rodriguez of the Electronic Frontier Foundation. I don’t know, Katitza, if you want to make a comment before wrapping up, please proceed to make your comment, then it would be helpful if you could wrap up, give the final minutes to the speakers.
>> KATITZA RODRIGUEZ: I just want to say that in cases like we hear about Facebook and the change of privacy policy last week, we need to have another alternative, and users should be able to easily and effectively take data in bulk away from that social network and be able to move it to a different one that provide privacy protections that work freely.
So this is not a privacy itself, but it’s linked in a way we need data portability, and that is important. That’s all.
>> EDUARDO USTARAN: Okay.
>> KATITZA RODRIGUEZ: Okay. So now –
>> EDUARDO USTARAN: Please. In your role as Rapporteur, what are your views?
>> KATITZA RODRIGUEZ: Well, I will just make a few comments of what was said right now. It was said that privacy and data protection are taking an increasingly important place on both national and international agendas, whether social networks, search engines, the protection of children, collection of biometric data as a way of asserting identity, cloud computing and the international exchange of personal data for online transactions.
There were mentions of risk, mentioned, for example, of retention and how it treats the human rights of freedom of association to form and join trade union. It was mentioned also ways to – some solutions were provided. We need global privacy standards to enable the development of human right for future technologies. It was mentioned privacy by design and by default needs to be fundamental design principles for future technologies and applications. Data protection education needs to be included in our education systems to enable everybody to participate in the Information Society.
Data protection authorities to ensure proper protection. There was mention of standards for legally binding instruments with a flexible follow-up mechanism already in place. Adoption of this binding instrument not only engages the right of that subject but also strengthens International cooperation between data protection and – and engages the ability of organizations to do business around the world.
It was said that the Council of Europe was very interested to promote standards and collaborative work. It was also mentioned the authorities from more than 50 countries from all over the world adopted the Resolution of Madrid, a proposal for international standards. A need to harmonize values, regimes of protection of privacy existing in different geographical areas, providing a regulatory model that would guarantee a high level of protection and that simultaneously can be adopted by any country with a minimum adoption necessary to particular legal, social, and economic culture.
It was said that a standard like this could avoid issues in the Internet, and even if there are principles, especially privacy by design, should be – are implemented in the protection, they could contribute to better protection and to easier and more efficient observance by industry.
It was said also about privacy and infrastructure at work and the need to take co-decision making between work councils and employers regarding the introduction of technology that can be used for surveillance.
There was a discussion about fostering a technology framework that provides an umbrella and the importance of the role of self-regulation. It was also said that self-regulation to implement a minimum level of data protection, but it would be good if those self-regulations are based at least on minimum standards like the Madrid – higher standards or accurate level of protection like the Madrid Resolution.
Finally, I was saying about the importance of data portability and to take your data from one service provider when they don’t give you good privacy protection. Thank you.
>> EDUARDO USTARAN: Thank you. Thank you very much for your summary, Katitza. So closing remarks or closing statements from our panelists, again, in one minute, final point, the things that we need to remember. Please, Andreas.
>> ANDREAS KRISCH: Thank you. So I think the important things that need to be done are, on one hand, working on the standardization, getting the same level of protection, if possible, everywhere, with having privacy by design, privacy as the default in any application, and we also have to consider advancing what European Union currently is doing to think about the rights of assignment of chips so everybody can have the right to disconnect from these systems and enjoy private life.
And the Madrid Civil Society Declaration that I mentioned, there is also in there that we urge countries to join, of course, the COE Convention 108 and to become part of and support this, and the important thing also is to have data protection in our education systems, and here I want to introduce one of our – the result of one of our latest projects. We made a project on data protection situations in various countries in Europe, and while doing this, we developed a comic book aiming at young adults and informing them about privacy risks. And if you are interested in it, I think there are still a few copies out there on the tables, and if you are interested to have it in your own language, we have the possibility to do translations, but we need funding for that, so if you can support us with that, it would be most welcome.
Thank you.
>> EDUARDO USTARAN: Thanks, Andreas. Kevin.
>> KEVIN FRASER: I shall be even quicker. On behalf of the Consultative Committee, I would encourage non-Member States to accede to the Convention, and to you in the audience, I make a special plea to accede to the council when we make various recommendations.
>> EDUARDO USTARAN: Excellent. Jesus.
>> JESUS RUBI NAVARRETE: I think that we have a two-pronged challenge. Data protection authorities should foster flexible guarantee systems which are adaptable to the development of services, but the industry also faces very important challenges. It must evaluate the impact on privacy of the services that it draws out, and it should also evaluate those – the desirability of giving users the right to manage their options and to make use of their options when it comes to privacy.
>> EDUARDO USTARAN: Annette.
>> ANNETTE MUHLBERG: A lot has been said. I would just finally say please, if you develop technology, think of those who use it, if they are users in their leisure time or if they are users at work, and do think about organizational procedures, and do work together with work councils and trade unions. Thank you.
>> EDUARDO USTARAN: I think it’s very, very difficult to find real solutions, concrete solutions, to all these challenges in 75 minutes, but at least I think we have had a good opportunity to hear concerns, some very valid concerns, but also to hear and explore some of the possible approaches to these issues, and global standards to – clearly have to be the way forward to a global challenge.
I hope this has given all of you some food for thought, things to go back to your offices, think about, see how you can implement all these points, and I think it’s time to get on with the rest of the day, the rest of the conference. We have some exciting sessions ahead, so I just wanted to finish up by thanking the panel. Many thanks to all of you for your participation. To the audience and those who have contributed, thank you.
(Applause)