On July 6, Dr. Paolo Balboni participated in Cloud Security: una sfida per il futuro in Rome, Italy. He discussed the legal issues and opportunities associated with cloud computing for Public Administrations and Government at large. He explained the important components of cloud computing service agreements. Dr. Balboni also discussed the recently published guidelines on cloud computing issued by the Italian Data Protection Authority.
On 30 June 2011, at the Brussels premises of Neth-ER, EPA fellow Davide M. Parrilli, attended an expert panel discussion about the relationship between privacy and internet innovation. The occasion was the presentation of the preliminary results of a study for the European Parliament by Rand Europe and TNO. Mr. Parrilli provided the following blog post about the event and his observations:
There is an unanimous consensus that privacy cannot be neglected when talking about internet innovation, but also that privacy plays a pivotal role in stimulating innovation with respect to citizens’ rights. Privacy may be perceived from several perspectives, ranging from privacy as the ‘right to be let alone’ to spatial privacy. Innovation undoubtedly has an impact on privacy: such an impact can be perceived to be positive (for instance, in the case of blind authentication technologies or privacy friendly searches) or negative (for instance, in the case of Cloud computing).
A multi-level approach allows us to assess to what extent innovation respects users’ privacy and how innovation can be fully compliant with the expectations of users under the privacy perspective, taking into account market and system failures. Examples of the former are imperfect and asymmetric information and market dominance, while failures in infrastructural investments and lock-in/path dependency failures are examples of the latter.
It is curious to highlight that Cloud computing and law enforcement agencies and practices are also considered as system failures, since many governments do not trust Cloud computing yet and the interaction between the different national data protection authorities is perceived not to be sufficient.
These assumptions are in my opinion only partially true. Cloud computing may not be completely secure yet, but one must consider that (I) complete and absolute security does not exist in practice, that (II) not all Clouds infrastructures have the same (low or high) level of security, and finally that (III) judging Cloud computing as a system failure does not take into account that the Cloud may (and surely will) evolve and become more and more secure.
In regards to the interaction between the different national data protection authorities, at European level there is a framework for cooperation, and furthermore the Privacy Directive sets rules (that can be improved, but that are quite clear) to assess the national law that is applicable and the national data protection authority that is competent, so that considering law enforcement agencies as system failures is not fully justified.
Rand Europe and TNO’s study, that from the legal perspective is focused on the applicable regulatory framework ranging from the Data Protection Directive to the European Charter of Fundamental Rights, takes into consideration five case-studies (Cloud computing, behavioral targeting, location based services, RFID and biometrics) indicating the most relevant tensions and approaches/solutions to make these technologies compliant with the privacy requirements.
The most relevant considerations arising out of the study are that privacy enforcement needs to be stronger, but that this is quite difficult due to harmonization problems among countries. Furthermore privacy innovation is limited and business practices are more oriented towards data collection and use, and privacy is only secondary to business models. As corollary to this assumption, the study indicates that companies with inherently privacy friendly approaches have modest market shares and are not very visible to the public at large.
The debate among the participants revealed that there was no general consensus regarding these statements, but everybody agreed that technology and market innovation raise privacy issues and that business models must take into serious consideration the end-use perspective about privacy.
Nevertheless there are still several questions to ponder – the most relevant concern whether changes in privacy increase or decrease societal trusts and whether privacy and innovation can be linked in a virtuous cycle.
The discussion needs to be continued in other forums, including regulatory forums. Innovation and privacy cannot be neglected, since they concern economic growth and the respect of citizens’ rights – topics to be taken very seriously.
The United States, Australia and Canada require EU airlines to share passenger data on international flights – referred to as Passenger Name Record (PNR) – for individuals traveling to and from Europe. This information is then analyzed and used for counter-terrorism activities.
Protecting citizens from terrorism is a top priority, and I commend the dedication of our international authorities to work together on policies to combat serious crimes and terrorism. This important effort requires effective collaboration on both sides of the Atlantic.
At the same time, privacy considerations cannot be set aside in this pursuit. Europe and its counterparts should proceed in a manner that also upholds privacy standards. A proposal such as PNR raises eyebrows with the collection and storage of personal data. As a result, it absolutely must be executed in a way that does not infringe upon an individual’s fundamental right to privacy. These two important components can conflict with one another at times, but that creates further incentive to work harder and find a way to balance them appropriately.
For now, Europe needs to be cautious on PNR. The Guardian recently released a confidential draft between the U.S. and EU stating that passenger data would be stored for up to 15 years. European Commission lawyers deemed it “not compatible with fundamental rights.” This draft is cause for reflection. Has this agreement proven to have any effect? What will retaining data for a longer period of time accomplish? How often will this be evaluated to ensure it is achieving the goal? These are questions that all sides, including the national governments and parliaments in each Member State, must consider.
As negotiations on PNR move forward, I am hopeful both sides will find common ground on a system that will protect us from terrorism while at the same time respecting our fundamental right to privacy.
Yes, according to Europe’s Data Protection Supervisor Peter Hustinx, who declared that the Data Retention Directive, passed in 2006 in response to terrorist attacks in Madrid and London, does not adequately meet privacy and data protection standards. The Directive requires Internet Service Providers to store users’ traffic and location data for a minimum of six months for European law enforcement authorities.
After analyzing the European Commission’s recent evaluation report bringing to light considerable issues associated with the Directive, Mr. Hustinx concluded that the Directive fails to comply with privacy and data protection considerations because, among other reasons, “data retention could have been regulated in a less privacy-intrusive way.“ Mr. Hustinx continued, “[t]he quantitative and qualitative information provided by the Member States is not sufficient to draw a positive conclusion on the need for data retention as it has been developed in the Directive.”
Moreover, the opinion also touched on the lack of harmonisation, which was described as the Directive’s “main purpose” and that “such a lack of harmonisation is detrimental to all parties involved: citizens, business operators as well as law enforcement authorities.”
As already expressed in several circumstances, EPA is concerned about the merits of several provisions in the Directive – particularly the issues outlined by Mr. Hustinx. We fully understand fighting crime and terrorism are top priorities. However, that does not mean the government can disregard a person’s fundamental right to privacy. Laws in Europe and Member States must strike a balance between protecting citizens and respecting personal lives. The situation in Greece is also concerning, where lawmakers transposed the Directive into their national legislation but included a requirement for data to be stored only within Greece. This presents considerable challenges to harmonization, as was discussed in the opinion.
Peter Hustinx is not the first individual to voice serious concerns about the Directive, but his opinion is loud and clear. Hopefully the Commission will listen to Mr. Hustinx’s advice, which is to investigate whether the Directive is necessary or if a more targeted measure is appropriate.
The European Commission’s inaugural Digital Agenda Assembly in Brussels last week gathered hundreds of attendees – both in person and online – for a two-day conference packed with speeches, panel debates and workshops to discuss Europe’s role in the digital world. European Commission Vice-President responsible for the Digital Agenda Neelie Kroes delivered a “State of the Digital Union” and was joined by Robert Madelin, European Commission, Director-General for the Information Society and Media, Zsolt Nyitrai, Minister of State for Infocommunications in Hungary, and many Members of the European Parliament.
Dr. Balboni participated as a speaker in the workshop, Building confidence for the digital single market, which highlighted trustmarks, price comparison websites and online dispute resolution (ODR) as potential ways to help foster e-consumers’ trust and confidence in e-commerce. Consensus existed among attendees that trustmarks could play a significant role in reassuring e-consumers and also responsibly growing European e-commerce. Dr. Balboni discussed the merits behind the European Union establishing an accreditation system for Trustmarks Organisations (TMO) in order to promote trustworthy trustmark schemes. As written in his book “Trustmarks in e-commerce: the Value of Web Seals and the Liability of their Providers,” Dr. Balboni explained that a TMO service quality should be measured on the basis of: 1. TMO independency; 2. Impartiality in the auditing procedure; 3. Security of trustmarks; 4. Active monitoring of the certificate owner practice; 5. TMO enforcement power; and 6.TMO accountability.
Moreover, Dr. Balboni observed that these mechanisms – trustmarks, price-comparison websites and online dispute resolution – would be most effective if not developed independently, but combined in coordination with the European Union. For example, a European Online Platform where European enterprises could find information on how to set up an online business in accordance with EU laws; available European trustmarks schemes, as well as online dispute resolution and prize comparison initiatives. In this way, the EU could also help online enterprises to better compete in the global online market.
The presentations from the workshop, including Dr. Balboni’s, are available on workshop’s website.
