AmI

1
AmI The European Perspective on Data Protection
Legislation and Privacy Policies

• SWAMI-Workshop
• 21st and 22nd of March 2006 in Brussels
• Dr. Martin Meints,
• Henry Krasemann, both ICPP

2
Agenda

• Legal Grounds
• European Charta
• Data Protection Directive (95/46/EC)
• Directive on Privacy and Electronic Communication
  (2002/58/EC)
• Data Retention Directive
• Suggestions for the Application of Privacy
  Policies
• Suggestions of the Article 29 Working Party
• Technical approaches within the PRIME Project
• Conclusions

3
Legal Grounds

• European Charta
• Applies, but concerning data protection not very
  specific
• Data Protection Directive (95/46/EC)
• Applies except for (see Recital 13)
• Public security
• State defence
• State security
• Criminal law
• States fundamental principals that are highly
  relevant for AmI such as
• Data minimisation principle (Art. 6)
• Purpose binding principle (Art. 6)
• Transparency of processes (Art. 6)
• Consent of the data subject for data processing
  (Art. 7)
• Information of the data subject (Art. 10 and 11)
• The data subjects right to object (Art. 14)

4
Legal Grounds (cont.)

• Directive on Privacy of Electronic Communication
  (2002/58/EC)
• Exceptions for applications are the same as for
  the Data Protection Directive (95/46/EC)
• States in addition concerning location and
  traffic data
• Information on traffic data (Art. 6)
• Information of the data subject with respect to
  location data (Art. 9)
• Consent prior to processing and transfer of
  location data needed (Art. 9)
• Consent can be withdrawn at any time (Art. 9)
• Where consent of user has been obtained (Art. 9)
• Possibility of temporarily refusing the
  processing
• For each connection to the network or
• For each transmission of a communication
• Using a simple means / free of charge

5
Legal Grounds (cont.)

• Data Retention Directive (2006/../EC not finally
  defined)
• Data has to be saved by the telecommunication
  provider for at least 6 months
• Concerning telephone or mobile phone
• Originating and targeting phone number, name and
  address of the user of the phone or mobile phone
  (including IMSI, IMEI, Cell-ID)
• Date and time
• Services used
• Concerning the internet and VoIP
• Originating and targeting user ID, phone number,
  name and address and IP address of the user
• Date, time, time zone, for login and logout
• Services used
• See http//register.consilium.eu.int/pdf/de/05/st0
  3/st03677-re10.de05.pdf
• Economic aspects in the context of AmI unclear

6
Suggestions Article 29 Data Protection Working
Party

• Aims
• Easier compliance
• Improved awareness on data protection rights and
  responsibilities
• Enhanced quality of information on data
  protection
• Support for the concept of a multi-layered format
  for data subject notices
• Improve the quality of information on data
  protection received
• Focusing each layer on the information that the
  individual needs to understand their position and
  make decisions
• Where communication space/time is limited,
  multi-layered formats can improve the readability
  of notices

7
Information to be given

• Essential information that should be provided in
  all circumstances where data subject does not
  have this information already which includes the
  identity of the data controller and of his
  representative, if any, as well as the purpose of
  the data processing
• Further information which should be provided if
  it is necessary to guarantee fair processing
  having regard to the specific circumstances in
  which the data are collected
• Information which is nationally required and goes
  beyond the Directives requirements
• Name or address of the data protection
  commissioner
• Details of the database
• Reference to local laws

8
Layer 1Short Notice

• Core information required under Article 10 of the
  Directive
• Identity of the controller
• Purposes of processing
• Any additional information which in view of the
  particular circumstances of the case must be
  provided beforehand to ensure a fair processing
• A clear indication must be given as to how the
  individual can access additional information

9
Layer 1Example
10
Layer 2Condensed Notice

• All relevant information required under the
  Directive
• The name of the company
• The purpose of the data processing
• The recipients or categories of recipients of the
  data
• Whether replies to the questions are obligatory
  or voluntary, as well as the possible
  consequences of failure to reply
• The possibility of transfer to third parties
• The right to access, to rectify and oppose
• Choices available to the individual
• Contact for questions and information on redress
  mechanisms
• Available on-line as well as in hard copy via
  written or phone request
• Present this notice in a table format that allows
  for ease of comparison

11
Layer 2Example 1
12
Layer 2Example 2
13
Layer 3Full Notice

• Include all national legal requirements and
  specificities
• It may be possible to include a full privacy
  statement with possible additional links to
  national contact information.

14
Research in the PRIME Project

• Traditional approach (state-of-the art) Stating
  of privacy policies (P3P)
• Automated protocols for policy negotiation
• See http//www.prime-project.eu.org/public/prime_p
  roducts/PRIME-White-Paper-V1.pdf
• Use of policies sticking to personal data (sticky
  policies)
• Policies have to be acknowledged to decrypt
  personal data
• Policies have to be acknowledged to use personal
  data
• Current concepts include trusted third parties
• See http//www.prime-project.eu.org/public/prime_p
  roducts/deliverables/arch/pub_del_D14.2.a_ec_wp14.
  2_V5_final.pdf

15
Additional Aspects

• Privacy once lost cannot be restored easily (or
  not at all!)
• Feedback system is very indirect
• Balancing privacy and security (crime prevention
  etc.) is necessary
• What privacy price we are willing to pay for
  what level of perceived or effective security?
• Operative aspects
• How to achieve a convenient and effective consent
  for data processing in AmI environments?
  Implicit consent?

16
Conclusions

• Limitations
• Challenges multilateral security and improved
  attacker models
• Interactive versus non-interactive (passive)
  authentication (policies?)
• What about international AmI providers and
  legislation?
• Possibility to enforce privacy protection
  technically is limited today and in future
• Trends
• AmI RFID biometrics data mining etc.
• Technical maturity, security and data protection?
• Increased complexity
• Future developments in PETs?
• Data protection from the economic perspective
  USP vs. compliance vs. violation

17
Thank you for your attention! Dr. Martin
Meints, ICPP
18
Directive 95/46/EC of 24 October 1995

• Definition of the data subjects consent
  shall mean any freely given specific and
  informed indication of his wishes by which the
  data subject signifies his agreement to personal
  data relating to him being processed (Art. 2 h).

19
Article 6

• Member States shall provide that personal data
  must be (a) processed fairly and lawfully
• Recital No. 38 of the Directive, if the
  processing of data is to be fair, the data
  subject must be in a position to learn of the
  existence of a processing operation and, where
  data are collected from him, must be given
  accurate and full information, bearing in mind
  the circumstances of the collection....

20
Art. 10Information in cases of collection of
data from the data subject

• Member States shall provide that the controller
  or his representative must provide a data subject
  from whom data relating to himself are collected
  with at least the following information, except
  where he already has it
• (a) the identity of the controller and of his
  representative, if any
• (b) the purposes of the processing for which the
  data are intended
• (c) any further information such as
• the recipients or categories of recipients of the
  data,
• whether replies to the questions are obligatory
  or voluntary, as well as the possible
  consequences of failure to reply,
• the existence of the right of access to and the
  right to rectify the data concerning him
• in so far as such further information is
  necessary, having regard to the specific
  circumstances in which the data are collected, to
  guarantee fair processing in respect of the data
  subject.

21
Article 11Information where the data have not
been obtained from the data subject

• 1. Where the data have not been obtained from the
  data subject, Member States shall provide that
  the controller or his representative must at the
  time of undertaking the recording of personal
  data or if a disclosure to a third party is
  envisaged, no later than the time when the data
  are first disclosed provide the data subject with
  at least the following information, except where
  he already has it
• (a) the identity of the controller and of his
  representative, if any
• (b) the purposes of the processing
• (c) any further information such as
• the categories of data concerned,
• the recipients or categories of recipients,
• the existence of the right of access to and the
  right to rectify the data concerning him
• in so far as such further information is
  necessary, having regard to the specific
  circumstances in which the data are processed, to
  guarantee fair processing in respect of the data
  subject.
• 2. Paragraph 1 shall not apply where, in
  particular for processing for statistical
  purposes or for the purposes of historical or
  scientific research, the provision of such
  information proves impossible or would involve a
  disproportionate effort or if recording or
  disclosure is expressly laid down by law. In
  these cases Member States shall provide
  appropriate safeguards.

22
Article 14The data subjects right to object

• Member States shall grant the data subject the
  right
• (a) at least in the cases referred to in Article
  7 (e) and (f), to object at any time on
  compelling legitimate grounds relating to his
  particular situation to the processing of data
  relating to him, save where otherwise provided by
  national legislation. Where there is a justified
  objection, the processing instigated by the
  controller may no longer involve those data
• (b) to object, on request and free of charge, to
  the processing of personal data relating to him
  which the controller anticipates being processed
  for the purposes of direct marketing, or to be
  informed before personal data are disclosed for
  the first time to third parties or used on their
  behalf for the purposes of direct marketing, and
  to be expressly offered the right to object free
  of charge to such disclosures or uses.
• Member States shall take the necessary measures
  to ensure that data subjects are aware of the
  existence of the right referred to in the first
  subparagraph of (b).

23
Directive 2002/58/EC Directive on privacy and
electronic communications

• Article 6 par. 4 (traffic data) The service
  provider must inform the subscriber or user of
  the types of traffic data which are processed and
  of the duration of such processing for the
  purposes mentioned in paragraph 2 (purpose of
  billing) and, prior to obtaining consent, for the
  purposes mentioned in paragraph 3 (purpose of
  marketing).

24
Art. 9 Directive 2002/58/EG LBS

• Location data other than traffic data relating
  to users
• Only processed when
• Made anonymous or
• Consent of the users (to the extent / for the
  duration necessary for the provision)
• Service Provider must inform the users prior to
  obtaining consent about
• Type of location data
• Purposes
• Duration of the processing
• Whether the data will be transmitted to a third
  party
• Possibility to withdraw the consent at any time

25
Art. 9 Directive 2002/58/EG LBS

• Where consent of user has been obtained
• Possibility of temporarily refusing the
  processing
• For each connection to the network or
• For each transmission of a communication
• Using a simple means / free of charge