Concept for deliverable on privacy issues on pan-European White Pages service
3rd TF-LSD Meeting, Antalya, 13.5.2001
Peter Gietz, Peter.gietz@DAASI.de

Slide 1: Concept for deliverable on privacy issues on pan-European White Pages service
3rd TF-LSD Meeting, Antalya, 13.5.2001
Peter Gietz, Peter.gietz@DAASI.de

Slide 2: Agenda
• Preliminary remarks
• European privacy legislation
• Other texts on the matter
• Privacy issues of the CIP WPS
• Organizational and technical solutions

Slide 3: Personal Statement
Privacy legislation is
• not a bug, it's a feature
• not a burden but a good thing
• It is not the technical possibilities that count but the feasibility of these possibilities

Slide 4: Features of the discussion
• The privacy discussion is focused more on e-commerce than on directories
• Legislation applies more readily to data servers than to indexing systems

Slide 5: International Issue
• A European solution is only half the way to go
• Worldwide regulations exist (OECD, UN)
• 40 countries around the world have enacted, or are preparing to enact, privacy legislation, e.g. Switzerland, Hungary, Canada, Australia, Hong Kong, Taiwan, Japan, Malaysia, South Korea
• "The US has isolated itself from the rest of the world" (EPIC)
• The US only has privacy legislation for federal authorities
• Possible solution: "Safe Harbor"

Slide 6: Safe Harbor
• Organized by the US Department of Commerce
• Catalogue of adequate processing rules for data from Europe
• Companies can proclaim their commitment
• www.export.gov/safeharbor

Slide 7: Codes of Conduct
• Self-defined rules to comply with EU regulations
• One for customer data and one for employee data
• Privacy statements: formalizable, see the P3P initiative of the W3 Consortium

Slide 8: OECD Regulations
• OECD Recommendation concerning and Guidelines governing the protection of privacy and transborder flows of personal data, O.E.C.D. Document C(80)58(Final), October 1, 1980
• http://www.rewi.hu-berlin.de/Datenschutz/International/1980_oecd_privacy_guidelines.txt
• Promotes self-regulatory measures

Slide 9: United Nations Regulation
• Guidelines concerning computerized personal data files, adopted by the General Assembly on 14 December 1990
• http://www.datenschutz-berlin.de/recht/int/uno/gl_pbden.htm

Slide 10: 1995 Directive
• Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data (95/46, October 1995)
• http://www.privacy.org/pi/intl_orgs/ec/eudp.html
• Preamble:
  • Data-processing systems are designed to serve man
  • Data should be able to flow freely
  • But: they must respect the fundamental freedoms and rights

Slide 11: Article 1: Object of the directive
• Member states shall protect the right to privacy with respect to the processing of personal data
• but shall not restrict or prohibit the free flow of information between member states

Slide 12: Article 2: Definitions
(the arrow gives the corresponding element of the White Pages service)
• "personal data": any information relating to an identifiable natural person (called "data subject") → White Pages data
• "processing": (whether or not automated) collection, storage, retrieval, dissemination, erasure etc. → storage, update, replication and retrieval
• "personal data filing system": structured set of personal data which are accessible according to specific criteria, whether centralized or decentralised, ... → Directory Service

Slide 13: Definitions contd.
• "controller": natural or legal person, public authority, agency that determines the purpose and means of the processing → designer of the Directory service
• "processor": natural or legal person, etc. which processes personal data on behalf of the controller → data manager
• "third party": natural or legal person, etc. other than the data subject, the controller or the processor, or the person who is authorized to process the data → all others

Slide 14: Definitions contd.
• "recipient": natural or legal person, etc. to whom data are disclosed, whether a third party or not, but not inquiring authorities → Directory service user
• "the data subject's consent": any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed → ?? See below

Slide 15: Article 3: Scope
• Processing of data wholly or partly by automatic means, and non-automatic processing if part of a filing system
• But not in cases of public security, defence, State security and activities of the State in areas of criminal law
• And not if done by a natural person in the course of a purely personal or household activity

Slide 16: Article 6: Principles
• Fairly and lawfully
• Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes
• Historical, statistical or scientific purposes are not considered incompatible
• Adequate, relevant and not excessive
• Accurate and up to date
• Kept in identifiable form no longer than necessary

Slide 17: Article 7: Criteria
Processing is legitimate if
• the data subject has consented, or
• it is necessary for the performance of a contract to which the data subject is party, or
• it is necessary for compliance with a legal obligation of the controller, or
• it is necessary to protect the vital interests of the data subject, or
• it is necessary to perform a task carried out in the public interest ..., or
• it is necessary for the purposes of the legitimate interests of the controller or recipient, except where these are overridden by the interests or fundamental rights of the data subject

Slide 18: Article 10/11: Information
The controller has to inform the data subject about:
• the identity of the controller
• the purpose of the processing
• the recipients of the data
• the existence of the right of access to and the right to rectify the data
• Article 10 applies where the controller obtains the data from the data subject, Article 11 where the data are obtained otherwise

Slide 19: Article 12: Right of Access
The data subject has the right to obtain from the controller:
• without constraint, at reasonable intervals and without excessive delay
• confirmation whether or not data about him are processed, for what purpose, which data categories and recipients
• the form and logic of the processing
• rectification, erasure or blocking of data
• notification of recipients about rectification etc., unless this proves impossible or involves disproportionate effort

Slide 20: Article 14: Right to object
The data subject has the right
• to object to the processing
• on compelling legitimate grounds
• especially if data are to be used for direct marketing

Slide 21: Article 17: Security
The controller must implement measures to protect personal data against:
• accidental or unlawful destruction or loss
• unauthorized alteration, disclosure or access
• especially when the processing involves transmission over a network
• appropriate to the risks
• The processor must be governed by a contract or legal act binding in writing or in an equivalent form

Slide 22: Article 25: Transfer to third countries - Principles
• The third country must ensure an adequate level of protection
• Member states shall take the measures necessary to prevent transfer to a country that does not
• The Commission shall enter into negotiations with a view to remedying the situation
• Member states shall take the necessary measures to comply with the Commission's decision

Slide 23: Article 26: Transfer to third countries - Derogations
Transmission to countries with inadequate privacy legislation may take place if:
• the data subject has given his consent, or
• it is necessary for the performance of a contract between the data subject and the controller, or
• it is necessary for a contract between the controller and a third party in the interest of the data subject, or
• it is necessary on important public interest grounds, or

Slide 24: Derogations contd.
• it is necessary to protect the vital interests of the data subject, or
• the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case

Slide 25: Article 29: Working Party
• "A Working Party on the protection of individuals with regard to the processing of personal data is hereby set up."
• WG with chair, secretary and rules of procedure
• Independent advisory status
• Gives opinions on the level of protection in the Community and in third countries

Slide 26: Working Party
Has composed a number of documents on the transfer of personal data to third countries:
• Defining what constitutes adequate protection
• Possible ways forward in assessing adequacy
• On the processing of personal data on the Internet
• Recommendation 1/99 on invisible and automatic processing of personal data on the Internet performed by software and hardware
• ...

Slide 27: 1997 Directive
• Directive concerning the processing of personal data and the protection of privacy in the telecommunications sector (97/66/EC, 15 December 1997)
• http://europa.eu.int/ISPO/infosoc/telecompolicy/en/9766en.pdf
• Enhancement of the 1995 directive for the telecommunications sector, especially ISDN and mobile networks

Slide 28: Article 2: Definitions
• "subscriber": any natural or legal person that is party to a contract with the provider of a publicly available telecommunications service
• "user": any natural person using such a service for private or business purposes, without necessarily having subscribed to it

Slide 29: Definitions contd.
• "public telecommunications network": transmission systems and switching equipment and other resources which are used in whole or in part for the provision of publicly available telecommunications services
• "telecommunications service": a service that consists wholly or partly in the transmission and routing of signals on telecommunications networks, with the exception of radio and TV broadcasting

Slide 30: Article 11: Directories
• Personal data contained in printed or electronic directories of subscribers available to the public should be limited to what is necessary to identify a particular subscriber, unless the subscriber has given his consent to the publication of additional personal data.

Slide 31: Other European texts
• COM(99) 337 final: Proposal for a regulation of the European Parliament for the protection of natural persons with regard to the processing of personal data by the institutions and bodies of the Community and on the free movement of such data, 1999
• Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, Council of Europe, European Treaty Series No. 108, signed January 28, 1981

Slide 32: Other valuable texts
• SURFnet: Privacy aspects of directory services – Directory Services and the changes in privacy legislation – new boundaries for a new paradise [no date, but seems quite new]
• Arbeitskreis "Technische und organisatorische Datenschutzfragen": Datenschutzrechtliche Aspekte beim Einsatz von Verzeichnisdiensten [Privacy legislation aspects of using directory services], 26.10.2000

Slide 33: Other valuable texts
• Catherine Treca (CNRS/UREC), Erik Huizer (SURFnet): An overview of international privacy issues concerning the provision of Directory Services (draft sent to the IETF ids WG, 21.7.1994 [sic])
• Work of the RARE WG on Networked Application Services and the IETF ids WG
• Who knows what came out of this?

Slide 34: Other texts
• RFC 1355: J. Curran (NNSC), A. Marine (SRI): Privacy and accuracy issues in Network Information Center databases, August 1992

Slide 35: Privacy Issues
• Controller and processor are the maintainers of the actual data server
• Do the maintainers of the index service have the same legal obligations towards the data subject?
• If not all data subjects have consented to transmission to countries with inadequate legislation, transmission to those countries has to be prevented

Slide 36: Solutions
Thanks to SURFnet

Slide 37: Organizational Solutions
• Define and stick to the purpose of the service
• Appoint a data protection officer
• Define who is the controller and who is the processor
• Define and restrict the population of data subjects
• Define procedures for how the data are gathered and processed
• Inform the data subjects, e.g. via e-mail, about:
  • who collected the data
  • what data
  • for what purpose
  • the rights of the data subject

Slide 38: Organizational Solutions contd.
• Define a procedure for informing the data subjects about their rights and about data updates
• Define how data subjects can exercise their rights (e.g. via signed e-mail or a web form)
• Better: obtain the user's consent when he applies for a user account
• Only collect the minimum set of data attributes
• Publish and disseminate all organizational definitions in a policy text

Slide 39: Technical Solutions
• Establish adequate security against loss, damage and unlawful access to or manipulation of the data
• Restrict the maximum number of retrievable entries
• Disallow wildcards
• Restrict the number of searchable attributes
• Detect robots and refuse them service
• Restrict access to users from countries with adequate privacy legislation
• Disallow access from proxies

Slide 40: Technical Solutions contd.
• Encrypt index objects while in transit on the net
• Define crawler policies
• Only let registered crawlers access the data
• Enforce digital signatures for the e-mail consent of the data subjects
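The following Python module is an added example and is not code from the slides, from SURFnet or from the TF-LSD deliverable. It shows how three of the measures on slides 39 and 40 (no wildcards, a restricted set of searchable attributes, a cap on retrievable entries) can be enforced in a front-end that sits between White Pages clients and the directory server. The policy values SEARCHABLE_ATTRS and MAX_ENTRIES, and the function names, are assumptions for the example; the filter syntax handled is the RFC 4515 subset that White Pages clients normally use.

```python
"""Request guard for an LDAP-based White Pages front-end.

Added example (not from the TF-LSD slides). Before a search is forwarded
to the directory server it enforces: no wildcard filters (substring or
presence matches), an allow-list of searchable attributes, and a hard
cap on the number of retrievable entries. SEARCHABLE_ATTRS and
MAX_ENTRIES are assumed policy values.
"""
from dataclasses import dataclass
from typing import List

SEARCHABLE_ATTRS = {"cn", "sn", "mail"}  # assumed policy: the only searchable attributes
MAX_ENTRIES = 50                         # assumed policy: cap on entries per search


@dataclass
class Item:
    """One attribute/value leaf of a search filter."""
    attr: str
    value: str  # raw assertion value; '*' marks a substring or presence match

    @property
    def wildcard(self) -> bool:
        return "*" in self.value


def parse_filter(text: str) -> List[Item]:
    """Parse an RFC 4515 filter (leaves plus &, |, ! composites) into its leaf items.

    Raises ValueError on malformed input; the guard refuses such requests
    instead of forwarding unknown syntax to the server.
    """
    pos = 0
    items: List[Item] = []

    def parse_node() -> None:
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos < len(text) and text[pos] in "&|!":
            pos += 1
            operands = 0
            while pos < len(text) and text[pos] == "(":
                parse_node()
                operands += 1
            if operands == 0:
                raise ValueError("composite filter without operands")
        else:
            end = text.find(")", pos)  # a literal ')' in a value must be escaped as \29
            if end == -1:
                raise ValueError("unterminated filter item")
            body = text[pos:end]
            if "=" not in body:
                raise ValueError(f"no '=' in filter item {body!r}")
            attr, value = body.split("=", 1)
            attr = attr.rstrip("~<>:").strip().lower()  # drop ~=, >=, <=, := markers
            if not attr:
                raise ValueError("empty attribute name")
            items.append(Item(attr, value))
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1

    parse_node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return items


@dataclass
class Decision:
    allowed: bool
    reason: str
    size_limit: int  # size limit to issue to the back-end if allowed, else 0


def check_search(filter_text: str, requested_size: int) -> Decision:
    """Apply the policy to one search request.

    requested_size follows LDAP semantics: 0 means "no limit requested",
    which is clamped to MAX_ENTRIES like any larger request.
    """
    try:
        items = parse_filter(filter_text)
    except ValueError as exc:
        return Decision(False, f"malformed filter: {exc}", 0)
    for item in items:
        if item.attr not in SEARCHABLE_ATTRS:
            return Decision(False, f"attribute {item.attr!r} is not searchable", 0)
        if item.wildcard:
            return Decision(False, f"wildcard in {item.attr!r} filter refused", 0)
    limit = MAX_ENTRIES if requested_size <= 0 else min(requested_size, MAX_ENTRIES)
    return Decision(True, "ok", limit)


if __name__ == "__main__":
    # Constructed sample requests: a harvesting attempt, a normal lookup,
    # a search on a non-searchable attribute, and a bare presence filter.
    for flt, size in [("(&(sn=Gietz)(mail=*))", 0), ("(sn=Gietz)", 500),
                      ("(telephoneNumber=+49*)", 10), ("(cn=*)", 0)]:
        d = check_search(flt, size)
        print(f"{flt:26} size={size:<4} -> {'allow' if d.allowed else 'refuse'}: "
              f"{d.reason} (limit={d.size_limit})")
```

The guard refuses a malformed filter rather than passing it through, because a front-end that forwards what it cannot parse cannot claim to enforce the wildcard rule. The country and proxy restrictions on slide 39 rest on client IP geolocation, which a crawler behind a foreign relay defeats; the filter and size-limit checks above hold regardless of where the client connects from, which is why they are the ones worth enforcing first.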

Slide 41: Proposed structure of deliverable
1. Discussion of EU regulation
2. Generic description of the CIP index system
3. Privacy issues of the system
4. Organizational and technical solutions

Slide 42: How to proceed?
• Should we restrict ourselves to the EC Directive or also interpret the other regulatory texts mentioned?
• How detailed should we be?
• How much of the directive should we quote?
• Should a template privacy policy text be included?
• Does it make sense to contact the Working Party?

Slide 43: How to proceed? contd.
• Who will actively join this work?
• I intend to get the first draft version out soon
• But the matter is very difficult and it is easy to make mistakes