Commission workshop on Privacy Enhancing Technology

On 4 July, the European Commission organised a technical workshop on
Privacy Enhancing Technologies (PETS) in Brussels. 39 experts, from Europe,
the USA and Canada were invited to participate, ranging from Commission
officials to academic experts, from data protection authorities to business
representatives. Amongst the invitees were also 2 EDRI-members; FIPR and
Bits of Freedom.

After a somewhat predictable debate about the meaning of the acronym PET,
the need to create PET-lovers, and possible other acronyms such as PUT and
PAT, the value of existing privacy enhancing technologies was discussed.
Basically, technology is considered privacy-friendly when it disables
traceability to a person (be it a person or a company). In the
implementation report of the 1995 privacy directive (95/46/EC), the
European Commission announced determined efforts to encourage and promote
the use and further development of these technologies.

John Borking, former member of the Dutch data protection authority,
defended PET as the most suitable method to prevent the linking of
databases. When he unfolded the theory of machine-made privacy choices, he
was sharply attacked by the Swedish business representative Stephan
Goldberg. According to Goldberg, “that kind of privacy-ontology is mainly a
reflection of the typical idea of engineers that law is simple, and can
thus easily be implemented in technology”.

A large part of the workshop was devoted to anonymity. According to
Stephanie Perrin, as a government official largely responsible for
privacy-legislation in Canada, the nucleus of any privacy legislation is
anonymity. She expressed regrets about the fact that PET is now largely
associated with weaker protection mechanisms, like opt-out boxes on
websites and cookie-management tools. As executive officer of Zero
Knowledge Systems, creators of the defunct anonymizer tool ‘Freedom’, she
was closely involved with the creation of a tool with anonymity in the
core. But acknowledging the market-failure of this and similar tools, she
argued the Commission should help develop these tools and generally focus
on anonymity.

Peter Hustinx, chief of the Dutch data protection authority and candidate
for the new function of EU Data Protection Supervisor, didn’t agree.
Besides anonymity, it is also useful to promote the use of partial,
non-personalised, data. Legally such a requirement can be based on article
17 of the 1995 privacy directive (95/46/EC), which requires that
controllers implement security measures which are appropriate to the risks
presented for personal data in storage or transmission, with a view to
protect personal data against accidental loss, alteration, unauthorised
access, in particular where the processing involves the transmission of
data over a network, and against all other unlawful forms of processing.
According to Hustinx, this article is too easily considered old-fashioned
in its stress on security, but it also prevents unlawful collection and
processing of personal data.

Implementation report on Directive 95/46/EC (15.05.2003)
http://europa.eu.int/comm/internal_market/privacy/lawreport_en.htm