Standardization in support of the European legal framework.

WAP-W3C Mobile Web Privacy Workshop
7-8 December 2000
Munich, Germany

Henry Ryan, <henryryan@eircom.net>

The "Initiative on Privacy Standardization in Europe" (IPSE) is compiling an official report on the role of standardization which will, where agreed necessary, prepare recommendations for relevant standardization actions to help business and other enterprises implement the relevant legislative acts. The project is being overseen by a Steering Group (SG) and carried out by a team of business, technology, communications, legal and consumer experts appointed by the SG. The expert team is being led by Stephanie Perrin (ZeroKnowledge, Canada) and includes Henry Ryan (Lios Geal Consultants, Ireland), Freddie Dawson (DG-Media UK), Rosemary Jay (Masons, UK) and a Consumer Representative (to be appointed).

The Business Objective

With the correct, legal use of employee and customer personal data by business becoming more and more a "hot" issue in Europe and around the globe, CEN/ISSS - the Brussels-based European standardisation organisation - together with CENELEC and ETSI have approved a study on privacy standards relevant to European and international privacy policies and regulatory considerations. This work is being conducted under a mandate (Mandate M/289) issued by the European Commission's SOGITS (a high-level group of officials involved in policy-making for information technology issues). Its recommendations, after public review and, if necessary, adjustment, will be the basis of any deliberate standards-development-related actions. At a minimum, IPSE will clarify the role of standards in the assurance of privacy regulations. Where necessary and agreed in public review, it can recommend specific actions to be undertaken, by whom and in what timeframe. As envisaged in the approved IPSE Terms of Reference, this deliverable could include a proposed business plan for a CEN/ISSS Workshop on Privacy and Data Protection.

Regulatory Issues

The regulatory issues of privacy in electronic commerce (which includes mobile electronic commerce in this context) are stated in the preamble to the European Directive on Electronic Commerce (Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market). This states that protection of individuals with regard to the processing of personal data is solely governed by Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and by Directive 97/66/EC concerning the processing of personal data and the protection of privacy in the telecommunications sector. In the same paragraph the Electronic Commerce Directive excludes its use to prevent the anonymous use of open networks such as the Internet.

Outline for the Study

The IPSE study on the role of standards setting as a contribution to compliance within the European legal framework on data protection and privacy is in two parts:

The first, to be completed by the end of Q1 2001, will provide a detached, reasoned, multiview analysis of the Privacy scene, including major players, technologies, initiatives, and policies. This will cover aspects such as an inventory and short analysis of existing and developing general and sectoral Codes of Conduct (60+ Codes already established), Best Practice guidelines, Privacy Enhancing Technologies (e.g. P3P (W3C), MS/IE5., LPWA, Crowds, Anonymiser), Seals/Trust schemes (e.g. OECD Privacy Policy Generator) and evolving policy/legislative development. The objective is to determine the feasibility and contribution of standardisation for business, at a technical and/or managerial level.

The second part will provide recommendations for future actions for possible standards setting based on an understanding of the business needs and drivers. The proposed topics are likely to address three key areas:

Codes of conduct

Privacy-enhancing technologies

International Standards

It should be noted that this set of possible work areas is neither exhaustive nor definitive. By assigning this work to the IPSE SG and by making its stage deliverables widely and publicly available, the CEN/ISSS Secretariat intends to stimulate careful and balanced consideration of the key privacy issues and the scope of managerial/technical resolutions to the identified issues. In so doing, a solid base will be established to support relevant agreed standards work programmes where these are likely to meet the essential requirements of the regulatory framework.

The IPSE SG welcomes inputs from all interested parties. Comments on any issue including technology and practical experiences should be addressed to the CEN Secretariat:

Georgia Skouma - Workshop Manager

CEN/ISSS

CEN - European Committee for Standardization

Rue de Stassart 36, B-1050 Brussels

Tel.: +32 2 550 08 89

Fax: +32 2 550 09 66

E-mail: georgia.skouma@cenorm.be

Web: www.cenorm.be/isss
