ePrivacy (RP2020)

Policy and legislation

Policy objectives

The enforcement of the EU data protection and privacy legal framework would be made easier if data processing products and processes were designed and built from the beginning with legal requirements in mind. This is referred to as 'data protection by design'. Standards may lay out the basic requirements for data protection by design for products and processes, minimising the risk of (i) divergent national approaches, with their related risks to the free movement of products and services, and (ii) the development of several, potentially conflicting, private de facto standards.

This could be combined with the emergence of certification services: businesses that want their products and processes audited as "privacy by design"-compliant would have to fulfil a set of requirements defined through appropriate EU standards and robust, independent third-party certification mechanisms.

The principles of data protection by design and by default, as well as the need to undergo a data protection and privacy impact assessment, are included in the recently adopted General Data Protection Regulation 2016/679/EU (GDPR). This Regulation replaced the Data Protection Directive 95/46/EC and has applied since 25 May 2018.

EC perspective and progress report

The focus will be on establishing a number of reference standards and/or specifications relevant to privacy in the electronic communications environment, to serve as a basis for encouraging the consistent adoption of standardised practices across the EU and, where relevant, on developing harmonised standards.

The Commission has recently proposed a mandate to European standards organisations seeking to routinely include privacy management methodologies in both the design and production phases of cybersecurity technologies generally.

References

The following legal instrument should be considered at European level:

  • Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive). This Directive is under revision: on 10 January 2017 the Commission adopted a proposal for a Regulation on privacy and electronic communications that will replace the old Directive and address its flaws, to ensure an increased level of protection of citizens' confidentiality of communications [23].
  • Regulation (EU) 2016/679 on the protection of natural persons with regard to personal data processing and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Article 25 calls for data protection by design and by default.
  • Directive 2014/53/EU on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing the Radio Equipment and Telecommunications Terminal Equipment (R&TTE) Directive 1999/5/EC. Article 3(3)(c) of this Directive requires that radio equipment within certain categories or classes "shall be so constructed that it […] incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected". The Commission is empowered to adopt delegated acts specifying which categories or classes of radio equipment are concerned by each of the requirements.

In June 2015, the Commission published a study on the "ePrivacy Directive: assessment of transposition, effectiveness and compatibility with the proposed data protection regulation, SMART 2013/0071". It contains an in-depth analysis of the national implementation of several key provisions (namely Articles 1 and 3 on the scope, Article 5 on confidentiality of communications, Article 5(3) on cookies and similar technologies, Articles 6 and 9 on traffic and location data, and Article 13 on commercial communications). See the study: http://ec.europa.eu/digital-agenda/en/news/eprivacy-directive-assessment-transposition-effectiveness-and-compatibility-proposed-data

Requested actions

In the light of the accountability and privacy by design principles, ICT standards generally should be created in order to ensure a high level of protection of individuals with regard to personal data processing, the free movement of such data, and the application of privacy by design methodologies. Privacy and data protection standards should thus be examined, developed or improved where necessary, so as to provide standardised methods that support that review and improvement in due respect of EU data protection rules.

Proposed specific areas for SDOs to focus on are:

Action 1: Continuing work on standardising browser functionalities and defaults to enable users to easily control whether they want to be tracked.

Action 2: SDOs to work on standardised solutions for location data used by mobile applications.

Action 3: SDOs to investigate standards for supporting compliance and certification of compliance with GDPR and possible other EU data privacy requirements.

Action 4: Promote EU-wide attention to standardisation of privacy statements and terms & conditions, given that there is mandatory acceptance of diverse, ambiguous and far-reaching online privacy conditions, and taking into account the GDPR. The Kantara CIS work and the data use statements described in ISO/IEC 19944 could be used as a basis for this action.

Action 5: SDOs to continue investigating technical measures apt to make personal data anonymous or pseudonymised (and therefore unintelligible by those who are not authorised to access them).

Action 6: SDOs to continue investigating how to warrant a user-centric approach in privacy & access management: see http://www.laceproject.eu/blog/give-students-control-data/ and http://www.lvm.fi/julkaisu/4440204/mydata-a-nordic-model-for-human-centred-personal-data-management-and-processing.

Action 7: SDOs to prevent unwarranted pervasive monitoring by default when developing standards. This is relevant not only in the context of the internet but also the IoT.

Action 8: SDOs to develop secure coding standards for secure application development: EU-wide attention to standardisation of privacy statements and terms & conditions as far as possible, given the existing state of mandatory acceptance of diverse, ambiguous and far-reaching online privacy conditions, taking into account the GDPR and the emergence of the IoT, where (embedded) devices process the device owner's personal data and possibly different device users' personal data, creating additional challenges to transparency and informed consent.

Activities and additional information

Related standardisation activities

Various activities are in place, as detailed below. Due account should also be taken of the activities of the DG GROW working group on "Privacy by Design", which includes standardisation participants and other stakeholders. In October 2014 the Commission issued the standardisation request M/530 "Standards for privacy & personal data protection management", in support of privacy management in the design, development, production and service provision processes of security technologies. The goal is that manufacturers and providers manage privacy and personal data protection issues through privacy by design.

ETSI

ETSI TC CYBER (TC CYBER publications and TC CYBER work programme) covers privacy in response to European Commission (EC) Mandate M/530 on Privacy by Design, with a new TS on mechanisms for privacy assurance and the verification of Personally Identifiable Information, a TS on Identity Management and Discovery for IoT, which will identify means to prevent identity theft and resultant crime, and TR 103 370, a practical introductory guide to technical standards for privacy. TC CYBER has also released two specifications on Attribute-Based Encryption (ABE) that describe how to protect personal data securely with fine-grained access controls (TS 103 458 and TS 103 532).

The work done on middlebox security protocols can also be used to prevent pervasive monitoring by default.

https://www.etsi.org/technologies-clusters/technologies/cyber-security

3GPP TS 33.501 “Security architecture and procedures for 5G System” covers privacy for mobile.

ETSI ISG CIM is working on requirements for enabling privacy and security when registering/exchanging context information which may contain identification of natural persons (ETSI GR 007).

CEN and CENELEC

CEN-CLC/JTC 13 'Cybersecurity and Data protection' develops standards for data protection, information protection and security techniques with a specific focus on cybersecurity, covering all concurrent aspects of the evolving information society, including privacy guidelines. The JTC adopts international standards (such as those of ISO/IEC JTC 1) as ENs, with additional specific European requirements in the European legislative and policy context (Cybersecurity Act, GDPR, NIS, sectoral legislation), to support privacy protection in the European context.

CEN-CLC/JTC 8 'Privacy Management in Products and Services' has been disbanded and is now active as CEN-CLC/JTC 13/WG 5. CEN-CLC/JTC 13 took over the work items of CEN-CLC/JTC 8 and continues the development of the EN on 'Privacy protection by design and by default'. This EN will provide component and subsystem developers with an early formalised process for the identification of privacy objectives and requirements, as well as the necessary guidance on associated assessment. This project is being developed in response to the Standardisation Request M/530 on 'privacy and personal data protection management in the design and development and in the production and service provision and process in the security technologies'.

Moreover, CEN/TC 224 'Personal identification and related personal devices with secure element, systems, operations and privacy in a multi sectorial environment' develops standards for strengthening the interoperability, security and privacy of personal identification and its related personal devices and systems. In 2018 and 2019, CEN published the following standards:

  • EN 419 231:2019 'Protection profile for trustworthy systems supporting time stamping'
  • EN 419 241-1:2018 'Trustworthy Systems Supporting Server Signing - Part 1: General System Security Requirements'
  • EN 419 221-5:2018 'Protection Profile for Trust Service Provider Cryptographic modules - Part 5: Cryptographic module for trust services'

IEEE

IEEE has several standards activities in the ePrivacy space:

  • A draft recommended practice to specify a privacy threat model for IEEE 802 technologies and provide recommendations on how to protect against privacy threats, which is important as IEEE 802 technologies play a major role in Internet connectivity.
  • Several projects in the area of personal data privacy, as an outcome of the IEEE Global Initiative for Ethical Considerations in Autonomous and Intelligent Systems.
  • A new pre-standardisation activity that will develop a framework towards solutions that facilitate digital inclusion, trust, personal data agency and security.
  • Other new projects for privacy in consumer wireless devices and drones.

https://ieeesa.io/rp-eprivacy

W3C

An initiative to develop specifications by which Internet users may express their permission (or the withholding of their permission) to have their presence and activities on websites tracked (the "Do Not Track" concept), and to help Internet users express their consent or refusal to be tracked on the internet. The working group will be closed towards the end of 2018. Information will remain available at:

http://www.w3.org/2011/tracking-protection/

The W3C Data Privacy Vocabularies and Controls CG (DPVCG) develops a taxonomy of privacy terms, which includes in particular terms from the European General Data Protection Regulation (GDPR), such as a taxonomy of personal data, a classification of purposes (i.e., purposes for data collection), and events of disclosure, consent and processing of such personal data. This will help to create data-protection-aware data handling policies for systems based on linked data, such as the Web of Things.

OASIS

Privacy by Design Documentation for Software Engineers (PbD-SE) standards project: https://www.oasis-open.org/committees/pbd-se

Privacy Management Reference Model (PMRM): https://www.oasis-open.org/committees/pmrm

IETF

The SIP Best-practice Recommendations Against Network Dangers to privacY (sipbrandy) WG will define best practices for establishing two-party, SIP-signalled SRTP sessions with end-to-end security associations, including a single, preferred SRTP key exchange mechanism. These practices are expected to be deployable across typical SIP networks without sharing SRTP keying material with intermediaries or third parties, and should protect against man-in-the-middle attacks.

The DNS PRIVate Exchange (dprive) WG develops mechanisms to provide confidentiality for DNS transactions, to address concerns surrounding pervasive monitoring (RFC 7258). The set of DNS requests that an individual makes can give an attacker a large amount of information about that individual; DPRIVE aims to deprive the attacker of this information.

The Internet Architecture Board has established a Privacy and Security Program to serve as a forum for synthesising privacy thinking within the technical standards community and to create privacy design considerations for use within the IETF. RFC 6973 "Privacy Considerations for Internet Protocols" offers guidance for developing privacy considerations for inclusion in protocol specifications.

https://trac.ietf.org/trac/iab/wiki/Multi-Stake-Holder-Platform#ePrivacy

The DNS Over HTTPS (doh) WG standardises encodings for DNS queries and responses that are suitable for use in HTTPS. This enables the domain name system to function over certain paths where existing DNS transports (UDP, TLS [RFC 7858] and DTLS [RFC 8094]) experience problems. DNS Queries over HTTPS (RFC 8484) was published in October 2018.

ISO/IEC JTC 1

ISO/IEC JTC 1 SC 7 on Systems and software engineering published a set of standards (the ISO/IEC 25000 series, and specifically ISO/IEC 25024) that includes the possibility to design specific privacy measures.

https://www.iso.org/committee/45086.html

ISO/IEC JTC 1 SC 27 on IT Security Techniques published a Code of Practice for the protection of personally identifiable information (PII) in the public cloud (ISO/IEC 27018:2014), and is developing a draft international standard privacy capability assessment model (ISO/IEC DIS 29190). Another relevant work item is ISO/IEC 27552 - Enhancement to ISO/IEC 27001 for privacy management - Requirements.

http://www.iso.org/iso/iso_technical_committee?commid=45306

ITU-T

The ITU, through a variety of activities, is examining matters related to building confidence and security in the use of ICT, including stability and measures to combat spam, malware, etc., and the protection of personal data and privacy (ref. Plenipotentiary Conference, Guadalajara 2010, Resolution 130). ITU-T has been developing standards which address the protection of personally identifiable information, such as Recommendations ITU-T H.233, H.234, H.235.0, H.235.9, J.93, J.96, J.125, T.807, X.272, X.1081, X.1086, X.1092, X.1142, X.1144, X.1171, X.1250, X.1252, X.1275, X.1580, Y.2720 and Y.2740.

The ITU-T Focus Group on Data Processing and Management (FG-DPM) has developed several deliverables pertaining to privacy and security for data within the IoT and smart city ecosystem. With the conclusion of the work of the FG-DPM, its deliverables will be transferred to SG20. More info: https://www.itu.int/en/ITU-T/focusgroups/dpm/Pages

ITU-T SG17 is the lead Study Group on Security at the ITU-T. It continues work on security techniques for the governance of information security (X.1054rev) and a Framework for the creation and operation of a cyber defence centre (X.fram-cdc), among others. More info: https://itu.int/go/sg17

Other activities related to standardisation

Kantara

User-Managed Access (UMA)

UMA is an OAuth-based protocol designed to protect user privacy by giving web users a unified control point for authorising access to their online personal data, content and services, no matter where they are hosted.
http://kantarainitiative.org/confluence/display/uma/Home

Consent & Information Sharing Workgroup (CIS)

People's capacity to manage their privacy is increased if they are able to aggregate and manage consent and information-sharing relationships with consent receipts. Standardised consent receipts also give organisations an opportunity to advertise trust. The core receipt specification addresses general, or regulatory, consent requirements. More elaborate consent receipts can become a vehicle for trust networks, federations, trust marks, privacy icons, assurances, certifications, and self-asserted community and industry reputations.
https://kantarainitiative.org/confluence/display/infosharing/Home

Additional information

Management of controls over the access to and ownership of data should be considered essential for the effective implementation of privacy measures.

[23] Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), 10 January 2017, COM(2017) 10 final. https://ec.europa.eu/digital-single-market/en/news/proposal-regulation-privacy-and-electronic-communications