
Privacy Laws and Business International Report



Privacy standards may soon emerge in Europe [2000] PLBIRp 18; (2000) 53 Privacy Laws and Business International Report 18

Privacy standards may soon emerge in Europe

THE NEED FOR PRIVACY STANDARDS is being debated among international business. While some consider standards the best way forward to provide additional guidance on how to comply with new European data protection laws, others would be satisfied with codes of conduct.

Self-regulation has been recognised as a part of a working data protection regime - the EU Data Protection Directive specifically mentions codes of conduct. The question of whether codes could be supplemented by standards that would set precise guidelines in a formal manner has arisen from business needs. Apart from seeking practical tools for ensuring compliance with the laws, organisations may seek to adopt measures that easily demonstrate to consumers that their privacy is ensured. However, would standards be general, sector-specific or task-specific?

SEMINAR EXPLORED THE OPTIONS

An Open Seminar, organised by the European Standardisation Organisation CEN/ISSS in Brussels on 23-24 March, sought to find answers to these questions. CEN/ISSS had already held three workshops discussing self-regulatory initiatives. This meeting was organised in order to gather further views on the possibility of standardisation.

The meeting was chaired by Nick Mansfield, Chairman of the International Commerce Exchange (ICX), which had been involved in organising the meeting. He stressed that standards and codes of conduct complement each other, and work best together. Standards would bring a degree of formality and transparency. He also emphasised that self-regulatory solutions have to be found soon - preferably by the end of the year.

ICX, a group of international businesses, has developed its own draft code of conduct, which is general in nature (PL&B Feb 2000 p.3-4).

The code will be made public on completion. It has already received support from some of the European Data Protection Authorities. ICX has hoped that the code could be developed into a standard in the future. However, in the light of this meeting, it seems more likely that standards may emerge in sector-specific areas.

SELF-REGULATION TAKES MANY FORMS

CEN/ISSS had previously identified four specific possibilities for self-regulation:

1. General Guidelines

2. Sectoral Codes

3. Privacy Enhancing Technologies (PETs)

4. An international dimension

There has been some progress in the field of sectoral codes. Three organisations, representative of their field of business, have now submitted their codes to the EU Data Protection Working Party for approval. The FEDMA code, which addresses European direct marketers, as well as the code by IATA, representing international airlines, are being studied by the Working Party (PL&B Oct 99 p.10-12). A third code was submitted in March by AESE, the Association of Executive Search Consultants. The relationship between codes of conduct and possible standards was not totally clear to participants. Evangelo Vardakas, Director of the European Commission's Enterprise Directorate, said that a range of codes is hoped for, but that they also leave space for standardisation. Francis Aldhouse, UK Deputy Data Protection Commissioner, said that not all standards, especially technical ones, may be suitable for codes of conduct, but there is no conflict as they can work together.

STANDARDS COULD SERVE THE NEEDS OF E-COMMERCE

PETs were seen as a field where standards could bring some additional value. As the technologies are generally unknown to users, something is needed to validate them. John Borking, Vice President of the Netherlands' Data Protection Authority, chaired a session which looked at some of the new technologies. He said that PETs can be used in two ways: either to empower the individual to make choices about their privacy, or to introduce PETs for organisations to use. In the latter case, the individual cannot influence the level of privacy offered.

It was thought that PETs and standards are especially well suited for ensuring privacy in electronic commerce. Initiatives such as the OECD privacy policy generator (PL&B Oct '99 p.5) and trustmark programmes were mentioned. There was some concern about whether adopting standards in this field would stop product development and innovation. Professor Jos Dumortier of ICRI, who had prepared a comprehensive discussion paper for the meeting, stressed, however, that because there are so many different products, consumers need an indication on which ones they can trust. Formal standardisation achieved by a consensus-based approach would bring just that benefit. Martin Grosskopf, Project Manager of CSA International (a Canadian standards body), told the seminar that there is support for a consensus-based web trustmark in Canada. They could produce something in the next 6-8 months, but this would be just a start, not a national standard.

He went on to describe how Canada adopted its existing privacy standard, the CSA Model Code for the Protection of Personal Information (PL&B Sept '98 p.16-17). The code, which was adopted in 1996, needs to be revised in 2001. However, a new privacy law for the private sector will be adopted this spring. It is based on the code, but any future changes to the code will not be reflected in the law. He reminded the Europeans that the development of codes takes time especially because of the need to seek consensus.

The British Standard 7799 on information security was also mentioned as an example of an existing privacy standard. A representative of the International Standards Organisation (ISO), Mike Smith, said that the ISO was not planning to do any work on privacy standards at the moment. However, should all the stakeholders agree on the need for standards, the ISO would be interested in co-operating in the future.

CRITICISM

Those challenging the idea of standards brought into the discussion other aspects, such as the fact that small and medium sized organisations are not represented in the discussions, and would probably not even have the resources to participate.

Some business representatives did not see any value in standards as opposed to codes of conduct. It was also questioned whether consumers would have any say in standards development.

CONCLUSIONS

Professor Dumortier outlined three possible levels of standards in his discussion paper:

1. General

2. Sector-specific

3. Task-specific

Each level would require both management documents and technical tools. Dumortier said that on a general level, global initiatives would have to lead to a set of documents and software tools in order to aid compliance with the EU Data Protection Directive. A sector-specific standard could be developed in the fields of electronic commerce, health care or human resources management. With regard to specific tasks, P3P is a good example of a privacy tool that is already being developed.

Peter Hustinx, President of the Netherlands' Data Protection Authority, thought that standards would be best for specific areas rather than for general application.

Evangelo Vardakas, Director of the European Commission's Enterprise Directorate, said that there is still some confusion over the various possibilities for standards. Also, further clarification is needed on what is meant by an open, consensus-seeking approach. While there are parties that do not wish to participate in the standards process, this should not stop others from starting to work.

Nick Mansfield of ICX concluded by saying that codes of conduct have a range of different values. The value of standards would be that they remove problems of acceptability as the process is transparent. He continued to say that, in the next eight months, ICX and CEN/ISSS will prepare a business proposal on how to proceed, and address one of the levels in the early autumn.

The discussion paper for the seminar, prepared by Professor Jos Dumortier and Caroline Goemans, can be found at http://www.law.kuleuven.ac.be/icri. For more information about CEN/ISSS work on privacy standards, see http://www.cenorm.be, or e-mail isss@cenorm.be. The ICX website is at http://www.icx.org, and the secretariat can be contacted at info@icx.org.


URL: http://www.worldlii.org/int/journals/PLBIRp/2000/18.html