The European Union Agency for Network and Information Security (ENISA) has published a new report on online privacy and data protection.
The agency believes the key to protecting privacy, which has been declared a fundamental right, is to focus on privacy and data protection from the beginning of the design process.
The problem is that existing policy doesn’t offer any incentives for adopting privacy by design. In addition to new policies, ENISA says new electronic communication standards should also focus more on privacy and data protection.
The study points out that encryption, anonymous communications protocols, private database searches, attribute-based credentials, and other privacy-enhancing technologies have been demonstrated to be effective.
Encryption is becoming widely used, especially because of the recent revelations about the advanced capabilities of spy agencies. However, other technologies have not become a standard and they’re not utilized as much as they should be in system design, ENISA noted.
“The term ‘Privacy by Design’, or its variation ‘Data Protection by Design’, has been coined as a development method for privacy-friendly systems and services, thereby going beyond mere technical solutions and addressing organisational procedures and business models as well,” the report reads. “Although the concept has found its way into legislation as the proposed European General Data Protection Regulation, its concrete implementation remains unclear at the present moment.”
The report is addressed to policy makers, data protection authorities, researchers, engineers, and regulators. It details approaches, strategies, and technical aspects, and provides recommendations on how to implement privacy by design with the aid of engineering methods.
ENISA says legislators need to promote data protection and privacy in their norms, and policy makers should come up with incentives for privacy-friendly services. Standardization bodies are advised to include privacy considerations into the standardization process, and provide standards for the interoperability of privacy features.
The agency also believes data protection authorities should play an important part in providing independent guidance and tools for privacy engineering. The research community should focus its efforts on privacy engineering and, in collaboration with software development tool providers, offer solutions enabling intuitive implementation of privacy properties.
The EU agency published its report just as British Prime Minister David Cameron announced his intention to introduce a new law banning encrypted communications that cannot be accessed by authorities. Experts believe this approach will not do much good. On the contrary, it will put consumers and organizations at risk.
ENISA’s report, Privacy and Data Protection by Design, is available online.
