Privacy Seals: A way forward for building trust. The EuroPriSe project. 1

Transcription

1 Privacy Seals: A way forward for building trust. The EuroPriSe project October 2007 Florence Emilio Aced Félez Agencia de Protección de Datos de la Comunidad de Madrid emilio.aced@madrid.org

2 Where are we? 2 Data protection is A successful European Story UE affords highest protection in the world But there is a need for Fostering compliance and trust Ways to make explicit best practices Tools for consumers and companies to identify trusted parties Constant innovation

3 Way forward 3 Positive incentives Privacy Enhancing Technologies Privacy Management (PRIME) Privacy Seals Voluntary scheme Regulated Self-Regulation Public recognition of privacy best practices Easily identifiable by all parties

4 Gütesiegel Based on successful experience of the Gütesiegel (Schleswig-Holstein) 4 ICPP Privacy Seal Privacy Seal: product audit Scope: privacy and data protection regulations including regulations on IT security Voluntary, but regulated by state law Product evaluation by legal and technical experts admitted by ICPP Criteria based on legal regulations

5 Gutesiegel IT Product or Service Admitted Expert checks Product or Service 5 Granting of Privacy Seal Accredited Certification Body checks ER

6 European Privacy Seal 6 Supported by the EU

7 Scope The European Privacy Seal certifies that an IT product or IT based service facilitates the use of that product or service in a way 7 compliant with European regulations on privacy and data protection, taking into account the legislation in the pilot countries.

8 Consortium 8 ICPP (Schleswig-Holstein - Coordinator) CNIL (French Data Protection Authority) APDCM (Madrid Data Protection Authority) VaF (Slovakia) TÜViT (Germany) Borking Consultancy (The Netherlands) Ernst & Young (Sweden) OEAWT/ITN (Austria) Londonmet (United Kingdom)

9 Main Actors 9 Standard and Certification bodies Board for Accreditation and Conformity Assessment Public Authorities Ministries Agencies Accredited certification bodies Center for work on standards Potential Experts Legal Technical Associations Manufacturers and Vendors Service or product provider Associations Consumers Authorities and Associations Others European Organizations EU entities Other cross-european organizations

10 EuroPriSe IT Product or Service Admitted Expert checks Product or Service 10 Granting of Privacy Seal Accredited Certification Body checks ER

11 EuroPriSe Criteria Set 1 Overview on Fundamental Issues Fundamental Aspects of Processing 1.2 Fundamental Technical Construction Set 2 Legitimacy of Data Processing 2.1 Legal Basis for the processing 2.2 Special Requirements relating to the various phases of the processing 2.3 Compliance with general data protection principles and duties 2.4 Special types of processing operations

12 EuroPriSe Criteria 12 Set 3 technical-organisatorial measures Passwords, firewalls, encryption, pseudonymisation, logs, anti-virus protection, support for the DPO, special duties in special contexts, etc.) Set 4 data subject rights Right to be informed; right of access; right of correction or erasure/blocking; right to object)

13 Experts Admittance 13 Expert admittance procedure Proof of qualification: legal and/or technical Submit work specimens Proof reliability and independence Training Publication of expert admittance and area of qualification in public register list Accreditation of certification bodies Official national institutions & private organisations Acceptance of certification scheme & royalties Training

14 EuroPriSe Board 14

15 EuroPriSe Board 15

16 EuroPriSe 16 A certificate, based on a transparent and revisable procedure Supervised by independent authorities or trustees Uniform criteria based on the European Privacy Directives Valid throughout the European Member States A positive incentive to develop and deploy privacy compliant and privacy enhancing products and services on the market (regulated self-regulation)

17 Conclusions 17 Contributes to effective application of, and compliance with European privacy and data protection legislation. Increases understanding of European privacy and data protection legislation. Increases awareness around privacy and data protection. Increases user, consumer and citizen trust in products and services. Is good practice for privacy and data protection in products and services.

18 Conclusions 18 Increases market transparency. Provides strong competitive advantage for manufacturers and vendors. Reduces the increase in workload of supervising authorities. Fosters market acceptance of privacy protection. Promotes European cross-border sales. Creates new market opportunities.

19