Warsaw Declaration Cites 'Appification'; World DPAs Discuss PRISM Revelations

By Stephen Gardner  

Sept. 25 --Data protection officials from 52 countries meeting at the 35th International Conference of Data Protection and Privacy Commissioners in Warsaw, Poland, Sept. 25 announced that they had agreed on a declaration that the "appification" of society must be carefully managed to counter privacy threats.

The Warsaw declaration, which was adopted in a Sept. 24 closed session, said that "app developers are often unaware of the privacy implications of their work, and unfamiliar with concepts like privacy by design." To counter this, privacy commissioners should work to raise awareness within the industry, the declaration said.

However, much of the discussion at the conference Sept. 25 was on the revelations about the U.S. National Security Agency's PRISM Internet surveillance program, and similar programs run by other governments, and actions privacy commissioners can take to guarantee the privacy rights of individuals based on a principle of nondiscrimination.

 

Resolutions Adopted.

In the Sept. 24 closed session, the group also adopted resolutions on:

•  profiling;

•  Web tracking;

•  transparency of data protection practices;

•  digital education; and

•  international enforcement cooperation.

The privacy commissioners also adopted a resolution on the conference's strategic direction, to guide its working groups through 2016.

The resolution on profiling stated that profiling operations should be minimized and should be based on clearly determined needs, and that the subjects of profiling should be informed.

The resolution on Web tracking emphasized that the tracking of online behavior could be a threat to privacy, and organizations involved in Web tracking should therefore adopt data protection principles.

Wojciech Rafal Wiewiørowski, Poland's Inspector General for Personal Data Protection, said in a Sept. 25 statement that the conference resolutions may become laws but can "already serve as a set of guidelines" for data protection commissioners "that should be taken into account both when making decisions in particular cases, and when commenting on legal acts."

 

PRISM Concerns.

The conference adopted a global data protection standards resolution prompted, in part, by concerns over U.S. surveillance activity.

Jacob Kohnstamm, chairman of the Article 29 Working Group of European Data Protection Authorities and chairman of the Dutch Data Protection Authority, also served as chairman of the conference's executive committee that met to adopt the resolutions.

Kohnstamm said that the PRISM internet surveillance program and related NSA surveillance actions showed that "we need a better balance between security and surveillence, and privacy."


 

PRISM "shows that we need to be stronger," and EU lawmakers should work to revise the bloc's data protection regime by early 2014, ahead of European Parliament elections in May 2014.  
Peter Hustinx, European Data Protection Supervisor  

By issuing orders under the Foreign Intelligence Surveillance Act (FISA) to companies, compelling them to release the personal data of users, the NSA was "building haystacks in order to find the needle," Kohnstamm said.

In addition, FISA orders apply to non-U.S. citizens outside the United States, and "the non-Americans do not like to be discriminated against," Kohnstamm said.

"The whole world is protesting about what is happening," he said.

Kohnstamm connected the conference resolution on global data protection to the PRISM revelations, saying "we call on governments to start negotiations within the U.N." on a protocol to Article 17 of the International Covenant on Civil and Political Rights.

The focus of the resolution is that the collection and storage of personal data should be regulated by law, and that individuals should be allowed to know what information is held about them, and should have a right to rectify incorrect information.

According to the resolution document, the U.S. Federal Trade Commission abstained from voting on it.

 

EU Response to PRISM.

In addition to pushing for an international data protection standard, conference speakers said that the European Union should respond to the PRISM revelations by finalizing its data protection reform, and by reevaluating the U.S.-EU Safe Harbor Program.

Peter Hustinx, the European Data Protection Supervisor, said that for the EU, PRISM "shows that we need to be stronger," and lawmakers should work to revise the bloc's data protection regime by early 2014, ahead of European Parliament elections in May 2014.

The European Commission, the EU's executive arm, published in January 2012 a proposed data protection regulation to replace the 1995 EU Data Protection Directive (95/46/EC) (11 PVLR 178, 1/30/12).

The "new legal framework will provide much more effective protection in practice," Hustinx said.

Rafal Trzaskowski, a Polish center-right member of the European Parliament, speaking in a session on data protection and global trade law, said that the PRISM revelations had shown that "we have to look at the Safe Harbor agreement and try to recalibrate that."

The U.S.-EU Safe Harbor Program, which is administered by the U.S. Department of Commerce, allows companies to transfer personal data from the EU. Under the Safe Harbor Program, U.S. companies self-certify their agreement to abide by the Safe Harbor framework, which includes seven privacy principles similar to those found in the Data Protection Directive.

In the wake of the PRISM revelations, "the most important thing is to get trust back, and it will be immensely difficult," Trzaskowski said.

 

New DPA Members.

The group also adopted a resolution to grant member accreditations to the Data Protection Office of Mauritius, the Kosovo National Agency for Personal Data Protection and the Ombudsman's Office of the city of Buenos Aires, Argentina.

The group granted observer status to: the South Korea National Information Security Agency; the Russia Federal Service for the Supervision of Telecommunications, Information Technology and Mass Communications; the Canadian International Industrial Security Directorate; the Personal Data Protection Commission of the Republic of Singapore; the Bremen, Germany, data protection authority; the Ecuador data protection authority; and the Ecuador telecommunications regulator.

2014 Global DPA Meeting Set for Mauritius

The 36th International Conference of Data Protection and Privacy Commissioners will be held in September 2014 in Mauritius.

The conference also named Mauritius as the venue for the 36th International Conference of Data Protection and Privacy Commissioners in September 2014.

 

'Appification' Alert.

The Warsaw declaration said that about 6 million mobile apps are currently available, with 30,000 new apps created each day.

Apps allow for "continuous digital monitoring, often without users being aware that this happens and what their data are used for," according to the Warsaw declaration.

Kohnstamm said Sept. 25 that "we don't want to spoil the fun that goes with apps," but data protection should be taken into account in all apps to "minimize the surprise" that users might feel if they are not sufficiently warned of the uses to which their data might be put.

Apps should not contain hidden features or collect data without the user's knowledge, and users should be able to "decide what information to share with whom and for what purposes," the Warsaw declaration said.

The declaration added that app developers should make clear decisions about what information they need to collect for the performance of the app, and should not collect information without user consent.

Operating system providers also share some responsibility for data collection by apps because they "create and maintain the framework in which apps are used," the declaration said.

By Stephen Gardner  

To contact the reporter on this story: Stephen Gardner in Warsaw at correspondents@bna.com.

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com.


Full text of the "Warsaw declaration on the 'appification' of society" is available at http://op.bna.com/pl.nsf/r?Open=dapn-9bvqgn.  

Links to the resolutions adopted by the conference are available at https://secure.edps.europa.eu/EDPSWEB/edps/site/mySite/Intconference.