The 35th International Data Protection and Privacy Commissioners Conference, which comprises national, regional and local data protection and privacy authorities from all five continents, convened in Warsaw last week. The Conference adopted a total of nine resolutions and a declaration, which is the highest number of resolutions since the Conference’s first annual meeting back in 1979. This year’s resolutions focus on two main topics:

  • Internet and technology issues, such as
    • web tracking
    • profiling
    • apps
    • openness and privacy notices
  • International enforcement coordination

Web Tracking

Whilst recognizing some consumer benefits of web tracking, the Conference was concerned with the serious privacy risks tracking poses, particularly with respect to the data protection principles of transparency, purpose limitation and individual control. The Resolution on web tracking and privacy (the Slovenian and French data protection authorities abstained from voting) calls on all stakeholders to, among other things:

  • Ensure adequate transparency about all types of web tracking practices and provide notice of the use of tracking elements; invisible tracking elements should not be used except in certain limited cases;
  • Provide control over the use of tracking elements to enable informed consumer choices, including by offering easy tools to users and promoting technical standards;
  • Respect the principle of privacy-by-design, use techniques such as anonymization and pseudonymization and conduct privacy impact assessments; and,
  • Avoid tracking children.

Profiling

The Conference’s unease with the generation of interest or user profiles also led to the adoption of a separate resolution that highlights concerns regarding the use of Big Data applications. The Resolution on profiling, which is very much in line with a similar resolution adopted in 2012, centers around the following data protection principles:

  • Purpose limitation: the need and practical use of specific profiling operations should be clearly determined and appropriate safeguards ensured before starting with the profiling;
  • Data quality: it should be ensured that only the necessary amount of data is collected, that the data is sufficiently up to date and accurate, and that profiles and algorithms are continuously validated;
  • Transparency: society should be informed about profiling operations, including the way profiles are assembled, to the maximum extent possible;
  • Rights of individuals: individuals should be able to maintain control over their own data and be informed about their rights; human intervention should be provided where appropriate; and appropriate oversight of all profiling operations should be ensured.

Apps

Mobile applications (apps) are covered in the Warsaw declaration on the “appification” of society. The declaration highlights the shared responsibility for privacy of both app developers and providers of operating systems.

  • App developers should take into account privacy by design, data minimization and the need for informed user consent for data collection beyond what is necessary.
  • Providers of operating systems bear responsibility for their app platforms. They should offer granular privacy settings on mobile devices, offering full user control.

The privacy and data protection commissioners have expressed their willingness to engage with the app industry to encourage better privacy practices. At the same time, they have threatened enforcement action if self-regulation and voluntary compliance are not successful.

Openness and Privacy Notices

In 2013, nineteen authorities participated in the first Global Privacy Enforcement Network (GPEN) Privacy Sweep, where they examined websites to assess the transparency of organisations’ privacy practices. They found that one out of five websites did not have a privacy policy or buried the privacy policy in the legal notice or terms and conditions. The authorities were also critical of privacy policies that did not provide clear and meaningful information or did not contain (sufficient) contact information.

In its Resolution on openness of Personal Data Practices, the Conference recognizes the importance of allowing individuals to make informed choices and the principle of transparency or openness. Organizations are urged to provide sufficient and meaningful information to individuals, in clear and plain language and in an easily accessible format (very much in line with the European Commission’s legislative proposal for a General Data Protection Regulation). The Conference also promotes the use of privacy seals, certification and trustmarks. In light of recent revelations about government surveillance programs, the Conference (with the exception of the U.S. Federal Trade Commission (the “FTC”), which abstained from voting) also calls for greater openness of governments about their data collection practices.

International Enforcement Coordination and International Law

In its Resolution on International Enforcement Coordination, the Conference encourages efforts to bring about more effective coordination of cross-border investigation and enforcement in appropriate cases. A Working Group has been mandated to develop a common approach to cross-border case handling and enforcement coordination. Privacy enforcement authorities are encouraged to look for concrete opportunities to cooperate. In addition, the Conference supports the development of a secure information platform enabling privacy enforcement authorities to share confidential information.

In its Resolution on anchoring data protection and the protection of privacy in international law, the Conference (with the exception of the FTC, which abstained from voting) recalls the importance of instruments in international law for the protection of personal data and observes a pressing need for a binding international agreement on data protection. It therefore calls upon governments to advocate the adoption of an additional protocol to the International Covenant on Civil and Political Rights (the “ICCPR”). The ICCPR, which was adopted by the General Assembly of the United Nations in 1966, provides a legal framework for privacy protection in its Article 17.