In the last years the general level of awareness for information security and privacy has increased a lot. This due to a number of recent developments.
- Headlines about major breaches at both government organisations and corporations;
- The continued evolution of technologies that permits individuals to connect and communicate, resulting in an increasing amount of personal information being available online;
- Revelations about the extent of government surveillance of individual communications and other online activities.
These developments contain a serious risk for privacy and data protection.
PET’s and GDPR compliance
Privacy Enhancing Technologies (PETs) can address these risks. PETs are a coherent system of ICT measures that protect privacy by eliminating or reducing personal data or by preventing unnecessary and/or undesired processing of personal data, all without losing the functionality of the information system. Article 25 (and related recitals 28, 29 and 78) of the GDPR contain the principle of data protection by design that requires controllers and processors to embed privacy measures and PETs directly into the design of information technologies and systems.
The use of PETs should result in making breaches of certain data protection rules more difficult and/or helping to detect therm. PETs can help organisations to ensure the protection of data protection, including aspects of compliance with the General Data Protection Regulation (GDPR). There exist various examples of PETs that focus on different GDPR-topics:
Informed consent is a key principle in the GDPR. Data subjects need to have a clear understanding of what they are consenting to. PET’s can help to ensure that the data subject’s consent to processing of their data is an informed one.
GDPR Article: 7, Recitals: 32, 33, 42, 43
For example: “E-P3P is a privacy-specific access control language that allows organisations to design and deploy machine-readable privacy policies, including identifying opt-in or opt-out choices (depending on the nature of the information) and placing restrictions on access to personal information, and design access control policies to give effect to the privacy policies”.
Data minimisation is another fundamental GDPR-principle. It requires that services and applications only process the minimum amount of information strictly necessary for the service or for a particular processing activity.
The use of PETs can help to design information and communication systems and services in a way that minimises the collection and use of personal data and facilitate compliance with data protection rules.
GDPR Article: 5, Recital: 39
For example: PETs in this category include websites that deliberately choose not to collect and store personal information such as search terms, search history, IP addresses and so on. Famous example DuckDuckGo.
The principle of transparency requires that personal data shall be processed in a transparent manner in relation to the data subject. PETs can also help in delivering a clear transparency to data subjects.
GDPR Article: 12, Recital: 58
For example: “Data Track, a tool that intended to provide a history of all online transactions, storing for the user information regarding which personal information has been disclosed to whom. Data Track was also intended to provide transparency to users of their online transactions and to enable them to later question data controllers over whether they really treated their personal information as promised”.
Data subject rights
The GDPR provides rights to the data subjects related to the processing of their personal data (right to access, right to rectification, etc.) PETs can assist data subjects exercising their rights.
GDPR Article: 12-22, Recitals: 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 91
For example: “AMI (Access My Info), a step-by-step wizard that results in the generation of a personalised formal letter requesting access to the information a provider stores and utilises about a person.”
The GDPR obligates data controllers and processors to take appropriate technical and organisational measures to protect personal data against unlawful processing and to ensure a level of security appropriate to the risk. PETs can support the controller and/or processor obligation to take appropriate measures.
GDPR Article: 32, Recitals: 76, 77, 78, 83
For example: Encryption tools, preventing hacking when information is transmitted over the internet.
At the moment, a wide range of PETs have been proposed, but only a few seem to be successful. There are a few reasons why the success of the PETs is limited.
- The current economic and regulatory environments provide little incentive for deploying promising consent technologies. Most of revenue streams of the online industry are based on the collection of as much personal data as possible, that might change with the GDPR
- The tools are considered as too complex by average individuals. Most of the PETs are unknown for potential users and lead to scepticism and distrust
- There is a lack of awareness of the existence of these tools
So now what?
As is stated in the article there has been done very little research concerning the success of PETs. For instance, in this research there isn’t looked at the adoption rates of the different technologies. They also did not research why some PETs were successful. So, we can’t use this information to adapt the current PETs to make them more attractive.
To make PETs more successful, it is clear that there has to be done more research. This research can contribute to the quality and effectiveness of the current PETs and the upcoming ones. It can also give us a better image on how we can deploy the PETs the best way in the market so that more companies will make use of them. At last there also has to be more general awareness concerning PETs not only for individuals but also for companies.
We can conclude that PETs have a lot of value but there is still a long way to go.