Commission workshop on Privacy Enhancing Technology

On 4 July, the European Commission organised a technical workshop on Privacy Enhancing Technologies (PETS) in Brussels. 39 experts from Europe, the USA and Canada were invited to participate, ranging from Commission officials to academic experts, from data protection authorities to business representatives. Amongst the invitees were also 2 EDRI-members: FIPR and Bits of Freedom.

After a somewhat predictable debate about the meaning of the acronym PET, the need to create PET-lovers, and possible other acronyms such as PUT and PAT, the value of existing privacy enhancing technologies was discussed. Basically, technology is considered privacy-friendly when it prevents traceability to a person (be it an individual or a company). In the implementation report of the 1995 privacy directive (95/46/EC), the European Commission announced determined efforts to encourage and promote the use and further development of these technologies.

John Borking, former member of the Dutch data protection authority, defended PET as the most suitable method to prevent the linking of databases. When he unfolded the theory of machine-made privacy choices, he was sharply attacked by the Swedish business representative Stephan Goldberg. According to Goldberg, "that kind of privacy-ontology is mainly a reflection of the typical idea of engineers that law is simple, and can thus easily be implemented in technology".

A large part of the workshop was devoted to anonymity. According to Stephanie Perrin, as a government official largely responsible for privacy legislation in Canada, the nucleus of any privacy legislation is anonymity. She expressed regret that PET is now largely associated with weaker protection mechanisms, like opt-out boxes on websites and cookie-management tools. As executive officer of Zero Knowledge Systems, creators of the defunct anonymizer tool 'Freedom', she was closely involved with the creation of a tool with anonymity at its core. But acknowledging the market failure of this and similar tools, she argued the Commission should help develop these tools and generally focus on anonymity.

Peter Hustinx, chief of the Dutch data protection authority and candidate for the new function of EU Data Protection Supervisor, didn't agree. Besides anonymity, it is also useful to promote the use of partial, non-personalised, data. Legally such a requirement can be based on article 17 of the 1995 privacy directive (95/46/EC), which requires that controllers implement security measures which are appropriate to the risks presented for personal data in storage or transmission, with a view to protecting personal data against accidental loss, alteration, unauthorised access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. According to Hustinx, this article is too easily considered old-fashioned in its stress on security, but it also prevents unlawful collection and processing of personal data.

Implementation report on Directive 95/46/EC (15.05.2003)
http://europa.eu.int/comm/internal_market/privacy/lawreport_en.htm