Privacy, recognised as a fundamental right by the Treaty of the EU and the Universal Declaration of Human Rights, is a much-debated concept with respect to the online world. Many services are provided free in exchange for personal information that is used to sell advertising. Emerging technologies also make it increasingly easy to collect, store and process huge amounts of personal data of Internet users. The challenge is to ensure that users are fully aware of what private information is being collected and what it is being used for, and that they are empowered to make real choices about whether they want that to happen or not.
The ability to collate, mine and monetise data can deliver huge financial rewards – but consumers must be able to trust that those with access to personal data are using it only in ways for which they have given express permission.
ICOMP believes that complying with privacy rules is not only respectful of users but is also a pre-condition for effective competition in the online marketplace. Competition based on the quality of privacy practices can and will normally lead to continuous improvement of users’ privacy and stimulate innovation in this area. Those companies that offer better privacy protection than their competitors will gain a competitive advantage. However, appropriate enforcement of existing regulatory frameworks is required to ensure a fair playing field for all and to guard against a race to the bottom in terms of privacy protection.
ICOMP acknowledges that the current debate on the revision of the EU’s data protection legislation touches upon many of these issues. The complexity of this matter is often such that it is hard to find the right balance between guaranteeing adequate protection of privacy and allowing users access to the free services they love. It is for this reason that ICOMP formulated a number of principles for effective privacy protection, which should guide the deployment of online services and platforms alike.
PRINCIPLES FOR EFFECTIVE PRIVACY PROTECTION
- Data minimisation: only those data should be collected that are necessary for the service requested; this principle applies both to data expressly requested from the user and to all other data collected by the provider of the service.
- Proportionality: the “value” of the data to the person whose data are being collected should not exceed the advantage that he or she gains by using the service or “app”. This principle applies in addition to the principle of data minimisation.
- Proactive not Reactive: Privacy-invasive events must be anticipated and prevented before they happen.
- Privacy by Default: No action should be required on the part of the individual to protect their privacy — it should be built into the system, by default.
- Privacy Embedded into Design: Privacy should be embedded into the design and architecture of IT systems and business practices, not bolted on as an add-on.
- Full Functionality: All legitimate interests and objectives should be accommodated in a positive-sum “win-win” manner.
- End-to-End Security – Lifecycle Protection: Ensure secure lifecycle management of information, end to end.
- Visibility and Transparency: The privacy component parts and operations should remain visible and transparent to users and providers alike.
- Respect for User Privacy: Keep the interests of the individual uppermost by offering strong privacy defaults, such as appropriate notice and opt-out options, and empowering user-friendly options.