The Annual Privacy Forum took place on 7 June 2017. This event, which has been organised by the European Network and Information Security Agency (ENISA) on an annual basis since 2012, and supported by the EDPS, brings together researchers, regulators and business dealing with privacy in the IT services we use on a daily basis.
I had the honour of giving the opening keynote speech and took the opportunity to refer to the recent cyber-attack known on social media as #WannaCry.
The attack demonstrated the importance of advice previously issued by both the EDPS and ENISA: If we create backdoors to our devices or our encryption schemas, criminals and terrorists, the supposed targets of these measures, will abuse the reduced security of our devices or encryption for their own purposes. I pointed out that appropriate security measures, required under data protection law, would have prevented the recent attacks and should have been applied to all important IT systems.
Installing security updates, deactivating unnecessary features and taking regular backups on secure media protected billions of IT systems against the WannaCry attacks, or at least made the data encryption attack pointless. The work of ENISA and Computer Emergency Response Teams, such as CERT-EU, plays a very important role in this.
I also remarked that the idea of security vs. privacy is actually a false dichotomy, which provoked some discussion. It is important to remember that the individual, and our ability to each live our own lives in dignity and free from the interference of others, and particularly the state, lies at the heart of both concepts.
Many interesting and important topics of discussion were on the Forum’s agenda and my EDPS colleague Peter Kraus participated in one of them as a member of the panel. Presenting on the practical implementation of the GDPR in mobile applications, he represented the views of Data Protection Authorities (DPAs) on this issue alongside Data Protection Commissioner of Schleswig-Holstein, Marit Hansen. Peter Fleischer of Google and Arndt Gerdes of Huawei Technologies provided the views of the private sector.
Peter Kraus made the point that those responsible for personal data (controllers) have to be aware of the difficulty of obtaining consent on certain mobile devices. He gave the example of mobile devices which have no visible display. Additionally, in cases such as smart cars, where multiple, complex and diverse processing operations might be expected to take place, it would be difficult for users to provide meaningful consent.
Informed consent means that the user must be able to understand the consequences of giving consent. This is especially important in cases where consent is given for two distinct services, as the user may not be aware of the possible implications of a controller combining the received data sets.
With its combination of technical presentations and policy debates, the Annual Privacy Forum provides an interesting mix of information and discussion on privacy, security and technology issues. The EDPS was proud to contribute to this discussion and we look forward to providing continued support for this event in the future.