Engineering privacy: the IPEN Initiative
“How can we develop internet structure, services and apps which respect user privacy and personal data?” This question was at the core of today’s meeting of privacy experts and developers from industry, academia and free software in Berlin. The first workshop of the Internet Privacy Engineering Network (IPEN) was an important step in building a community which works on developing engineering solutions to effectively protect and enhance privacy on the internet.
The IPEN workshop in Berlin was co-organised by several European data protection authorities, privacy researchers and expert groups as an opportunity to work on closing the gap between technical solutions and privacy needs.
Peter Hustinx, EDPS, said: "Over the past 10 years, data protection authorities have strengthened their technical expertise considerably, allowing them to define data protection requirements for new technologies more precisely. Today's event marks a new phase in the dialogue of these authorities with system developers to start cooperating directly on the privacy engineering challenge."
Alexander Dix, Berlin Commissioner for Data Protection and Freedom of Information, said: "For over 30 years, the Berlin Group has been analysing the privacy risks of technology and advising on the safeguards. In doing so, it has brought privacy commissioners and scientific experts from all over the world closer together. I am delighted to see that IPEN is building on this experience in addressing the issues of engineering privacy on the internet."
Peter Schaar, Chairman of the European Academy for Information Freedom and Data Protection (EAID), said: "Cooperation of data protection experts and internet developers requires both communities to make efforts to understand each other. Bridging this communication gap is a learning challenge that EAID can facilitate with our access to experts from all the relevant fields."
Protection of privacy on the Internet has become one of the most challenging issues in the field of data protection. In particular, last year’s revelations of mass surveillance triggered a debate among internet engineers, who see it as their responsibility to safeguard the personal data and privacy of internet users. IPEN, launched in 2014 by the EDPS in collaboration with national DPAs, academics and engineers, is one of the results. It is designed to serve as a platform for the cooperation and exchange of ideas between Data Protection Authorities (DPAs) and internet engineers.
IPEN encourages IT specialists to develop privacy friendly solutions and to recognise the impact of their technical choices on users' privacy. As a network of privacy experts from the technical, developer and policy communities, IPEN will work on three main tasks:
- To share information about on-going initiatives and projects addressing privacy-related development needs;
- To identify 'use cases' - where tech engineers identify a series of steps that will enable them to solve a specific problem - for which privacy can be implemented at the design level; and,
- To launch projects for the development of tools and building-blocks which enable and enhance privacy.
In addition, IPEN will build a repository of relevant resources, making its findings and knowledge base accessible to all participants, developers and privacy experts.
Thus far, IPEN has been presented at a number of events and has garnered support from 'hackers', open source developers, internet and web engineers, academic researchers and developers, as well as experts in national DPAs.
Background information
The workshop in Berlin was co-organised by the EDPS, the DPAs of France, the UK, the Netherlands, Ireland, Berlin and Schleswig Holstein, the Oxford Internet Institute, University College London, the OWASP Privacy Risks Project and the European Academy for information Freedom and Data Protection (Berlin).
The IPEN meeting agenda and list of speakers are available on the EDPS website.
Privacy and data protection are fundamental rights in the EU. Under the Data Protection Regulation (EC) No 45/2001, one of the duties of the EDPS is to advise the European Commission, the European Parliament and the Council on proposals for new legislation and a wide range of other issues that have an impact on data protection. Furthermore, EU institutions and bodies processing personal data presenting specific risks to the rights and freedoms of individuals ('data subjects') are subject to prior-checking by the EDPS. If in the opinion of the EDPS, the notified processing may involve a breach of any provision of the Regulation, he shall make proposals to avoid such a breach.
Personal data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, e-mail addresses and telephone numbers. Other details such as health data, data used for evaluation purposes and traffic data on the use of telephone, email or internet are also considered personal data.
Privacy: the right of an individual to be left alone and in control of information about him or herself. The right to privacy or respect for private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Data processing: processing of personal data refers to any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. See EDPS glossary for more information.