The 2019 Internet Privacy Engineering Network (IPEN) workshop takes place today at LUISS Guido Carli University in Rome, Italy. Co-hosted by LUISS University and the Università di Roma Tor Vergata, this year’s workshop will focus on what constitutes state of the art technology in data protection by design, in an effort to help establish a common understanding of this concept, the European Data Protection Supervisor explained.
Under the EU’s General Data Protection Regulation (GDPR) and the new data protection rules for the EU institutions, the need to consider personal data protection when designing technological solutions is now a legal obligation. This includes embedding measures into new technologies to ensure that the fundamental rights of individuals are adequately protected when their personal data is processed. To do this, controllers and developers, regulators and legal experts all need to understand what they should consider as state of the art technology. This includes being able to determine which practices do not meet this standard, as well as which practices help to enhance data protection.
Wojciech Wiewiórowski, Assistant Supervisor, said: “The EU’s new data protection rules provide us with the tools to empower society and protect individuals when using information technology. However, the success of these tools relies largely on the implementation of the principles of data protection by design and by default by technology designers and controllers, and their enforcement by regulators. A common understanding of what is considered to be state of the art in this area is therefore essential, and will contribute to ensuring the creation of new and smart design in processes, technologies and business models that will ensure effective protection of individuals and their dignity. IPEN provides a forum for discussion for developers, legal experts and regulators to advance this common understanding, and is a network through which pragmatic technological solutions can be evaluated, considered and developed in conjunction with scientists and IT experts.”
With the help of experts from academia, industry and public authorities, the workshop will explore four key areas: the concept of state of the art in the fields of law, information security and privacy engineering; the creation of business models based on privacy-friendly technologies; privacy engineering, or how to embed data protection by design into technological development; and anonymisation and de-identification, focusing on the circumstances under which it can be assumed that data is no longer related to an identifiable individual. Maurizio Naldi, from the Università di Roma Tor Vergata, Assistant EDPS Wojciech Wiewiórowski and Giovanna Bianchi Clerici from the Garante per la protezione dei dati personali will also address participants.
The workshop marks a change in approach for IPEN, which in its work to date has focused more generally on exploring the concepts at stake for privacy engineering, clarifying their interpretation and providing a platform for showcasing available privacy-friendly solutions. The 2019 workshop aims to move forward from this general approach to establish a more specific and practical understanding of privacy-friendly technological development.
The protection of personal data is a fundamental right guaranteed by Article 8 of the EU Charter of Fundamental Rights. The specific rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725. These rules replaced those set out in Regulation (EC) No 45/2001 on 11 December 2018. The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising them on policies and legislation that affect privacy and personal data protection and cooperating with other supervisory authorities to ensure consistency in the protection of personal data.
Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are the members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five-year term, they took office on 4 December 2014.
IPEN: The Internet Privacy Engineering Network was established by the EDPS in 2014 to promote and advance the state of the art in privacy engineering. The Network invites participants from different areas, such as regulation, academia, open source and business development to come together to find engineering solutions to privacy challenges. The main objective is to integrate data protection and privacy into all phases of the technological development process.
Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details, such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about him or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Processing of personal data: According to Article 4(1) of Regulation (EU) No 679/2016, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” See the glossary on the EDPS website.
EU Data Protection Reform package: On 25 January 2012, the European Commission adopted its reform package, comprising two legislative proposals:
The official texts of the Regulation and the Directive are now recognised as law across the European Union (EU) and are fully applicable across the EU.
Regulation 45/2001, which addresses data protection in the EU institutions and bodies, was replaced by Regulation (EU) 2018/1725 on 11 December 2018.