EU policy recommendations to enhance privacy and strengthen security

December 7, 2015

I am invited to a high-level conference co-organised by the LIBE Committee and the STOA Panel of the European Parliament together with the Luxembourg Presidency in Brussels this week. The title of the conference is "Protecting online privacy by enhancing IT security and strengthening EU IT capabilities". The aim is to discuss, interact and come up with bold, innovative, out-of-the-box ideas to help foster an EU online privacy protection and IT security strategy for the next years. In preparation they have asked all participants to submit their top-3 policy recommendations. Below you'll find mine.

1. Focus on the user

Many secure and privacy-friendly products and services are hard for the average user to use properly, or lack functionality that is important to the user. Sometimes this is because we still do not properly understand how to make such systems more user-friendly, or how to achieve certain functionality efficiently without sacrificing privacy or security. In these cases, policies should be developed to stimulate research to bridge these gaps. In other cases we know how to make such user-centric products and services, but they are not actually developed or offered in the market. In these cases policies must be designed that help overcome these barriers to the deployment of user-centric products and services that protect the privacy and security of their users without sacrificing the functionality that users look for in such products and services.

2. Both privacy and security are fundamental rights

Any policy recommendation that aims to increase online privacy protection needs to acknowledge the fact that there are strong forces from (national) security and law enforcement circles pushing for policies that aim to reduce privacy in order to increase (homeland) security. Both sides of the debate need to realise that privacy and security are both fundamental rights, and both deserve protection. Both sides also need to realise that they are not necessarily in contradiction with each other. I believe it is high time to have a fundamental debate involving all stakeholders to explore how to make progress on this issue. Europe could take the lead in this. Unfortunately, we are lacking solid and independently verifiable figures on the effectiveness of current investigative and surveillance powers. This makes it hard to determine the proportionality and subsidiarity of these measures. A first step towards resolving the issue is therefore to create policies that aim to increase the transparency of intelligence agencies and law enforcement. These policies should be aimed at increasing the amount of information available on the effectiveness of their operations and on the negative impact of these operations on privacy and other civil liberties, and in general at increasing the transparency and the strength of independent oversight.

3. Stimulate privacy by design

Many companies and organisations struggle with implementing data protection requirements in their day-to-day activities. In particular, privacy by design turns out to be a hard concept to grasp and make concrete. Europe should stimulate the development of methodologies and tools that make privacy by design more concrete and that help companies and organisations to implement it in practice. Also, Europe could support the creation of an independent platform where knowledge institutes, companies, policy makers, data protection authorities and other stakeholders can meet to discuss gaps, exchange information on best practices, and perhaps join forces to develop such methodologies and tools.
