
E-PRIVACY

(A.) Policy and legislation

(A.1) Policy objectives

The ePrivacy Directive and the General Data Protection Regulation provide the legal framework to ensure digital privacy for EU citizens. The European Commission proposed a Regulation [3] in 2017 to modernise the ePrivacy Directive and provide stronger privacy protection to users of all electronic communications services. The EU General Data Protection Regulation ensures that personal data can only be gathered under strict conditions and for legitimate purposes. Organisations that collect and manage your personal information must also protect it from misuse and respect certain rights.

The ePrivacy Directive builds on the Charter of Fundamental Rights of the European Union and protects the privacy and confidentiality of electronic communications and the terminal equipment of the user of electronic communications networks and any information stored on such equipment.

The enforcement of the EU data protection and privacy legal framework would be made easier if data processing products and processes were designed and built from the beginning with legal requirements in mind. This is referred to as ‘data protection by design’. Standards may lay out the basic requirements for data protection by design for products and processes, minimising the risk of (i) divergent national approaches, with their related risks to freedom of movement of products and services, and (ii) the development of several, potentially conflicting, private de-facto standards. This could be combined with the emergence of certification services: businesses that want their products and processes audited as being “privacy by design”-compliant would have to fulfil a set of requirements defined through appropriate EU standards and robust, independent third-party certification mechanisms.

The principles of data protection by design and by default, as well as the need to undergo a data protection and privacy impact assessment, are included in the General Data Protection Regulation 2016/679/EU (GDPR). This regulation replaced the Data Protection Directive 95/46/EC and has applied since 25 May 2018.

(A.2) EC perspective and progress report

The focus will be on establishing a number of reference standards and/or specifications relevant to privacy in the electronic communications environment to serve as a basis for encouraging the consistent adoption of standardised practices across the EU and, where relevant, on developing harmonised standards.

The Commission has issued a standardisation request to European standards organisations seeking to routinely include privacy management methodologies in both the design and production phases of security technologies generally. (Privacy by design)

(A.3) References

The following legal instrument should be considered at European level:

Regulation (EU) 2016/679 on the protection of natural persons with regard to personal data processing and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Article 25 calls for data protection by design and by default.

Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive)

Directive 2014/53/EU on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing the Radio Equipment and Telecommunications Terminal Equipment (R&TTE) Directive 1999/5/EC. Article 3(3)(e) of this Directive requires that radio equipment within certain categories or classes shall be so constructed that it “[…] incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected”. The Commission is empowered to adopt delegated acts specifying which categories or classes of radio equipment are concerned by each of the requirements, and there is ongoing work on the matter.

(B.) Requested actions

In the light of the accountability and privacy by design principles, ICT standards generally should be created in order to ensure a high level of protection of individuals with regard to personal data processing, the free movement of such data, and the application of privacy by design methodologies. Privacy and data protection standards should thus be examined, developed or improved where necessary, so as to provide standardised methods that support that review and improvement in due respect of EU data protection rules.

Proposed specific areas for SDOs to focus on are:

Action 1 Continuing work on standardising browser functionalities and defaults to enable users to easily control whether they want to be tracked.

Action 2 SDOs to work on standardised solutions for location data used by mobile applications.

Action 3 SDOs to investigate standards for supporting compliance and certification of compliance with GDPR and possible other EU data privacy requirements. A gap analysis should also be run to identify the future work that may have to be prioritised.

Action 4 Promote EU-wide attention to standardisation of privacy statements and terms & conditions, given that there is mandatory acceptance of diverse, ambiguous and far-reaching online privacy conditions, and taking into account the GDPR. The Kantara CIS work and the data use statements described in ISO/IEC 19944 could be used as a basis for this action.

Action 5 SDOs to continue investigating technical measures apt to make personal data anonymous or pseudonymised (and therefore unintelligible by those who are not authorised to access them).

Action 6 SDOs to continue investigating how to warrant a user-centric approach in privacy & access management: see http://www.laceproject.eu/blog/give-students-control-data/ and http://www.lvm.fi/julkaisu/4440204/mydata-a-nordic-model-for-human-centred-personal-data-management-and-processing.

Action 7 SDOs to prevent unwarranted pervasive monitoring by default when developing standards. This is relevant not only in the context of the internet but also the IoT.

Action 8 SDOs to develop secure coding standards for secure application development: EU-wide attention to standardisation of privacy statements and terms & conditions as far as possible, given the existing state of mandatory acceptance of diverse, ambiguous and far-reaching online privacy conditions, taking into account the GDPR and the emergence of the IoT, where (embedded) devices process the device owner’s personal data and possibly different device users’ personal data, creating additional challenges to transparency and informed consent.

(C.) Activities and additional information

(C.1) Related standardisation activities

Various activities are in place, as detailed in the table below. Due account should also be taken of the activities of the DG GROW working group on “Privacy by Design”, which includes standardisation participants and other stakeholders. The Commission issued in October 2014 the standardisation request M/530 “Standards for privacy & personal data protection management”, in support of privacy management in design, development, production, and service provision processes of security technologies. The goal is that manufacturers & providers manage privacy & personal data protection issues through privacy-by-design.

ETSI

ETSI TC CYBER (TC CYBER work programme) is the most security-focused technical committee in ETSI and leads the response to European Commission (EC) Mandate M/530 on Privacy by Design. TC CYBER is recognised as a major trusted centre of expertise offering market-driven standardisation solutions that increase privacy and security for organisations and citizens across Europe and worldwide. TC CYBER published standards on cryptography for protecting personal data securely, with fine-grained access controls (Attribute-Based Encryption), a practical introductory guide to Technical Standards for Privacy, and mechanisms for privacy assurance. More generally, TC CYBER works on mechanisms for IoT discovery that prevent and restrict superfluous disclosure of device identity information to form a connection, which protects user and device privacy. TC CYBER’s series on Middlebox Security Protocols creates protocols for a new generation of more privacy-focused proxies, whilst also providing robust security. Consumer IoT security and privacy: EN 303 645, the first globally applicable standard for IoT security, covers data protection.

https://www.etsi.org/technologies-clusters/technologies/cyber-security

ETSI ISG CIM is working on requirements for enabling privacy and security when registering/exchanging context information which may contain identification of natural persons (ETSI GR 007).

3GPP TS 33.501 “Security architecture and procedures for 5G System” covers privacy for mobile.

CEN and CENELEC

CEN-CLC/JTC 13 ‘Cybersecurity and Data protection’ develops standards for data protection, information protection and security techniques, with a specific focus on cybersecurity covering all concurrent aspects of the evolving information society, including privacy guidelines. The JTC adopts international standards (such as those of ISO/IEC JTC 1) as ENs, adding specific European requirements that reflect the European legislative and policy context (Cybersecurity Act, GDPR, NIS, sectoral legislation), to support privacy protection in the European context.

CEN-CLC/JTC 13 is finalizing the development of prEN 17529 ‘Data protection and privacy by design and by default’. The EN will provide the component and subsystems developers with an early formalized process for identification of privacy objects and requirements, as well as the necessary guidance on associated assessment. This project is being developed in response to the Standardisation Request M/530 on ‘privacy and personal data protection management in the design and development and in the production and service provision and process in the security technologies’.

Moreover, CEN/TC 224 ‘Personal identification and related personal devices with secure element, systems, operations and privacy in a multi sectorial environment’ develops standards for strengthening the interoperability, security and privacy of personal identification and its related personal devices and systems.

IEEE

IEEE has several standards activities in the ePrivacy space:
• Under the LAN/MAN Standards Committee a Recommended Practice (IEEE 802E-2020) has been developed to specify a privacy threat model for IEEE 802 technologies and provide recommendations on how to protect against privacy threats, which is important as IEEE 802 technologies play a major role in Internet connectivity.
• Several projects are ongoing in the area of personal data privacy, as an outcome of the IEEE Global Initiative for Ethical Considerations in Autonomous and Intelligent Systems. These projects include:
  - IEEE P1912 Privacy and Security Framework for Consumer Devices,
  - IEEE 2410-2021: Standard for Biometric Privacy,
  - IEEE P2876 Privacy in Online Gaming,
  - IEEE P7002 - IEEE Draft Standard for Data Privacy Process, and
  - IEEE P7012 - Standard for Machine Readable Personal Privacy Terms.
• Some standards activities address privacy for children and youth, including:
  - IEEE P2089 standard for Age Appropriate Digital Services based on 5Rights Principles, and
  - IEEE P7004.1 - Recommended Practices for Virtual Classroom Security, Privacy and Data Governance.
• Another area is privacy of data in healthcare:
  - IEEE P2933 - Standard for Clinical Internet of Things (IoT) Data and Device Interoperability with TIPPSS - Trust, Identity, Privacy, Protection, Safety, Security,
  - IEEE P2968.2 - Trial Use Recommended Practice for Decentralized Clinical Trials Threat Modeling, Cybersecurity, and Data Privacy,
  - Industry Connections - Transforming the Telehealth Paradigm: Sustainable Connectivity, Accessibility, Privacy, and Security for All, and
  - IEEE P2049.2 - Standard for Human Augmentation: Privacy and Security.
• Pre-standardisation activities will develop frameworks towards solutions that facilitate digital inclusion, support privacy through trust, personal data agency, sovereignty, resilience, and security.

IEEE also has other new standardisation projects for privacy in consumer wireless devices and drones.

For more information please visit https://ieeesa.io/rp-eprivacy

W3C

An initiative to develop specifications by which Internet users may express their permission (or the withholding of their permission) to have their presence and activities on websites tracked (the “Do Not Track” concept), and to help Internet users to express their consent or refusal to be tracked on the internet. The working group will be closed towards year end 2018. Information will remain available at:

http://www.w3.org/2011/tracking-protection/

The W3C Data Privacy Vocabularies and Controls CG (DPVCG) develops a taxonomy of privacy terms, which includes in particular terms from the new European General Data Protection Regulation (GDPR), such as a taxonomy of personal data as well as a classification of purposes (i.e., purposes for data collection), and events of disclosures, consent, and processing such personal data. This will help to create data protection aware data handling policies for systems based on linked data such as the Web of Things.

OASIS

The OASIS Privacy Management Reference Model (PMRM) TC provides a guideline or template for developing operational solutions to privacy issues. It also serves as an analytical tool for assessing the completeness of proposed solutions and as the basis for establishing categories and groupings of privacy management controls. One of its outputs is a Quick Start Guide for Data Protection to Support Regulatory Compliance.

The OASIS Classification of Everyday Living (COEL) TC provides a privacy-by-design framework for behavioural data collection and reporting. It provides a framework for implementing a distributed system capable of capturing data relating to an individual as discrete events.

The OASIS Context Server (CXS) TC was chartered to create specifications for Customer Data Platforms as a core technology for enabling the delivery of personalised user experiences. A CDP not only aggregates personal data from various sources, but can also manage consents and profiles. In specific cases, a CDP may act as the source of truth across systems and enable effective privacy management.

The OASIS Privacy by Design Documentation for Software Engineers (PbD-SE) TC provided privacy governance and documentation standards for software engineers. It enables software organisations to embed privacy into the design and architecture of IT systems, without diminishing system functionality.

IETF

The SIP Best-practice Recommendations Against Network Dangers to privacY (sipbrandy) WG will define best practices for establishing two-party, SIP-signaled SRTP sessions with end-to-end security associations, including a single, preferred SRTP key exchange mechanism. These practices are expected to be deployable across typical SIP networks, without the sharing of SRTP keying material with intermediaries or third parties. These practices should protect against man-in-the-middle attacks.

The DNS PRIVate Exchange (dprive) WG develops mechanisms to provide confidentiality to DNS transactions, to address concerns surrounding pervasive monitoring (RFC 7258). The set of DNS requests that an individual makes can provide an attacker with a large amount of information about that individual. DPRIVE aims to deprive the attacker of this information.

The DNS Over HTTPS (doh) WG standardised encodings for DNS queries and responses that are suitable for use in HTTPS. This enables the domain name system to function over certain paths where existing DNS methods (UDP, TLS [RFC 7857], and DTLS [RFC 8094]) experience problems. DNS Queries over HTTPS (RFC 8484) was published in October 2018.
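As an added illustration of the encoding the doh working group standardised (this is example code written for this page, not the IETF's; the resolver URL https://dnsserver.example.net/dns-query, the query name www.example.com and the 192.0.2.1 answer are constructed sample values), the block below builds a wire-format DNS query, wraps it in the RFC 8484 GET form (base64url in the `dns` parameter, padding stripped), and parses a constructed response whose answer uses a name-compression pointer:

```python
"""RFC 8484 DNS-over-HTTPS query encoding and response parsing (added example)."""
from __future__ import annotations

import base64
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Encode a domain name as RFC 1035 length-prefixed labels ending in a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Wire-format query: 12-byte header (RD=1), one question, no other sections.
    RFC 8484 recommends message ID 0 so identical queries serialise identically
    and HTTP caches can reuse the response."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(resolver_url: str, message: bytes) -> str:
    """GET form: base64url without '=' padding, carried in the `dns` parameter."""
    enc = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={enc}"


def decode_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a name at `off`, following 0xC0 compression pointers (bounded hops).
    Returns (name, offset just past the name as it appeared in the stream)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_message(msg: bytes) -> dict:
    """Parse header, question and answer sections; A records become dotted quads."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == TYPE_A and rdlen == 4 else rdata
        answers.append((name, rtype, ttl, value))
    return {"id": qid, "flags": flags, "questions": questions, "answers": answers}


# Constructed sample response to the query below: flags 0x8180 (QR, RD, RA),
# one answer whose owner name is a pointer (0xC00C) to the question name at
# offset 12, TTL 300, A record 192.0.2.1 (documentation address).
SAMPLE_QUERY = build_query("www.example.com")
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(doh_get_url("https://dnsserver.example.net/dns-query", SAMPLE_QUERY))
    print(parse_message(SAMPLE_RESPONSE))
```

The fixed ID and padding-free base64url are what make the GET form cacheable by ordinary HTTP infrastructure; the bounded pointer-hop count in `decode_name` is the kind of check a parser needs because a hostile response can otherwise send it round a pointer loop.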

The Privacy Pass (privacypass) WG is standardising a protocol that provides a performant, application-layer mechanism for token creation and anonymous redemption. Servers (Issuers) create and later verify tokens that are redeemed by an ecosystem of clients, such that:

  • An Issuer cannot link a redeemed token to one of N previously created tokens using the same key with probability non-negligibly larger than 1/N.
  • Clients can verify that a token created by an Issuer corresponds to a committed keypair.
  • Tokens are unforgeable.
  • The token issuance and redemption mechanisms are efficient.
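The four properties above, made concrete in a toy RSA blind-signature token flow. This is an added example written for this page, not the working group's specification or code: the issuer key (two small constructed primes, textbook RSA on a bare hash) exists only to keep the arithmetic readable, and the `Issuer`, `client_*` and `run_demo` names are this example's own. The point it shows is that the issuer only ever sees blinded values at issuance and bare (nonce, signature) pairs at redemption, with the blinding factor never leaving the client:

```python
"""Toy blind-signature token issuance and redemption (added example)."""
from __future__ import annotations

import hashlib
import secrets
from math import gcd

# Constructed toy RSA key (assumption for readability). A real deployment uses a
# 2048-bit or larger modulus and a padded blind-signature scheme; unpadded RSA
# on a bare hash is a teaching device only.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))            # issuer's private exponent
ISSUER_PUBLIC_KEY = (N, E)                     # the "committed keypair" clients rely on


def token_hash(nonce: bytes) -> int:
    """Map the client's random token nonce into Z_N."""
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % N


def client_blind(nonce: bytes) -> tuple[int, int]:
    """Issuance, client side: hide H(nonce) behind a random factor r (m' = m * r^e)."""
    n, e = ISSUER_PUBLIC_KEY
    m = token_hash(nonce)
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    return (m * pow(r, e, n)) % n, r


def client_unblind(blinded_sig: int, r: int) -> int:
    """Remove r: (m^d * r) * r^-1 = m^d mod N, the usable token signature."""
    n, _ = ISSUER_PUBLIC_KEY
    return (blinded_sig * pow(r, -1, n)) % n


def client_verify(nonce: bytes, sig: int) -> bool:
    """Property 2: the client checks the token against the committed public key."""
    n, e = ISSUER_PUBLIC_KEY
    return pow(sig, e, n) == token_hash(nonce)


class Issuer:
    """Holds the private key and records what it observes at each phase."""

    def __init__(self) -> None:
        self.issuance_log: list[int] = []      # only blinded values are ever seen here
        self.redeemed: set[bytes] = set()

    def sign_blinded(self, blinded: int) -> int:
        self.issuance_log.append(blinded)
        return pow(blinded, D, N)               # (m * r^e)^d = m^d * r mod N

    def redeem(self, nonce: bytes, sig: int) -> bool:
        """Property 3: only a genuine signature passes; each token is spent once."""
        if pow(sig, E, N) != token_hash(nonce):
            return False
        if nonce in self.redeemed:
            return False                        # double-spend attempt
        self.redeemed.add(nonce)
        return True


def issue_and_redeem(issuer: Issuer, nonce: bytes) -> tuple[int, bool]:
    blinded, r = client_blind(nonce)
    sig = client_unblind(issuer.sign_blinded(blinded), r)
    assert client_verify(nonce, sig)           # client-side check before spending
    return sig, issuer.redeem(nonce, sig)


def run_demo() -> dict:
    """Two clients obtain and spend tokens; report which properties held."""
    issuer = Issuer()
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)
    sig_a, ok_a = issue_and_redeem(issuer, nonce_a)
    sig_b, ok_b = issue_and_redeem(issuer, nonce_b)
    # Property 1 (unlinkability): nothing logged at issuance reappears at
    # redemption, so the issuer cannot pair a spent token with its issuance.
    seen_at_issuance = set(issuer.issuance_log)
    seen_at_redemption = {token_hash(nonce_a), token_hash(nonce_b), sig_a, sig_b}
    # Without D, a guessed signature does not verify.
    forged_ok = issuer.redeem(secrets.token_bytes(16), secrets.randbelow(N))
    return {
        "redeemed": ok_a and ok_b,
        "unlinkable": seen_at_issuance.isdisjoint(seen_at_redemption),
        "replay_rejected": not issuer.redeem(nonce_a, sig_a),
        "forgery_rejected": not forged_ok,
    }


if __name__ == "__main__":
    print(run_demo())
```

Property 4 (efficiency) is visible in the shape of the exchange rather than the numbers: one modular exponentiation per side at issuance and one at redemption, with no interactive proof. The replay set in `Issuer.redeem` is the piece that turns an unforgeable signature into a single-use token.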

The QUIC (quic) WG is developing the QUIC protocol, which provides end-to-end security for transport connections, including protection of header fields that are left unprotected by TLS. The QUIC working group’s specifications are currently in last call and will soon become recognised standards. The use of QUIC in the Internet is already quite high and growing.

Many network topologies lead to situations where transport protocol proxying is beneficial. For example, proxying enables endpoints to communicate when end-to-end connectivity is not possible, or to apply additional encryption where desirable (such as a VPN). Proxying can also improve client privacy, e.g., by hiding a client’s IP address from a target server. The Multiplexed Application Substrate over QUIC Encryption (masque) WG is developing mechanism(s) that allow configuring and concurrently running multiple proxied stream- and datagram-based flows inside an HTTPS connection. These mechanism(s) are collectively called MASQUE.

The MAC address Device Identification for Network and Application Services (madinas) Working Group is documenting recommended means to reduce the impact of randomized and changing MAC addresses (RCM) while ensuring that the privacy achieved with RCM is not compromised. The Working Group will liaise with other relevant organizations, such as IEEE 802 and the Wireless Broadband Alliance (WBA), by coordinating on the different recommendations, as well as potential follow-up activities within or outside the IETF.

The Privacy Enhancements and Assessments Research Group (PEARG) in the IRTF is a general forum for discussing and reviewing privacy enhancing technologies for network protocols and distributed systems in general, and for the IETF in particular.

https://trac.ietf.org/trac/iab/wiki/Multi-Stake-Holder-Platform#ePrivacy

ISO/IEC JTC 1

ISO/IEC JTC 1 SC 7 on System and software engineering published a set of standards (ISO/IEC 25000 series and specifically 25024) that includes the possibility to design specific privacy measures.

https://www.iso.org/committee/45086.html

ISO/IEC JTC 1 SC 27 on IT Security Technologies published a Code of Practice for the protection of personally identifiable information (PII) in the public cloud (ISO/IEC 27018:2014), and is developing a draft international standard privacy capability assessment model (ISO/IEC DIS 29190). Another relevant work item is ISO/IEC 27552 - Enhancement to ISO/IEC 27001 for privacy management - Requirements.

http://www.iso.org/iso/iso_technical_committee?commid=45306

ISO/IEC JTC 1 SC 27 WG 5 Identity management and privacy technologies

Published standards:

ISO/IEC 29100:2011 “Privacy framework”

Provides a general conceptual framework on the topic of privacy and personal data

ISO/IEC 24760 “IT Security and Privacy — A framework for identity management” (3 parts from 2019, 2015, and 2016)

Gives a framework to assess and influence whether individuals can be identified, or not identified, in the context of data, and who can influence and control this and how

ISO/IEC 29101:2018 “Privacy architecture framework”

Provides a conceptual framework on the handling of privacy and personal data

ISO/IEC 20889:2018 “Privacy enhancing data de-identification terminology and classification of techniques”

Defines a terminology and classifies techniques to assess whether data are personal data or not

ISO/IEC 29134:2017 “Guidelines for privacy impact assessment”

Provides a conceptual framework to assess the impact of data (processing) on privacy and how data strategies can consider that

ISO/IEC 29146:2016 “A framework for access management”

Provides a conceptual framework to manage and strategize access to data

ISO/IEC JTC 1/SC 27/WG 5 SD4 “Standard Privacy Assessment (SPA)”

Provides guidance to consider privacy when and while developing standards, especially standards on handling data, freely available at https://www.din.de/en/meta/jtc1sc27/downloads

Standards under development:

ISO/IEC DIS 27559 “Privacy enhancing data de-identification framework”

Provides a conceptual framework to assess whether data are personal data or not

ITU-T

ITU-T SG17 works on data security and privacy-preserving technologies such as de-identification and multi-party computation. It has approved Recommendations ITU-T X.1058 “Information technology - Security techniques - Code of practice for Personally Identifiable Information protection”, ITU-T X.1087 “Technical and operational countermeasures for telebiometric applications using mobile devices”, ITU-T X.1148 “Framework of de-identification process for telecommunication service providers”, ITU-T X.1171 “Threats and requirements for protection of personally identifiable information in applications using tag-based identification”, ITU-T X.1212 “Design considerations for improved end-user perception of trustworthiness indicators”, ITU-T X.1250 “Baseline capabilities for enhanced global identity management and interoperability”, ITU-T X.1252 “Baseline identity management terms and definitions”, ITU-T X.1275 “Guidelines on protection of personally identifiable information in the application of RFID technology”, ITU-T X.1403 “Security considerations for using distributed ledger technology data in identity management”, ITU-T X.1451 “Risk identification to optimize authentication”, ITU-T X.1363 “Technical framework of personally identifiable information (PII) handling system in IoT environment”, ITU-T X.1770 “Technical guidelines for secure multi-party computation” (under approval as of Sept 2021), and is developing many more draft Recommendations in this domain (X.5Gsec-t, X.guide-cdd, X.sec-QKDN-tn, X.smsrc, X.scpa, X.sgos, X.rdda, X.vide, etc.).
More info: http://itu.int/ITU-T/go/tsg17

oneM2M

oneM2M standardises secure links between connected devices, gateways, communications networks and cloud infrastructure. The oneM2M SDS (System Design and Security) working group is also responsible for security and privacy.
Potential enhancements to oneM2M specifications required to support regulations such as GDPR or PIPA are investigated and defined in the current oneM2M work item WI-0095 - oneM2M System Enhancements to Support Data Protection Regulations.
All oneM2M Specifications are openly accessible under Specifications (onem2m.org).

(C.2) Other activities related to standardisation

Kantara

User-Managed Access (UMA): UMA is an OAuth-based protocol designed to protect the privacy of web users by giving them a unified control point for authorising access to online personal data, content, and services, no matter where they are hosted.
http://kantarainitiative.org/confluence/display/uma/Home

Consent & Information Sharing Workgroup (CIS)

People’s capacity to manage their privacy is increased if they are able to aggregate and manage consent & information sharing relationships with consent receipts. Standardised consent receipts also provide the opportunity for organisations to advertise trust. The core receipt specification addresses general, or regulatory, consent requirements. More elaborate consent receipts can become a vehicle for trust networks, federations, trust marks, privacy icons, assurances, certifications and self-asserted community and industry reputations.
https://kantarainitiative.org/confluence/display/infosharing/Home

(C.3) Additional information

Management of controls over the access to and ownership of data should be considered essential for effective implementation of privacy measures.

[3] Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), 10.01.2017, COM(2017) 10 final, https://ec.europa.eu/digital-single-market/en/news/proposal-regulation-privacy-and-electronic-communications