
ePrivacy (RP2024)

(A.) Policy and legislation

(A.1) Policy objectives

The ePrivacy Directive and the General Data Protection Regulation provide the legal framework to ensure digital privacy for EU citizens. The European Commission proposed a Regulation in 2017 to modernise the ePrivacy Directive and provide stronger privacy protection to users of all electronic communications services. The EU General Data Protection Regulation ensures that personal data can only be gathered under strict conditions and for legitimate purposes. Organisations that collect and manage your personal information must also protect it from misuse and respect certain rights.

The ePrivacy Directive builds on the Charter of Fundamental Rights of the European Union and protects the privacy and confidentiality of electronic communications and the terminal equipment of the user of electronic communications networks and any information stored on such equipment.

The enforcement of the EU data protection and privacy legal framework would be made easier if data processing products and processes were designed and built from the beginning with legal requirements in mind. This is referred to as 'data protection by design'. Standards may lay out the basic requirements for data protection by design for products and processes, minimising the risk of (i) divergent national approaches, with their related risks to freedom of movement of products and services, and (ii) the development of several, potentially conflicting, private de-facto standards.

This could be combined with the emergence of certification services: businesses who want their products and processes audited as being "privacy by design"-compliant would have to fulfil a set of requirements defined through appropriate EU standards and robust, independent third-party certification mechanisms.

The principles of data protection by design and by default, as well as the need to undergo a data protection and privacy impact assessment, are included in the General Data Protection Regulation 2016/679/EU (GDPR). This regulation replaced the Data Protection Directive 95/46/EC and has applied since 25 May 2018.

(A.2) EC perspective and progress report

The focus will be on establishing a number of reference standards and/or specifications relevant to privacy in the electronic communications environment to serve as a basis for encouraging the consistent adoption of standardised practices across the EU and, where relevant, on developing harmonised standards.

The Commission has issued a standardisation request to European standards organisations seeking to routinely include privacy management methodologies in both the design and production phases of security technologies generally. (Privacy by design)

(A.3) References

The following legal instrument should be considered at European level:

  • Regulation (EU) 2016/679 on the protection of natural persons with regard to personal data processing and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Article 25 calls for data protection by design and by default.
  • COM/2017/010 final: Proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)
  • The Directive 2014/53/EU on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing the Radio Equipment and Telecommunications Terminal Equipment (R&TTE) Directive 1999/5/EC. Article 3(3)(e) of this Directive requires that radio equipment within certain categories or classes shall be so constructed that it “[…] incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected”. The Commission is empowered to adopt delegated acts specifying which categories or classes of radio equipment are concerned by each of the requirements, and there is ongoing work on the matter.

(B.) Requested actions

In the light of the accountability and privacy by design principles, ICT standards generally should be created in order to ensure a high-level of protection of individuals with regard to personal data processing, and the free movement of such data, and the application of privacy by design methodologies. Privacy and data protection standards should thus be examined, developed or improved if necessary, so as to provide standardised methods that support that review and improvement in due respect of EU data protection rules.

Proposed specific areas for SDOs to focus on are:

Action 1: Continuing work on standardising browser functionalities and defaults to enable users to easily control whether they want to be tracked.

Action 2: SDOs to work on standardised solutions for location data used by mobile applications. ISO/IEC 29184 Information technology - Online privacy notices and consent is adopted unmodified as EN ISO/IEC 29184.

Action 3: SDOs to investigate standards for supporting compliance and certification of compliance with GDPR and possible other EU data privacy requirements. A gap analysis should also be run so as to understand the future work that may have to be prioritised.

Action 4: Promote EU-wide attention to standardisation of privacy statements and terms & conditions, given that there is mandatory acceptance of diverse, ambiguous and far-reaching online privacy conditions, and taking into account the GDPR. The Kantara CIS work and the data use statements described in ISO/IEC 19944 could be used as a basis for this action.

Action 5: SDOs to continue investigating technical measures apt to make personal data anonymous or pseudonymised (and therefore unintelligible by those who are not authorised to access them).

Action 6: SDOs to continue investigating how to warrant a user-centric approach in privacy & access management: see http://www.laceproject.eu/blog/give-students-control-data/ and http://www.lvm.fi/julkaisu/4440204/mydata-a-nordic-model-for-human-centred-personal-data-management-and-processing.

Action 7: SDOs to prevent unwarranted pervasive monitoring by default when developing standards. This is relevant not only in the context of the internet but also in the IoT.

Action 8: SDOs to develop secure coding standards for secure application development: EU-wide attention to standardisation of privacy statements and terms & conditions as far as possible, given the existing state of mandatory acceptance of diverse, ambiguous and far-reaching online privacy conditions, taking into account the GDPR and the emergence of the IoT, where (embedded) devices process the device owner's personal data and possible different device users' personal data, creating additional challenges to transparency and informed consent.

(C.) Activities and additional information

(C.1) Related standardisation activities

Various activities are in place, as detailed in the table below. Due account should also be taken of the activities of the DG GROW working group on “Privacy by Design”, which includes standardisation participants and other stakeholders. The Commission issued in October 2014 the standardisation request M/530 “Standards for privacy & personal data protection management”, in support of privacy management in design, development, production, and service provision processes of security technologies. The goal is that manufacturers & providers manage privacy & personal data protection issues through privacy-by-design.

ETSI

ETSI TC CYBER (TC CYBER work programme) is the main committee in ETSI that develops standards for security and privacy and leads the response to European Commission (EC) Mandate M/530 on Privacy by Design. TC CYBER is recognized as a major trusted centre of expertise offering market-driven standardisation solutions that increase privacy and security for organizations and citizens across Europe and worldwide. TC CYBER published standards on cryptography for protecting personal data securely, with fine-grained access controls (Attribute-Based Encryption) and a practical introductory guide to Technical Standards for Privacy as well as mechanisms for privacy assurance. More generally, TC CYBER works on mechanisms for IoT discovery that prevent and restrict superfluous disclosure of device identity information to form a connection, which protects user and device privacy. TC CYBER's series on Middlebox Security Protocols creates protocols for a new generation of more privacy-focused proxies, whilst also providing robust security. Consumer IoT security and privacy EN 303 645, the first globally applicable standard for IoT security, covers data protection; the TS version (TS 103 645) is being enhanced to expand, amongst other things, the data protection provisions. TC CYBER has published work on the misuse of IoT home devices by perpetrators of domestic abuse, with a first step in the Guide to Cyber Security for Consumer Internet of Things (TR 103 621 V1.2.1) which now contains text on coercive control.

ETSI's security and privacy work is presented here https://www.etsi.org/technologies-clusters/technologies/cyber-security

ETSI ISG CIM is working on requirements and recommendations for enabling privacy and security when registering/exchanging context information, in particular using the NGSI-LD interface (ETSI GS CIM 009 V1.7.1), which may contain identification of natural persons (ETSI GR CIM 007).

3GPP TS 33.501 “Security architecture and procedures for 5G System” covers privacy for mobile.

CEN & CENELEC

CEN-CLC/JTC 13 'Cybersecurity and Data protection' develops standards for data protection, information protection and security techniques with specific focus on cybersecurity covering all concurrent aspects of the evolving information society, including privacy guidelines. The JTC adopts international standards (such as JTC 1) as ENs, with additional specific European requirements in the context of specific European legislative and policy context (Cybersecurity Act, GDPR, NIS, sectoral legislation), to support privacy protection in the European context.

EN 17529 'Data protection and privacy by design and by default' has been published in the meantime. Furthermore, JTC 13 develops prEN 17926 'Privacy Information Management System per ISO/IEC 27701 - Refinements in European context' to respect European requirements for Privacy Information Management Systems. This project is being developed in response to the standardisation request M/530 on 'privacy and personal data protection management in the design and development and in the production and service provision and process in the security technologies'.

Moreover, CEN/TC 224 'Personal identification and related personal devices with secure element, systems, operations and privacy in a multi sectorial environment' develops standards for strengthening the interoperability, security and privacy of personal identification and its related personal devices and systems.

IEEE

IEEE has several standards and pre-standards (IC) activities in the ePrivacy space:

  • Under the LAN/MAN Standards Committee a Recommended Practice (IEEE 802E) has been developed to specify a privacy threat model for IEEE 802 technologies and provide recommendations on how to protect against privacy threats, which is important as IEEE 802 technologies play a major role in Internet connectivity.
  • Several projects are ongoing in the area of personal data privacy, as an outcome of the IEEE Global Initiative for Ethical Considerations in Autonomous and Intelligent Systems, including:
      • IEEE 7002, Standard for Data Privacy Process
      • IEEE P7012, Standard for Machine Readable Personal Privacy Terms
  • Other relevant standards and pre-standards activities include:
      • IEEE 2410, Standard for Biometric Privacy
      • IEEE P1912, Privacy and Security Framework for Consumer Devices
      • IEEE P2876, Privacy in Online Gaming
      • IEEE P3117, Standard for Interworking Framework for Privacy-Preserving Computation
      • IEEE P3156, Standard for Requirements of Privacy-preserving Computation Integrated Platforms
      • IEEE P3169, Standard for Security Requirement of Privacy-Preserving Computation

Pre-standards activities include:

  • IC Cyber Security for Next Generation Connectivity Systems, with the aim to evaluate and rethink architectures that enhance Cyber Security in digital systems and also addressing privacy aspects.
  • IC Synthetic Data.

Some standards activities address privacy for children and youth, including:

  • IEEE 2089, Standard for an Age Appropriate Digital Services Framework Based on the 5Rights Principles for Children
  • IEEE P7004, Child and Student Data Governance

Another area is privacy of data in healthcare:

IEEE also has other new standardisation projects for privacy in consumer wireless devices and drones.

For more information, see: https://ieee-sa.imeetcentral.com/eurollingplan/

W3C

An initiative to develop specifications by which Internet users may express their permission (or the withholding of their permission) to have their presence and activities on websites tracked (the "Do Not Track" concept), and to help Internet users to express their consent or refusal to be tracked on the internet. The working group will be closed towards year end 2018. Information will remain available at:

http://www.w3.org/2011/tracking-protection/

The W3C Data Privacy Vocabularies and Controls CG (DPVCG) develops a taxonomy of privacy terms, which includes in particular terms from the new European General Data Protection Regulation (GDPR), such as a taxonomy of personal data as well as a classification of purposes (i.e., purposes for data collection), and events of disclosures, consent, and processing such personal data. This will help to create data protection aware data handling policies for systems based on linked data such as the Web of Things.

OASIS

The OASIS Privacy Management Reference Model (PMRM) TC provides a guideline or template for developing operational solutions to privacy issues. It also serves as an analytical tool for assessing the completeness of proposed solutions and as the basis for establishing categories and groupings of privacy management controls. One of its outputs is a Quick Start Guide for Data Protection to Support Regulatory Compliance.

The OASIS Classification of Everyday Living (COEL) TC provides a privacy-by-design framework for behavioral data collection and reporting. It provides a framework for implementing a distributed system capable of capturing data relating to an individual as discrete events.

The OASIS Context Server (CXS) TC was chartered to create specifications for Customer Data Platforms as a core technology for enabling the delivery of personalized user experiences. A CDP not only aggregates personal data from various sources, but can also manage consents and profiles. In specific cases, CDP may act as the source-of-truth across systems, and enable effective privacy management.

The OASIS Privacy by Design Documentation for Software Engineers (PbD-SE) TC provided privacy governance and documentation standards for software engineers. It enables software organizations to embed privacy into the design and architecture of IT systems, without diminishing system functionality.

IETF

The DNS PRIVate Exchange (dprive) WG develops mechanisms to provide confidentiality to DNS transactions, to address concerns surrounding pervasive monitoring (RFC 7258). The set of DNS requests that an individual makes can provide an attacker with a large amount of information about that individual. DPRIVE aims to deprive the attacker of this information.

The Privacy Pass (privacypass) WG is standardising a protocol that provides a performant, application-layer mechanism for token creation and anonymous redemption. Servers (Issuers) create and later verify tokens that are redeemed by an ecosystem of clients, such that:

  • An Issuer cannot link a redeemed token to one of N previously created tokens using the same key with probability non-negligibly larger than 1/N.
  • Clients can verify that a token created by an Issuer corresponds to a committed keypair.
  • Tokens are unforgeable.
  • The token issuance and redemption mechanisms are efficient.
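The four properties listed above are easiest to see in a concrete issuance/redemption flow. The following is an added illustration, not code from the Privacy Pass working group: it uses the RSA blind-signature construction (one of the issuance variants the group standardises) with deliberately tiny, constructed RSA parameters and a SHA-256 hash-to-integer, so the numbers are readable; the class and function names are the example's own.

```python
from __future__ import annotations

import hashlib
import secrets
from math import gcd

# Toy RSA key, CONSTRUCTED for illustration only; real issuers use 2048-bit or larger keys.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, e*d = 1 mod phi(N)


def hash_to_int(data: bytes) -> int:
    """Map a token nonce to a message in Z_N (toy hash-to-group)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


class Issuer:
    """Signs blinded tokens, later verifies redemptions; sees only blinded values at issuance."""

    def __init__(self) -> None:
        self.issuance_log: list[int] = []  # everything the issuer observed during issuance
        self.spent: set[bytes] = set()      # nonces already redeemed (double-spend check)

    def public_key(self) -> tuple[int, int]:
        return N, E

    def sign_blinded(self, blinded: int) -> int:
        self.issuance_log.append(blinded)
        return pow(blinded, D, N)

    def redeem(self, nonce: bytes, sig: int) -> bool:
        # Unforgeability: only a valid signature on H(nonce) under the issuer's key is accepted.
        if pow(sig, E, N) != hash_to_int(nonce):
            return False
        # Each token is redeemable exactly once.
        if nonce in self.spent:
            return False
        self.spent.add(nonce)
        return True


class Client:
    def __init__(self, issuer_pk: tuple[int, int]) -> None:
        self.n, self.e = issuer_pk

    def blind(self) -> tuple[bytes, int, int]:
        """Pick a fresh nonce and a random blinding factor r; send H(nonce) * r^e to the issuer."""
        nonce = secrets.token_bytes(32)
        while True:
            r = secrets.randbelow(self.n - 2) + 2
            if gcd(r, self.n) == 1:
                break
        blinded = hash_to_int(nonce) * pow(r, self.e, self.n) % self.n
        return nonce, r, blinded

    def unblind(self, blinded_sig: int, r: int) -> int:
        """(H(nonce) * r^e)^d * r^-1 = H(nonce)^d, a plain signature the issuer never saw."""
        return blinded_sig * pow(r, -1, self.n) % self.n

    def verify(self, nonce: bytes, sig: int) -> bool:
        """Client-side check that the token corresponds to the committed (public) key."""
        return pow(sig, self.e, self.n) == hash_to_int(nonce)


def issue_token(issuer: Issuer, client: Client) -> tuple[bytes, int]:
    nonce, r, blinded = client.blind()
    sig = client.unblind(issuer.sign_blinded(blinded), r)
    if not client.verify(nonce, sig):
        raise ValueError("issuer signature does not verify under the committed key")
    return nonce, sig


def issuer_can_link(issuer: Issuer, nonce: bytes) -> bool:
    """Does the redeemed message appear anywhere in what the issuer saw at issuance?"""
    return hash_to_int(nonce) in issuer.issuance_log


def demo() -> dict[str, bool]:
    issuer = Issuer()
    client = Client(issuer.public_key())
    nonce, sig = issue_token(issuer, client)
    return {
        "first_redeem_ok": issuer.redeem(nonce, sig),
        "double_spend_rejected": not issuer.redeem(nonce, sig),
        "forged_sig_rejected": not issuer.redeem(secrets.token_bytes(32), secrets.randbelow(N)),
        "issuer_cannot_link": not issuer_can_link(issuer, nonce),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The issuance log holds only values multiplied by a random r^e, so the issuer has nothing to match a redeemed (nonce, signature) pair against; that is the 1/N unlinkability property in the first bullet. The client's own `verify` step is the second bullet, and the `redeem` check is the third.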

The QUIC (quic) WG is developing the QUIC protocol which provides end-to-end security for transport connections, including protection of header fields that are left unprotected by TLS. The QUIC working group's specifications are currently in last call, and will soon become recognised standards. The use of QUIC in the Internet is already quite high and growing.

Many network topologies lead to situations where transport protocol proxying is beneficial. For example, proxying enables endpoints to communicate when end-to-end connectivity is not possible, or to apply additional encryption where desirable (such as a VPN). Proxying can also improve client privacy, e.g., by hiding a client's IP address from a target server. The Multiplexed Application Substrate over QUIC Encryption (masque) WG is developing mechanism(s) that allow configuring and concurrently running multiple proxied stream- and datagram-based flows inside an HTTPS connection. These mechanism(s) are collectively called MASQUE.

The MAC address Device Identification for Network and Application Services (madinas) Working Group is documenting recommended means to reduce the impact of randomized and changing MAC addresses (RCM) while ensuring that the privacy achieved with RCM is not compromised. The Working Group will liaise with other relevant organizations, such as IEEE 802 and the Wireless Broadband Alliance (WBA), by coordinating on the different recommendations, as well as potential follow-up activities within or outside the IETF.

There are many situations in which it is desirable to take measurements of data which people consider sensitive. For instance, a browser company might want to measure web sites that do not render properly without learning which users visit those sites, or a public health authority might want to measure exposure to some disease without learning the identities of those exposed. In these cases, the entity taking the measurement is not interested in people's individual responses but rather in aggregated data (e.g., how many users had errors on site X). Conventional methods require collecting individual measurements in plaintext and then aggregating them, thus representing a threat to user privacy and rendering many such measurements difficult and impractical.

New cryptographic techniques address this gap through a variety of approaches, all of which aim to ensure that the server (or multiple, non-colluding servers) can compute the aggregated value without learning the value of individual measurements. The Privacy Preserving Measurement (ppm) Working Group will standardize protocols for deployment of these techniques on the Internet.
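The simplest of the approaches the working group builds on is additive secret sharing between two non-colluding aggregators: each client splits its measurement into two shares that are individually uniformly random, each aggregator sums the shares it receives, and only the two sums combined reveal the total. The example below is an added illustration of that idea, not the working group's protocol or code: the bucket names, field size, batch threshold and sample reports are constructed, and the client-side validity proofs that the real protocols add (so a client cannot submit an out-of-range value) are omitted.

```python
from __future__ import annotations

import secrets

# Prime field for the shares (constructed choice; 2^61 - 1 is a Mersenne prime).
FIELD = (1 << 61) - 1
# Constructed measurement layout: "which site failed to render for this user?"
BUCKETS = ["site-a-error", "site-b-error", "site-c-error"]


def encode_measurement(bucket_index: int) -> list[int]:
    """One-hot vector: the client reports exactly one bucket."""
    if not 0 <= bucket_index < len(BUCKETS):
        raise ValueError("unknown bucket")
    return [1 if i == bucket_index else 0 for i in range(len(BUCKETS))]


def split_shares(measurement: list[int]) -> tuple[list[int], list[int]]:
    """Additive secret sharing: share1 is uniformly random, share2 = m - share1 (mod FIELD).
    Either share on its own is statistically independent of the measurement."""
    share1 = [secrets.randbelow(FIELD) for _ in measurement]
    share2 = [(m - s) % FIELD for m, s in zip(measurement, share1)]
    return share1, share2


class Aggregator:
    """One of two non-colluding servers; it only ever sums the shares it receives."""

    def __init__(self) -> None:
        self.totals = [0] * len(BUCKETS)
        self.reports = 0

    def accept(self, share: list[int]) -> None:
        if len(share) != len(BUCKETS):
            raise ValueError("malformed share")
        self.totals = [(t + s) % FIELD for t, s in zip(self.totals, share)]
        self.reports += 1


def combine(a: Aggregator, b: Aggregator, min_batch: int) -> list[int]:
    """The collector learns only the aggregate, and only once the batch is large enough
    that the total does not single out an individual contributor."""
    if a.reports != b.reports:
        raise ValueError("aggregators disagree on report count")
    if a.reports < min_batch:
        raise ValueError("batch below minimum size; refusing to release aggregate")
    return [(x + y) % FIELD for x, y in zip(a.totals, b.totals)]


def run_measurement(client_buckets: list[int], min_batch: int = 10) -> dict[str, int]:
    """Simulate every client splitting its report between the two aggregators."""
    agg1, agg2 = Aggregator(), Aggregator()
    for bucket in client_buckets:
        s1, s2 = split_shares(encode_measurement(bucket))
        agg1.accept(s1)  # sent to server 1
        agg2.accept(s2)  # sent to server 2
    return dict(zip(BUCKETS, combine(agg1, agg2, min_batch)))


# Constructed sample: 25 clients, each reporting the one site that failed for them.
SAMPLE_REPORTS = [0] * 12 + [1] * 8 + [2] * 5

if __name__ == "__main__":
    print(run_measurement(SAMPLE_REPORTS))
```

The batch threshold in `combine` is the operational control that the "aggregated data" requirement in the text implies: a sum over one report is that report. Collusion between the two aggregators, or a compromise of both, recovers every individual measurement, which is why the text stresses non-colluding servers.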

The Oblivious HTTP Application Intermediation (ohai) Working Group will define a protocol for anonymization of HTTP requests using a partly-trusted intermediary, a method of encapsulating HTTP requests and responses that provides protected, low-latency exchanges. Applications and use cases best suited for this protocol are those that have discrete, transactional queries that might reveal small amounts of information that accumulate over time. Examples include DNS queries, telemetry submission, and certificate revocation checking.

The Privacy Enhancements and Assessments Research Group (PEARG) in the IRTF is a general forum for discussing and reviewing privacy enhancing technologies for network protocols and distributed systems in general, and for the IETF in particular.

https://wiki.ietf.org/en/group/iab/Multi-Stake-Holder-Platform#h-303-eprivacy

ISO/IEC JTC 1

ISO/IEC JTC 1 SC 7 on System and software engineering published a set of standards (ISO/IEC 25000 series and specifically 25024) that includes the possibility to design specific privacy measures.

https://www.iso.org/committee/45086.html

ISO/IEC JTC 1 SC 27 on IT Security Technologies published a Code of Practice for the protection of personally identifiable information (PII) in the public cloud (ISO/IEC 27018:2014), and is developing a draft international standard privacy capability assessment model (ISO/IEC DIS 29190). Another relevant working item is ISO/IEC 27552 - Enhancement to ISO/IEC 27001 for privacy management - Requirements.

http://www.iso.org/iso/iso_technical_committee?commid=45306

ISO/IEC JTC 1 SC 27 WG 5 Identity management and privacy technologies

Published standards:

  • ISO/IEC 29100:2011 “Privacy framework” - Provides a general conceptual framework on the topic of privacy and personal data
  • ISO/IEC 24760 “IT Security and Privacy — A framework for identity management” (3 parts from 2019, 2015, and 2016) - Gives a framework to assess and influence whether individuals can be identified or not in the context of data, and who can influence and control this, and how
  • ISO/IEC 29101:2018 “Privacy architecture framework” - Provides a conceptual framework on the handling of privacy and personal data
  • ISO/IEC 20889:2018 “Privacy enhancing data de-identification terminology and classification of techniques” - Defines a terminology and classifies techniques to assess whether data are personal data or not
  • ISO/IEC 29134:2017 “Guidelines for privacy impact assessment” - Provides a conceptual framework to assess the impact of data (processing) on privacy and how data strategies can take that into account
  • ISO/IEC 29146:2016 “A framework for access management” - Provides a conceptual framework to manage and strategise access to data
  • ISO/IEC JTC 1/SC 27/WG 5 SD4 “Standard Privacy Assessment (SPA)” - Provides guidance on considering privacy when and while developing standards, especially standards on handling data; freely available at https://www.din.de/en/meta/jtc1sc27/downloads

Standards under development:

  • ISO/IEC DIS 27559 “Privacy enhancing data de-identification framework” - Provides a conceptual framework to assess whether data are personal data or not

ITU-T

ITU-T SG17 works on data security and privacy-preserving technologies such as de-identification and multi-party computation.

It has approved Recommendations:

  • ITU-T X.1058 “Information technology - Security techniques - Code of practice for Personally Identifiable Information protection”
  • ITU-T X.1087 “Technical and operational countermeasures for telebiometric applications using mobile devices”
  • ITU-T X.1148 “Framework of de-identification process for telecommunication service providers”
  • ITU-T X.1171 “Threats and requirements for protection of personally identifiable information in applications using tag-based identification”
  • ITU-T X.1212 “Design considerations for improved end-user perception of trustworthiness indicators”
  • ITU-T X.1250 “Baseline capabilities for enhanced global identity management and interoperability”
  • ITU-T X.1252 “Baseline identity management terms and definitions”
  • ITU-T X.1275 “Guidelines on protection of personally identifiable information in the application of RFID technology”
  • ITU-T X.1403 “Security considerations for using distributed ledger technology data in identity management”
  • ITU-T X.1451 “Risk identification to optimize authentication”
  • ITU-T X.1363 “Technical framework of personally identifiable information (PII) handling system in IoT environment”
  • ITU-T X.1770 “Technical guidelines for secure multi-party computation” (under approval as of Sept 2021)

More info: http://itu.int/ITU-T/go/tsg17

oneM2M

oneM2M standardises secure links between connected devices, gateways, communications networks and cloud infrastructure. The oneM2M SDS (System Design and Security) working group is also responsible for security and privacy.
Potential required enhancements to oneM2M specifications, to support regulations like GDPR or PIPA, are investigated and defined in the current oneM2M work item: WI-0095 - oneM2M System Enhancements to Support Data Protection Regulations.
All oneM2M Specifications are openly accessible under Specifications (onem2m.org).

(C.2) Other activities related to standardisation

Kantara

User-Managed Access (UMA)
UMA is an OAuth-based protocol designed to ensure the privacy of websites by giving web users a unified control point for authorising access to online personal data, content, and services, no matter where they are hosted.
http://kantarainitiative.org/confluence/display/uma/Home

Consent & Information Sharing Workgroup (CIS)
People's capacity to manage their privacy is increased if they are able to aggregate and manage consent & information sharing relationships with consent receipts. Standardised consent receipts also provide the opportunity for organisations to advertise trust. The core receipt specification addresses general, or regulatory, consent requirements. More elaborate consent receipts can become a vehicle for trust networks, federations, trust marks, privacy icons, assurances, certifications and self-asserted community and industry reputations.
https://kantarainitiative.org/confluence/display/infosharing/Home 

(C.3) Additional information

Management of controls over the access to and ownership of data should be considered essential for effective implementation of privacy measures.