Representation of the Conference at a recent meeting of an International Organisation

Transcription

1 Representation of the Conference at a recent meeting of an International Organisation The Conference was represented by France at the OECD SPDE 38 th Meeting in Paris on June Meeting report attached. Executive Committee Secretariat 2 July 2015

2 OECD Working Party on Security and Privacy in the Digital Economy 38 th Meeting report Paris June 2015 Date: 26 June 2015 Author: Laurent LIM This meeting report briefly presents the main discussed points during the latest meeting of the OECD s Working party on Security and Privacy in the Digital Economy (SPDE). The International Conference of the Data Protection and Privacy Commissioners was represented during this meeting by the CNIL (Laurent LIM, Legal officer with the European and international affairs department). Tuesday 23 June 2015 Item 4. OECD Ministerial meeting on The Digital Economy: Innovation, Growth, and Social Prosperity, Mexico, June 2016 On June 2016 in Cancun, Mexico, the OECD will hold a Ministerial meeting on The Digital Economy: Innovation, Growth, and Social Prosperity around four main themes, each supported by two panel sessions. The SPDE Secretariat provided a brief update on progress made on the overall preparations for the Ministerial. The SPDE will have primary responsibility for the organisation of Panel 3.2 on Digital security and privacy risk management. There will also be a number of additional panels with a privacy and/or security dimension to which the SPDE is expected to contribute, notably: Panel 1.1 on Economic and Social Benefits of an Open Internet, and Panel 2.2 on the Internet of Things. The outputs from the Ministerial will include a Ministerial declaration that will set out a shared vision of the public policy objectives to be achieved in taking full advantage of the digital economy; may endorse work recently carried out, such as the revised Recommendation on digital security risk management, and provide direction for future work, including by SPDE. Further contributions of the delegations will be expected.

3 Item 4a. Progress report on the preparations for Ministerial Session 3: Trust in a Data- Driven Economy The CCP Secretariat presented the objectives of Session 3 and the topics covered in the Ministerial Panel 3.1 Consumer Trust and Market Growth- which are complementary to those addressed in the SPDE session. Item 4b. Ministerial Panel 3.2: Managing Digital Risk Experts presented preliminary results of work aimed at understanding challenges and opportunities in the implementation of privacy and security risk management, in fulfilment of the Programme of Work and as a contribution to Panel 3.2. The following two papers were presented: Developing a risk-based approach to privacy Carman Baggaley (Canada) This paper (presented as still ongoing work) builds upon the existing literature about risk-management and tries to see how these techniques can be transposed and used into the field of data protection and privacy. Comments underlined the fact that as this kind of approach might be interesting concerning data controllers obligations, it might find a limit when dealing with data subjects rights. Digital (security and privacy) risk management in SMEs David Wright (Trilateral, UK) This Paper underlines the importance of SMEs in the growth. It presents a brief literature review, concludes to the lack of data and evidence as regards privacy and security risks faced by SMEs. The project therefore aims to conduct empirical research on these subjects. The expected completion of the revised Security Recommendation by the end of 2015 was also discussed. Item 4c. Input to Ministerial Panel 2.2: The Internet of Things Two presentations were given. The internet of things: seizing the benefits and addressing the challenges - Rudolf Van der Berg (OECD) The presentation supported document DSTI/ICCP/CISP (2015)3 which goal is to support Panel 2.2 at the 2016 Ministerial. The draft was presented to both CISP and SPDE the same day. Delegates were asked to comment and further develop this document, with the aim to finalise at the Working Parties and CDEP in December Delegates were also invited to comment on DSTI/ICCP (2015)3, which contains a short description of Panel 2.2.

4 HP 2014 IoT research study - Ian Brown A 2014 IoT research study was presented, along with its goals: Significantly reduce security vulnerabilities in IoT systems, which let attackers access private data, infiltrate systems, and cause physical harm in cases such as medical devices and connected vehicles and take into account broader privacy/data protection issues. Potential measures, Art. 29 Working party's opinions on purpose limitation and legitimate interest were also described. Delegates comments (BIAC) underlined some concerns related to the characterization of RFID, the re-characterization of Big Data and Cloud as subsets of IoT. The RFID PIA conducted by the EU COM, which was harm-based, was mentioned. The EU delegation underlined the need of trust and the fact that the papers are very thin on Privacy concerns, said that protection of personal data and Privacy are absolutely fundamental to promote IoT and referred to the WP29 s opinion 2014 on the IoT which contain several recommendations. Item 4d. Input to Ministerial panel 1.1 on Economic and Social Benefits of an Open Internet The Secretariat and Mr C. Kuner presented work in support of Ministerial Panel 1.1. and delegates were asked for input on this item in relation to privacy and security. Oral presentation: Trends in Global Data Flow governance Chris Kuner The topic of this report is the regulation of cross-border data flows, which is a very complex topic. The document was presented as just a draft. The 4 sections of the report were briefly described: 1. Introduction There is an explosion of data flows with a change in volume and type of data, to the point that it seems difficult to use the term data transfers as meaning conscious transmitting. Transfers of data can have huge social benefits (democracy, humanitarian help actions). On the other hand, there are many issues linked to governmental access to data and surveillance of citizens. 20 years after Internet opened to commercial use, it is important to have a look at the current landscape to think of how to frame the data flows. 2. Development of data flow governance The late 70 s saw a surge in data transfer regulation, and the main reason was information sovereignty in the Internet age. Then globalization of society happened, which led some to concepts such as data nationalism or data balkanization. There are increasing conflicts between different types of legal regimes for transfers. All these regulations reflect ambiguity as regards globalization: we want the benefits but we still want control over personal data and transparency. There is also a fundamental rights aspect. 3. Regulatory approaches to global data flows Convention 108 COE was the first international tool. Then we saw legal pluralism: a multiplicity of distinct, diverse legal systems: data flows are influenced by a lot of

5 different factors (LEA, private sector, contractual practice). It might be illusionary to think we can find an overarching solution to data transfers regimes 4. Finding a way forward Different regimes might still exist. There is however a need for a coherent framework, because for the moment, there is a lot of overlapping and difficulties. We need clear criteria and objectives for policies, with the aim to minimizing the interference but maximize the protection. One of the most effective ways could be transborders application of accountability obligation. Determining effectiveness of data protection: lack of empirical research to determine what is the exact risk to transfer data crossborders. Economic and legal research should be done on this. Basic principles such as proportionality should be applied. Awareness and transparency are lacking: we need much more openness. Increasing democratic legitimacy. In many cases the level is not very sophisticated. Better regulatory cooperation is also needed to avoid unnecessary international tensions and resources. There is a need to explore greater interoperability (GPEN, G29-APEC referential). Item 4e. Roundtable discussion with experts: Orientations on future SPDE work and contribution to the Ministerial Declaration The SPDE Secretariat presented orientations on future work and contribution to the ministerial declaration, underling key SPDE items and expected deliverables SPDE PWB Suggested possible elements for inclusion in the Draft Ministerial Declaration are: To explore the changes needed in the governance of public and private organisations to foster good practice in digital security and privacy risk management, exploring the synergies and commonalities at play and options for greater policy coherence. On the quantification of digital risk and facilitating the sharing of insights on risk management To deliver guidance on implementation of privacy management programmes across sectors of the economy (e.g. health, transportation, energy etc.) Address the emerging security and privacy challenges in IoT On the relationship between innovation and digital security risk management On the public policies / best practices to empower SMEs and individuals, On critical information infrastructure protection. The WP is invited to comment on possible future SPDE work and the contributions to the Ministerial Declaration.

6 Item 5. Recommendation on Digital Security Risk Management for Economic and Social Prosperity and Follow-on Work The Working Party was updated on the timelines and process for adoption of the Recommendation [DSTI /ICCP /REG (2014)2 /REV7], and declassification of the companion document [DSTI/ICCP/REG (2014)7/REV3] by the Council. A plan for a Communication Strategy and options for follow-on work was also introduced. Item 5a. Communication and Outreach Strategy The Secretariat presented a plan for a Communication and Outreach Strategy. Item 5b. Cyber security Insurance The Secretariat presented a short list of options for follow-on work arising from the Digital Security Risk management review. Experts (UK government, Swiss RE, AXA, Airbus and OECD) were invited to contribute views on recent developments and possible future SPDE work on Digital Risk Insurance. These presentations outlined that cyber security insurance is still in its infancy, but is a growing market (only 2% of big companies have cyber insurance policy). There are however obstacles to development of this market that should be underestimated (psychological: to declare that you have suffered a cyber attack is, in itself, an issue, cost issue, partners qualification issue). Wednesday 24 June 2015 Item 6. Draft Council recommendation on Privacy-protective approaches for the use of personal health data. The Secretariat reported on the background to this project, the creation of an informal advisory group, the scope of the work and progress to date. Delegates were invited to provide their views on the issues to be addressed and on the proposals on the scope of the Recommendation. Presentation was given by Jennifer Stoddart, co-chair of the advisory Group. The presentation underlined that sharing and secondary use of health data poses great challenges and unanswered questions and challenges as it comes to privacy, such as debate on the definition of consent. The results of previous study uncovered significant cross-country differences. There has been a change of approach in the

7 medical world with big data applied to health data. The aim would be to encourage countries to share health data over a secure network. The SPDE bureau already discussed the scope of the recommendation on decided to: Focus on areas where there is widely recognized, obvious and substantial public interest in health research, health care and health system improvements. Acknowledge continuum of health data use The advisory group has been established to begin its work in July. Deadline for nominations has been extended to 15 July. It is supervised by OECD s CDP and Health committees; Prof. Mark Tailor (university of Sheffield) is participating. David Smith (UK DPA) has represented the SPDE in this group so far. As a first thing, the advisory group will have to do a final review of the terms of reference. Many delegations commented on this issue. The Secretariat concluded with recalling that additional comments to the paper and to candidates for this group are open until July 15. Item 7. Measurement agenda and collaboration with MADE The Secretariat reviewed findings of recent work by SPDE on improving the evidence base for information security and privacy policy, notably the report on Improving the Evidence Base for Information Security and Privacy Policies (OECD 2012) and on improving the international comparability of statistics produced by Computer Security Incident Response Teams (CSIRTs). The MADE Chair and Secretariat were invited to discuss options for collaboration. Item 8. OECD Roundtable on digital identity Presentations were given of gov.uk.verify - ID verification online by Robin Walker (UK Government) and of la Regulation EU 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC by Neil Clowes. An agenda for the Roundtable discussion on developments in the management of digital identity will be circulated closer to the meeting. Item 9. Other Business The group was updated on the following topics: a) Report on new and ongoing OECD work relevant to the SPDE

8 b) Cyber security Updates c) Privacy Law Enforcement Co-operation (GPEN) Item 9.a. Dates of next meetings Rooms have tentatively been reserved for: 39th Meeting: 1-2 December th Meeting: provisionally set for November 2016.