Data Privacy moves to top of e-commerce agenda
Brussels,
Thursday January 27:
CEN/ISSS, the Brussels-based European standardisation
organisation, is organising the first Privacy Open Seminar
in Brussels on March 23-24. The seminar will be free
of charge (limit is 160, on a first-registered, first
invited basis) and open to anyone with an interest in
data privacy. The final agenda and registration form
are available to view on the CEN/ISSS website (http://www.cenorm.be).
ICX has been appointed to chair the
Organising Committee of the event.
With
the European Harmonisation Directive on Data Privacy
being implemented throughout the EU and EEA (18 countries
in all) on 1 March 2000, European employers and other
organisations holding personal information on citizens
face a difficult year, getting their data records and
control procedures in order, if they are to avoid possible
prosecution and other legal action by unhappy (ex)-employees
about how their personal details are stored and
used.
The
Directive applies to all European organisations holding
personal data about employees, customers, members etc.
To
make sure the Privacy Open Seminar has a good business
focus, CEN/ISSS has invited ICX to chair the Organising
Committee for the event.
The
results of the Privacy Open Seminar will be collated
and, depending on the views exchanged, a decision will
then be taken on whether CEN/ISSS wishes to write a
workplan to bring together experts to write a European
Data Privacy Standard.
Nick
Mansfield, ICX Chairman, comments: "We are delighted
to be asked by CEN/ISSS to help in raising awareness
of privacy issues in Europe. I am sure most organisations,
whether large or small, have no or little idea what
the European Harmonisation Directive will mean to them.
We see this very much as a case of co-regulation, bringing
business, regulators and citizens together, to ensure
that further developments meet the requirements of all
those affected by the issues surrounding privacy of
personal data.
"For
the past 10 months, ICX has been working to produce
a generic Privacy Code of Conduct. Seventeen ICX members
from across Europe have given their time and knowledge
free of charge to produce the Code of Conduct. The main
Code has been reviewed by several European Data Registrars
and Commissioners and they have been very supportive
and helped us in the review process.
"The
ICX Privacy Code of Conduct team of lawyers and editors
is now revising the second part of the Code, which deals
with Applicable Laws, in all 18 EU and EEA countries.
Part three of the Code will be a Manager's Handbook,
a practical guide for business managers on how to comply
with the new law and implement best practice procedures
in their companies. The Manager's Handbook will be published
early in March."
Further
information
http://www.cenorm.be
US
Federal Trade Commission appoints 40-strong Privacy
and Security commission.
New
York, Wednesday January 26:
The US Federal Trade Commission has named the members
of its Advisory Committee on Online Access and Security
and announced that the Advisory Committee's first meeting
will be held February 4.
The
Committee will provide advice and recommendations to
the Commission regarding the costs and benefits, to
both consumers and businesses, of implementing the fair
information practices of access and security online.
Providing consumers access to the information collected
from and about them and providing security for that
information are two of four core fair information practice
principles described in the Commission's 1998 report,
Privacy Online: A Report to Congress. The other two
principles are "notice," and "choice."
The
Commission also regards "enforcement" as an
essential component of effective self-regulatory programs.
In a follow-up report to Congress last year, the Commission
noted that access and security are important privacy
safeguards, but that they may raise a number of implementation
issues.
In
a Federal Register Notice published last Friday, the
FTC announced that the first meeting of the Advisory
Committee, which will be open to the press and public,
will be held Friday, February 4, 2000, at FTC headquarters
in Washington, D.C. The meeting will explore the issues
of what constitutes "reasonable access" to
data collected from and about consumers and what exemplifies
"adequate security" for that information.
Subsequent
Advisory Committee meetings will be held February 25,
March 31, and April 28, at FTC headquarters. Those,
too, will be open to the public and press. The Advisory
Committee will present a written report to the Commission
describing options for the implementation of access
and security online, and the costs and benefits of each
option, no later than May 15, 2000, and will conclude
its work no later than May 31, 2000. The Commission
encourages the public to submit comments for the Advisory
Committee's consideration during the period in which
the Committee is performing its work.
"The
roster of distinguished members of this Advisory Committee
represents a broad cross-section of e-commerce experts,
online businesses, security specialists, and consumer
and privacy advocates," said Robert Pitofsky, Chairman
of the FTC. "The Commission is gratified that the
members have agreed to serve on the Advisory Committee
as we address the challenges of assuring consumer privacy
online."
In
selecting the members of the Advisory Committee, the
Commission considered over 180 nominations received
from a broad array of interested parties. According
to the Committee's charter, members will consider, among
other things, whether the extent of access provided
by websites should vary with the sensitivity of the
personal information collected and/or the purpose for
which such information is collected; whether the difficulty
and costs of retrieving consumers' data should be considered;
whether consumers should be provided access to enhancements
to personal information (for example, inferences about
their preferences or purchasing habits); appropriate
and feasible methods for verifying the identity of individuals
seeking access; whether a reasonable fee may be assessed
for access, and if so, what a reasonable fee would be;
and whether limits could be placed on the frequency
of requests for access, and if so, what those limits
should be. The Advisory Committee will also consider
how to define appropriate standards for evaluating the
measures taken by websites to protect the security of
personal information; what might constitute reasonable
steps to ensure the accuracy of this information; and
what measures should be undertaken to protect this information
from unauthorised use or disclosure.
Further
information:
Copies of the Federal Register notice are available
from the FTC's web site at http://www.ftc.gov
and also from the FTC's Consumer Response Center, Room
130, 600 Pennsylvania Avenue, N.W., Washington, D.C.
20580
Italian
Data Commissioner representative view
Why
privacy matters
Notes
by Mr. Luigi Montuori from the Office of the Italian
Data Protection Authority (based on attendance at ICX
Privacy Code of Conduct workshop in Den Haag on 15.12.99)
The word privacy has become a familiar term even in
non-English speaking countries. Indeed, it is mentioned
every day in radio and TV programmes; it can be read
in newspaper articles; there are actually a number of
books dealing with privacy. A peculiar feature of this
word is that it is often used jointly with many others:
health, the Internet, banking, insurance, police archives,
historical research, journalism, videosurveillance,
TLCs, marketing, e-commerce, etc.
In
short, privacy is related to a wide range of activities;
above all, it
is a constant feature in our social, professional and
private life.
Starting
from the 1981 Strasbourg Convention - which marked a
major turning point in Europe as regards the protection
of fundamental rights -, there have been for the past
few years a number of initiatives leading to a common
stance on privacy in all EU countries.
Indeed,
one might argue this is one of the most peculiar features
of Europe as compared with the rest of the world. Other
countries are looking with great interest and attention
to the activity in progress in EU Member States, where
EC Directive 95/46 is being transposed. And it is not
simply a matter of legiferating, but rather of developing
codes of conduct, contract models and other specific
instruments. The activity of I.C.X. is an evident example.
Thus,
privacy was initially regarded as a world-wide enforceable
value, and has subsequently become a right to be safeguarded
and protected.
I
believe that the establishment of this right was bound
to lead to
opposition - as has always been the case with major
social changes and developments -, such opposition being
often the result of misunderstandings as to the actual
meaning of privacy.
I
believe that Professor Rodota, the President of the
Italian Data
Protection Commission, pointed to one of the core issues
when he said, in the speech delivered on the occasion
of submitting the Commission's Annual Report to Parliament,
in 1997, that "the protection of personal data
rests nowadays on two pillars: confidentiality and control.
Silence becomes the former, whereas transparency befits
the latter". Indeed, the initial concept of privacy
is no longer appropriate: privacy cannot work alone.
The "right to be left alone", that is to say,
the right to be protected against another's indiscreet
attention, has long been superseded. Today, it is fundamental
to ensure that each of us can keep under control one's
own information - above all, the way in which others
can use such information.
Thus,
the privacy concept is taking on a new meaning exactly
at a time when information exchange is reaching unprecedented
levels.
The
exchange of information does not simply concern "business":
in fact, it also applies to a person's social life,
it being necessary every day to exchange data and information
in order to cope with multifarious requirements.
Privacy
is not aimed at shrouding our life in silence, nor should
it be seen as something implying the dramatic severance
of the link between an individual and the rest of society.
We
believe that privacy is something different, something
definitely
superior in its nature. Privacy is the tool we need
to build up the social link I have just mentioned, by
retaining the power of controlling the entities who
are in the possession of personal information. Only
in this way will it be possible for a person to fully
re-establish his/her own sovereignty, by deciding who
should use his/her personal data as well as how and
for what purposes these data can be processed.
There
is currently no alternative to control, as we are faced
with types of data processing which would have been
unimaginable up to a few years ago. Only think that
in modern society it may be difficult to fully realize
one's own identity within a system for the collection
of information which is grounded on the processing of
such information with a view to breaking it down, disseminating
data, categorizing things.
Our
data end up with being collected by a wide range of
public and private entities which keep them for a number
of different purposes - so that a person's identity
is broken down into many different data banks. This
will tend to facilitate the circulation of automated
personality profiles, which entails the risk of affecting
a person's image by eliminating fundamental traits of
his/her personality.
A
given person's data can be found in a specific data
bank where (s)he is only regarded from the viewpoint
of his/her habits, tastes, interests, and maybe in another
data bank including information on his/her creditworthiness,
and in yet another one in which medical status or criminal
records are described.
Within
this framework, it is absolutely necessary for citizens
to be aware of their new rights and to be taught how
to use them. These rights are grounded on control and
allow a person to be informed on the use of his/her
data, supplement the relevant information, object to
its processing, have the information cancelled under
specific circumstances and have it kept for a limited
period - up to the prohibition of taking judicial/administrative
decisions based solely on the automated processing of
personal data. These tools will enable a person to be
considered as a whole, rather than as a composite puzzle
of different elements.
This
is privacy, too.
Luigi
Montuori
4.1.2000
How
to obtain a copy of the Privacy Code of Conduct:
The
ICX Privacy Code of Conduct is being constantly updated
and we are now working on revising the 18 Applicable
Laws (15 EU countries and 3 EEA countries). If you have
an interest and would like to join the Work Group, please
send an e-mail to: freddie.dawkins@icx.org
If
you would like a copy of the ICX Privacy Code of Conduct,
you must be a member of ICX. To become a member click
here.
©
Copyright January 2000. Mr Luigi Montuori and International
Commerce Exchange Ltd.