Preeminent Trusted Global
ISSA
Information Security Community
A Simple Guide to European
Union Data Privacy
By Karen Öqvist
How can data privacy requirements in the European Union be
a driver for data privacy initiatives worldwide? What does it mean to have a data privacy
directive for EU member states, and how does this really work in practice?
T
here are no privacy directives worldwide that really
match that of the European Union. The Data Protec-
tion Directive1 facilitates harmonization of member
states’ laws in providing consistent levels of protections for
citizens, and ensuring the free flow of personal data within
the European Union. The directive sets a baseline, a common
level of privacy expectations that not only reinforces current
data protection law for member states but also establishes a
range of rights for the data subject (you and me).
This article provides a high-level insight on best practices for
data privacy using the EU Data Protection Directive as an ex-
ample, offering a graphical view, i.e., a collection, storage and
removal model, as a means to demonstrate in a simplistic way
the EU directive in practice, and discussing briefly implica-
tions both within the EU and globally
Let us start by questioning what we mean by data privacy, and
how needs for data privacy differ from information security:
• It is not just about the intellectual property or infor-
mation belonging to an organization. That is covered
by information security requirements.
• The information needing protection (personal data)
is about you (the data-subject): who you are, what you
like, your health, your lifestyle; basically it is whatever
you share that is linked to your identity. All informa-
tion linked to your identity is called personally iden-
tifiable information (PII).
1 European Commission (1995) EU Directive on Data Privacy (95/46/EC) – http://
ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm (accessed 18 November
2009).
©2009 Information Systems Security Association • www.issa.org • editor@issa.org • All rights reserved
ISSA Journal | December 2009
Connect
• Data privacy is not just about “personal data need-
ing protection”; it is about protecting your rights and
freedom as an individual, i.e., your right to privacy.
With this in mind, your personal data is collected and stored
by government authorities and private enterprises, (for the
purpose of this article I refer to these entities as data holding
authorities). It is the data holding authority that is interested
enough in you to be motivated to collect your personal data,
and in the case of the European Union, is required to adhere
to data privacy legislation of the member state where it is resi-
dent.
For the purpose of this article and for simplicity, the lifecycle
of personal information that you share has been divided into
three distinct phases: collection, storage (and processing),
and removal of personal data. The key actors for all three
phases are the data subject and the data holding authority.
Before we dive in it is important to understand that a key
concept in a working data privacy model is enforceability:
data subjects have rights established in explicit rules.2 For
example, in the EU this is made possible by the installation
for each member state a commissioner who is responsible for
data privacy. The commissioner’s toolbox is privacy legisla-
tion, i.e., legislation that is at a minimum implemented to a
level of privacy as prescribed in the EU directive.
2 Karen Lawrence Öqvist, Virtual Shadows: Your Privacy in the Information Society,
(BCS, Publishing: 2009), p. 112-117.
17
A Simple Guide to European Union Data Privacy | Karen Öqvist
Data Subject Consent
Rights Choice
Personal Data Collection Storage/Processing
Data Holding Authority Responsibilities…
Assign data controller
Inform commissioner
Inform data subject
Opt-In / Opt-Out
Personal data collection
The first step is the collection of personal data. Any organiza-
tion wishing to collect and process the personal information
of data subjects is required to adhere to the following:
• Must inform the data commissioner, and agree to
abide by the rules that ensure that the privacy rights
of the data subject are respected
• Must have assigned a data controller that is respon-
sible for ensuring that the personal information of the
data subjects is collected, stored, and removed as per
the data privacy principles laid out by the data com-
missioner relating to data quality
• Must not collect personal information without the
consent of the data subject
• Must inform the data subject that data collection will
happen
• Must inform the data subject that that personal infor-
mation is being collected for whatever reason
• Must ensure that the data subject has the choice to
opt-out of the collection of personal information and/
or that which is shared with third parties
Data subjects residing in member states of the European
Union are very familiar with the practice of opt-in/opt-out.
One example in Sweden is the collection of blood spots of
all new-borns for purposes of testing for a genetic disease
Phenyle–Ketone–Uria (PKU) and later for storage in a blood
bank for research. At this point the parents have a choice to
opt-out of the blood being used for research purposes, but
they often do not as it is easier to just leave it as it is. In fact,
the best practice is that the data subject should be requested
to opt-in as the default, rather than having to remember to
tick a specific box at the end of the form in order to opt-out.
Nonetheless, what is important when talking about data pri-
vacy best practices is that the data subject has a choice.
©2009 Information Systems Security Association • www.issa.org • editor@issa.org • All rights reserved
18
ISSA Journal | December 2009
Transparency Personal Data
Objection Removal
Removal
Not transferable Delete
Current / Up-to-date non-relevant data
Accurate Sanitize
sensitive data
Personal data storage/processing
This is the information security part: the assigned controller
“must implement appropriate technical and organizational
measures to protect personal data against accidental or un-
lawful destruction or accidental loss, alteration, unauthor-
ized disclosure or access.” In other words the data holding au-
thority must have the security mechanisms in place to ensure
the confidentiality, integrity, and availability of data stored
and transmitted by the data holding authority. In addition
the requirement on the processing and storage of personal
data states that the data shall:
• Be processed fairly and lawfully
• Be kept accurate
• Be kept up-to-date
• Not be transferred to a country or territory outside
the country of origin. The exception being that the
country has an adequate level of protections pertain-
ing to the rights and freedoms of the data subject.
Likewise, for all data stored by the data holding authority:
• The data subject has the right for access to his per-
sonal information, i.e., transparency on the processing
of his personal data. What this means is that the in-
dividual can request if his personal data is being pro-
cessed, and if so, which data, and to whom the data is
being disclosed. So long as the request is reasonable,
the data holding authority must comply with the re-
quest of the data subject.
• The data subject can question the integrity of the data
collected. For example, if the data holding authority
has not updated their records, and the data subject
has hard evidence that the personal information held
is wrong, the data holding authority must comply
with the request to correct the error.
• The data subject has the right to object to information
being stored if the data is being used for activities that
A Simple Guide to European Union Data Privacy | Karen Öqvist
are outside of the scope of what it was collected for,
e.g., for marketing activities.
Personal data removal
Finally, the data must be removed once the original purpose
of collection is no longer relevant. Furthermore, the data sub-
ject has the right to ask for the removal of personal data.
This data could be sanitized for the purpose of historical,
statistical, or scientific purposes, i.e., with the removal of
any links to the data subject’s identity. Anonymous data is
not within the scope of data privacy directives such as those
found in the European Union.
Where this works in practice
The expectation for the right on privacy of personal data is
recognized at the highest levels in the European Union. Every
European Union country has a data protection commissioner
or agency that enforces the rules. In the UK, for example, these
rules are codified as law in the Data Protection Act (DPA),3
which places pressure on governments and organizations to
have the necessary data privacy controls implemented. Other
EU member states have their own DPA variants.
It is expected that the countries with which EU member states
do business must provide a similar level of oversight concern-
ing data privacy. The consequences have been an impact on
the free flow of personal data from the European Union to
those countries with different data protection levels.
United States of America
The U.S. “Safe Habor Agreement” has been defined to over-
come any deficiencies in the U.S. approach to information
privacy, which is mainly self-regulated with minimal federal
legislation. The Safe Harbor provides United States compa-
nies the option to voluntarily self-certify to adhere to a set of
privacy principles.
3 Information Commissioner’s Office (1998) The Data Protection Act – http://www.
ico.gov.uk/what_we_cover/data_protection.aspx (accessed 24 November 2009).
©2009 Information Systems Security Association • www.issa.org • editor@issa.org • All rights reserved
ISSA Journal | December 2009
Asia-Pacific Economic Cooperation
The Asia-Pacific Economic Cooperation (APEC) is actively
engaged in developing the Asia-Pacific privacy standard.4 The
idea of the standard is to provide a practical policy approach
to enable accountability in the flow of data while preventing
impediments to trade. It provides technical assistance to those
APEC economies that have not addressed privacy from a reg-
ulatory or policy perspective.
Latin America
Ibero-American Data Protection has been motivated by the
need to implement harmonized measures for the protection of
personal data that would enable the free flow of information,
thus facilitating trade. Very few Latin American countries
have privacy legislation in this area.
Conclusion
If you want to know more about the European Union data pri-
vacy principles, you need to visit the website for the EU Data
Protection Directive.5 Here you will find the directive along
with exceptions, and links to how it is implemented by each
individual member state.
About the Author
Karen Öqvist has over 20 years experience
in IT and information security and today
works internationally as a senior security
architect for HP. She has a Masters Degree
in Information Security and is a published
author on the subject of information secu-
rity, identity, and privacy. She is a frequent speaker and hosts
a blog at www.virtualshadows.com. She may be reached at kar-
en@virtualshadows.com.
4 APEC (2005) What is the APEC Privacy Framework? http://74.125.77.132/
search?q=cache%3AX0w_Vw2O_DQJ%3Awww.apec.org%2Fapec%2Fnews___
media%2F2004_media_releases%2F201104_apecminsendorseprivacyfrmwk.
MedialibDownload.v1.html%3Furl%3D%2Fetc%2Fmedialib%2Fapec_media_library
%2Fdownloads%2Fministerial%2Fannual%2F2004.Par.0015.File.v1.1+apec+privacy
+framework&hl=en (accessed 24 November 2009).
5 http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm.
19