Privacy & Information Security Law Blog

On September 23 and 24, 2013, a declaration and eight resolutions were adopted by the closed session of the 35th International Conference of Data Protection and Privacy Commissioners and have been published on the conference website. This blog post provides an overview of the declaration and the most significant resolutions.

Warsaw Declaration on the “Appification of Society”

The declaration (Warsaw Declaration on the ‘Appification’ of Society) discusses the challenges posed by the increased use of mobile applications and expresses the clear commitment of data protection commissioners to ensure that app users are offered a better privacy experience. In particular, the declaration emphasizes that “apps should be developed on the basis of surprise minimisation: no hidden features, nor unverifiable background data collection.”

In addition, the declaration makes clear that app developers aren’t the only parties responsible for privacy; providers of operating systems also bear responsibility for their platforms. The declaration indicates that the data protection commissioners intend to focus on improving privacy and data protection in this area and that they will revisit the subject during the 36th International Conference next year.

Resolution on Profiling

The first major resolution (Resolution on Profiling) makes six recommendations for all parties that engage in profiling:

• clearly determine the need and the practical use of a specific profiling operation and ensure appropriate safeguards before beginning;
• limit assumptions and data collection to that which is necessary for the intended lawful purpose, and ensure that the data is sufficiently up-to-date and accurate, where appropriate;
• ensure that the profiles and the underlying algorithms are subject to continuous validation;
• inform individuals about profiling operations to the maximum extent possible;
• ensure that individuals are informed about their data protection rights, and that human intervention is provided where appropriate (particularly with respect to decisions that have significant legal effects on individuals or that affect benefits or status); and
• ensure that all profiling operations are subject to appropriate oversight.

Resolution on International Enforcement Coordination

The second major resolution (Resolution on International Enforcement Coordination) recognizes that the Global Privacy Enforcement Network (“GPEN”) is still the only global network devoted solely to enforcement cooperation and encourages authorities to join GPEN and help make it more effective. The aim of the resolution is to build on previous efforts, including the work of GPEN and the work of the International Enforcement Coordination Working Group, which was created at the 33rd International Conference. To this end, the resolution mandates that the International Enforcement Coordination Working Group (1) work with other networks to develop a common approach to cross-border case handling and enforcement coordination, and (2) set forth the approach in a multilateral framework document to be adopted at next year’s Conference. The resolution further supports the development of a secure information platform that would allow privacy enforcement authorities to share confidential information.

Resolution on Anchoring Data Protection and the Protection of Privacy in International Law

The third major resolution (Resolution on Anchoring Data Protection and the Protection of Privacy in International Law) recognizes the pressing need for a binding international agreement on data protection and urges national governments to advocate the adoption of an additional protocol to Article 17 of the International Covenant on Civil and Political Rights (“ICCPR”) to create globally-applicable data protection standards. The resolution recommends adopting this additional protocol in accordance with the standards that have already been developed and endorsed by the International Conference and the provisions in General Comment No. 16 to the ICCPR.

Resolution on Web Tracking and Privacy

Another major resolution is the Resolution on Web Tracking and Privacy, which was adopted by all of the data protection commissioners except the Slovenian and French Commissioners (who abstained from voting). This resolution urges all stakeholders to follow ten recommendations, including:

• observe the principle of purpose limitation;
• refrain from the use of invisible tracking elements for purposes other than security or fraud detection or network management;
• ensure adequate transparency about all types of web tracking practices to enable informed consumer choices;
• conduct a privacy impact assessment at the start of new projects;
• use techniques that reduce the privacy impact, such as anonymization and pseudonymization; and
• promote technical standards for better user control (e.g., an effective Do-Not-Track standard).

Mauritius’ Data Protection Authority announced that it will host the next International Conference on September 22, 2014.