The Internet makes it possible to access huge amounts of information stored in tens of thousands of different locations. It provides great opportunities for businesses and users, but also poses serious risks, as some of this data is extremely sensitive. This is true for a variety of services, with data ranging from confidential medical and financial records, including personally identifiable data, to less sensitive data such as search history, phone calls and location-specific data, which in isolation or in aggregate may be more valuable or sensitive.
With the growing popularity of online services such as social networks, search engines, e-commerce platforms and cloud computing, a secure and trustworthy digital environment is more important today than it has ever been. Companies offering services on the Internet should take all necessary steps to ensure that sensitive data is stored and transferred securely. This is particularly important for companies that have made it their business to offer and facilitate access to information stored on the “world wide web”.
ICOMP closely monitors regulatory developments in the field of online security and welcomes the EU’s recently published strategy for An Open, Safe and Secure Cyberspace, along with the proposed directive on network and information security (NIS). This proposal requires a wide range of businesses – including e-commerce platforms, internet payment gateways, social networks, search engines, cloud computing services and app stores – to ensure that the networks and information systems under their control meet minimum security standards, to be laid down by the EU.
ICOMP believes that regulatory measures in the field of online security should strike the right balance between the objective of facilitating access and the need to ensure the security of sensitive data. By ensuring an open and safe Internet for European businesses and citizens, they should contribute to economic growth, competition in the online marketplace and innovation.
PRINCIPLES FOR EFFECTIVE PRIVACY PROTECTION
- Data minimisation: only those data should be collected that are necessary for the service requested; this principle applies both to data expressly requested from the user and to all other data collected by the provider of the service.
- Proportionality: the “value” of the data to the person whose data are being collected should not exceed the advantage that he or she gains by using the service or “app”. This principle applies in addition to the principle of data minimisation.
- Proactive not Reactive: Privacy-invasive events must be anticipated and prevented before they happen.
- Privacy by Default: No action should be required on the part of the individual to protect their privacy — it should be built into the system, by default.
- Privacy Embedded into Design: Privacy should be embedded into the design and architecture of IT systems and business practices, not bolted on as an add-on.
- Full Functionality: All legitimate interests and objectives should be accommodated in a positive-sum “win-win” manner.
- End-to-End Security – Lifecycle Protection: Secure lifecycle management of information should be ensured, end-to-end.
- Visibility and Transparency: The privacy component parts and operations should remain visible and transparent to users and providers alike.
- Respect for User Privacy: Keep the interests of the individual uppermost by offering strong privacy defaults, such as appropriate notice and opt-out options, and empowering user-friendly options.