During the October 14, 2014 closed session of the 36th International Conference of Data Protection and Privacy Commissioners (the “Conference”) held in Balaclava, Mauritius, the host, the Data Protection Office of Mauritius, and member authorities of the Conference issued the “Mauritius Declaration on the Internet of Things,” and four new resolutions – a “Resolution on Accreditation” of new members, a “Resolution on Big Data,” a “Resolution on enforcement cooperation,” and a “Resolution on Privacy in the digital age.” Brief summaries of each of these documents are below.
The closed session featured a discussion on the benefits and risks of the Internet of Things among four experts from academia and the private sector and the Conference member authorities. Key observations contained in the Declaration issued by the host and the Conference’s Executive Committee included:
- The Internet of Things further magnifies the risks already inherent in big data.
- Data derived from Internet of Things devices should be considered personal data.
- Although Internet of Things business models are still evolving, it appears clear that key financial incentives do not pertain solely to Internet of Things devices themselves, but also to the new services related to the Internet of Things.
- To maintain trust in these connected systems, data protection should be the joint responsibility of all stakeholders and should be based on actionable transparency.
- Privacy by design is essential in the Internet of Things.
- The Internet of Things poses significant security challenges that can be controlled either by “local processing” (processing on the device) or end-to-end encryption.
- The Conference member authorities will monitor Internet of Things developments and compliance and will bring enforcement actions where necessary, either unilaterally or through international cooperation.
The “Resolution on Accreditation” lists newly admitted privacy authorities from Bremen (Germany), Ghana and Senegal, as well as organizations that received observer status to the Conference, including organizations from Bermuda, Japan, Mexico, Singapore and the U.S.
According to the “Resolution on Big Data,” big data may prove beneficial to society, but also poses risks to privacy and civil rights. Big data challenges the key privacy principles of purpose limitation and data minimization. These principles currently are more important than ever, as they are the foundation for safeguards against extensive profiling. Conference members called on big data users to take a number of actions, including the following:
- Respect the principle of purpose specification.
- Limit data collection to the level necessary for the purpose.
- Where appropriate, obtain valid consent for using personal data for analysis and profiling.
- Be transparent about data collection and use.
- Provide access and control tools to individuals.
- Carry out privacy impact assessments.
- Employ privacy by design.
- Make appropriate use of anonymization.
- Decisions based on big data must be fair, transparent and accountable. Algorithms require continuous assessment. Profiling results must be reviewed regularly to verify that they are responsible, fair and ethical as well as compatible with, and proportionate to, the purpose of the profiles. Avoid injustices resulting from fully automated decisions and undertake manual assessments of decisions that affect individuals.
The “Resolution on enforcement cooperation” recalls the numerous initiatives undertaken so far by the Conference and other organizations, such as the Asia-Pacific Economic Cooperation, the Organization for Economic Cooperation and Development and the Global Privacy Enforcement Network (“GPEN”), to further cross-border enforcement cooperation among privacy and data protection authorities and calls on member authorities to continue these efforts by:
- Accepting the “Global Cross-Border Enforcement Cooperation Arrangement,” a cooperation framework developed by Conference members.
- Continuing to hold annual meetings specifically for the purpose of discussing international enforcement cooperation.
- Improving coordination between the Conference’s Executive Committee and other enforcement cooperation networks such as GPEN.
- Supporting the development of a secure international information-sharing platform for privacy enforcement authorities and facilitating coordinated international enforcement actions.
The “Resolution on Privacy in the digital age” is a reaction to the ongoing revelations about government mass electronic surveillance and is intended to support the UN High Commissioner’s report on “The right to privacy in the digital age.” Among other things, it affirms that the Conference, through its Executive Committee, intends to participate in the multi-stakeholder dialogue that is proposed in the High Commissioner’s report to address the challenges related to the right to privacy in the context of modern communications technology. It also calls on Conference members to (1) advocate that electronic surveillance programs comply with certain specified international standards and (2) seek relevant enforcement powers.