The 35th International Conference of Data Protection and Privacy Commissioners was held in Warsaw in late September, bringing together data protection commissioners, experts and civil society and academia representatives from across the world.
The Conference is the most important international meeting devoted to data protection and privacy. It consists of an Open Session accessible to all privacy professionals, a Closed Session only accessible to data protection and privacy authorities, as well as several side meetings organised by international and non-governmental organisations.
The declaration and resolutions are summarised below.
Warsaw declaration on the "appification" of society
The Conference recognised the challenges associated with the rapidly evolving mobile application market, including the need to ensure that users are offered a better privacy experience. The Declaration sets out:
- that users are to receive clear and intelligible information, including within an app, about data collections taking place before the actual collection starts
- that developers are to make a clear decision on what information is necessary for the performance of the app and ensure no additional personal data is collected without informed user consent
- that platform providers are to bear responsibility for their platforms.
Resolution on profiling
Having considered the risks associated with the collection of personal information into large databases and its subsequent use, it was resolved that all parties follow six recommendations, including:
- to clearly determine the need and the practical use of a specific profiling operation and to ensure appropriate safeguards, before starting with profiling
- to ensure, in particular with respect to decisions that have significant legal effects on individuals, that individuals are informed about their right to access and correction, and that human intervention is provided where appropriate.
Resolution on international enforcement coordination
The conference concluded that increased coordination would increase the effectiveness of privacy enforcement authorities in cases involving the processing of personal information in multiple jurisdictions. It was therefore resolved to further encourage efforts to bring about more effective coordination of cross-border investigation and enforcement in appropriate cases.
Resolution on anchoring data protection and the protection of privacy in international law
Having observed that there is a pressing need for a binding international agreement on data protection that safeguards human rights by protecting privacy, personal data and the integrity of networks, it was resolved to call upon governments to advocate the adoption of globally applicable standards for data protection and the protection of privacy.
Resolution on openness of personal data practices
The conference recognised that effective communication of an organisation's policies and practices with respect to personal data is essential to allow individuals to make informed decisions about how their personal data is used and to take steps to protect their privacy and enforce their rights.
Governments and organisation are therefore urged to be more open about their data collection practices, including explaining the purposes for which the data are being collected. The authorities also urged that the usefulness of privacy seals, certification and trustmarks, as a way of informing users and enhancing choice, are considered.
Resolution on digital education for all
The Conference acknowledged that digital technology is now part of our everyday life and that it is fully integrated in every field of our existence. Member authorities are therefore urged to adopt a common programme on digital education, with the overarching aim being the promotion of digital literacy.
Resolution on web tracking and privacy
The conference recognised that tracking offers some consumer benefits, such as network management, security, fraud prevention, and may facilitate the development of new products and services. Nevertheless, the conference also noted that tracking poses serious privacy risks for citizens in an information society, threatening to erode the core privacy principles of transparency, purpose limitation and individual control. As a consequence, the conference calls on all stakeholders to follow 10 recommendations, including:
- providing notice and control over the use of tracking elements, including device and browser fingerprinting
- refraining from the use of invisible tracking elements for purposes other than security / fraud detection or network management
- conducting a privacy impact assessment at the start of new projects.