The European Commission DG Justice, Freedom and Security commissioned London Economics, one of Europe’s leading specialist economics and policy consultancies, to undertake a study and report on the economic benefits of Privacy Enhancing Technologies (“PETs”) for organisations and institutions using and holding personal data in selected European member states.
But what are PETs? The term covers a set of computer tools, applications and mechanisms, including procedures and management systems, which aim to protect the privacy of personal data by eliminating, anonymising or minimising personal data in order to prevent unnecessary or unwanted processing of personal data. Features can include, for example, allowing an individual to choose the degree of anonymity, to inspect, correct and delete any of their personal data, and to track the use of their personal data; they may also include a consent mechanism prior to providing personal data to online service providers. The report emphasises that, “data minimisation and consent mechanisms are an important part of PETs, and PETs often combine these elements with data protection tools into an integrated privacy system”.
The report highlights that “the rights [set out in Article 8 of the Charter of Fundamental Rights of the European Union which deals with an individual’s rights to the protection of personal data] form the basis of the legal framework in which PETs are deployed” and should have at their core the objective of transparency, proportionality and data minimisation.
The report explains how it is difficult to quantify the wider economic benefits of a data controller using PETs to protect an individual’s personal data, and how the evidence has shown that the benefits can only be assessed on a case-by-case basis. If anything, the study found little evidence to show that the demand by individuals for greater privacy is driving PETs deployment, and suggests that this is in part due to “the uncertainties surrounding the risk of disclosure of personal data, a lack of knowledge about PETs, and behavioural biases that prevent individuals from acting in accordance with their stated preference for greater privacy”.
The fact of the matter is, as the report makes very clear, that data controllers can derive a variety of benefits from holding and using personal data (including the personalisation of goods and services, data mining, etc.) and, to the extent that PETs limit the ability of data controllers to use personal data, this will clearly act as a disincentive to the exploitation of PETs. The report highlights that, “data controllers often favour mere data protection to protect themselves against the adverse consequences of data loss over data minimisation or consent mechanisms which can impede the use of personal data”. Evidence considered in the study suggests that there is a role for the public sector in helping data controllers realise the benefits of PETs, such as “official endorsements of PETs, including through pioneering deployment and official certification schemes, and direct support for the development of PETs, through subsidies to researchers (e.g. the European Framework Programmes)”.
As the heat in data privacy issues continues to rise, with increased powers of regulatory authorities, tougher sanctions being imposed and a greater emphasis in Europe’s legislation on security management, it is clear that privacy by design will be the most effective method of compliance.