On October 26, 2012, three resolutions were adopted by the closed session of the 34th International Conference of Data Protection and Privacy Commissioners and have been published on the conference website. Below we provide an overview of these resolutions.
Uruguay Declaration on Profiling
The most significant of the three resolutions, the “Uruguay Declaration on Profiling,” directs the privacy enforcement community to consider eight factors when dealing with profiling that involves analyzing data to identify trends, then using that trend analysis to make decisions. The resolution, which considers advanced analytics and big data to be a subset of profiling, is grounded in the EU Data Protection Directive (95/46/EC) principles. The introduction to the resolution acknowledges the benefits of profiling and balances those benefits against the potential risks to individuals. That said, the eight points identified in the resolution address only the processes and procedures to protect privacy; they do not require regulators to consider the benefits of analytics and profiling for individuals, society and organizations. The Centre for Information Policy Leadership’s analytics project is working on governance solutions intended to protect individual privacy and take into account the potentially substantial benefits associated with applications involving the predictive value of data.
Resolution on Cloud Computing
The second resolution (“Resolution on Cloud Computing”) recognizes the increasing importance of cloud computing and the fact that it creates privacy and security risks for individuals. The resolution, which urges cooperation among all stakeholders, makes six recommendations for data protection agencies, organizations providing cloud services, organizations that make use of those services and legislators.
Resolution on the Future of Privacy
The third resolution, entitled “Resolution on the Future of Privacy,” continues the conference trend of encouraging greater cooperation among data protection authorities around the world. This year’s resolution references the efforts made by Europe, the United States and APEC to adopt more rigorous approaches to data protection and the broader globalization of data processing. It suggests three action items that build on last year’s recommendations:
- Intensify cooperation;
- Share information and expertise; and
- Achieve greater interoperability between legal systems and privacy regimes.
Over the past year, there has been a dialogue between APEC and the European community and greater cooperation among the established data protection authorities. The Centre for Information Policy Leadership has contributed to the movement with the Global Accountability Project and work in APEC.
The International Conference now has a permanent governance structure led by Dutch Commissioner and Article 29 Working Party President Jacob Kohnstamm, thus increasing the importance of the resolutions adopted by the conference. Data protection and privacy executives should look closely at the resolutions on profiling and cloud to assess the potential impact on their data privacy programs.
The Polish Data Protection Authority recently announced that it will host the next International Conference on September 23-27, 2013, in Warsaw, Poland.