128
PRIVACY AND SURVEILLANCE 2013
net of infinite memory. In this “brave new data world” a robust, future-proof set
of rules is required, in order to ensure that individuals will enjoy (and retain) ef-
fective control over their personal information.
3. From PETs to Privacy by Design?
3.1 PETs and their limited efficiency
Information and communication technologies (ICTs) offer a wide range of tools
and mechanisms to protect personal data: Privacy Enhancing Technologies (or
PETs) have no universally agreed definition, but it is generally accepted that
these technologies aim to reduce the risk of contravening privacy principles and
legislation, they aim to minimize the amount of personal data being held by other
parties, and/or provide individuals with control over their personal information
that is being held. The European Commission defines PETs as “a coherent system
of ICT measures that protects privacy by eliminating or reducing personal data
or by preventing unnecessary and/or undesired processing of personal data, all
without losing the functionality of the information system”
8
.
Most PETs are composite technologies that employ security measures such as en-
cryption and access control mechanisms in conjunction with other mechanisms to
enhance overall privacy. Their development and application is based on the basic
principles for the protection of personal data and they entail various technologies
at different levels of maturity and with varying effectiveness. PETs allow individ-
uals control what personal information is processed, how it is processed and by
whom (e.g. privacy audits, data minimization tools and log files). They can also
provide users with the ability to hide their true identity (e.g. tools that offer anony-
mous or pseudonymous access to online services). Other PETs include encryption
tools, filters and blockers, digital track erasers, consent mechanisms, data mini-
mization tools, the Platform for Privacy Management (P3P
9
), privacy seals, digi-
tal identity management tools, privacy policies, access control schemes and tech-
nologies for privacy protection for RFID systems. There is a usual misconception
between security and privacy technologies. Many information security technolo-
gies are also applied for providing privacy (e.g. encryption tools, access control
schemes) but not all security measures are PETs. Moreover, several security con-
trols (e.g. monitoring tools) have privacy invasive applications.
The core principles for the protection of personal data, namely transparency,
proportionality and data minimization, as described in the European Union Data
8. COM(2007) 228 final.
9.
/.
