European Data Protection Supervisor (EDPS) Peter Hustinx has told the European Commission that the law should change and be applied to three areas of technology development as a priority. These are social media, RFID and targeted advertising.
The EDPS has adopted an opinion and submitted it to the Commission, which is developing a 'digital agenda' to guide its governance of emerging and existing technologies.
"Although the EU has a strong data protection regulatory framework, in many instances ICTs raise new concerns that are not accounted for within the existing framework. Further action is therefore necessary," said the office of the EDPS in a statement.
"To significantly minimise the risks and to secure users' willingness to rely on ICTs [information and communication technologies], it is crucial to integrate, at practical level, data protection and privacy from the very inception of new ICTs," said Hustinx. "This need for a 'Privacy by Design' approach should be reflected in the EU data protection legal framework at different levels of laws and policy making."
"Privacy by Design needs to be explicitly included as a general binding principle into the existing data protection legal framework," said the EDPS statement. "This would compel its implementation by data controllers and ICT designers and manufacturers while offering more legitimacy to enforcement authorities to require its effective application in practice."
"Privacy by Design should also be fully endorsed by the forthcoming European Digital Agenda and become a binding principle in future EU policies," it said.
Hustinx said that the change was vital if users were going to learn to trust emerging information services.
"The potential benefits of ICT can only be enjoyed in practice if they are able to generate trust," said Hustinx. "Such trust will only be secured if ICTs are reliable, secure, under individuals' control and if the protection of their personal data and privacy is guaranteed. To significantly minimise the risks and to secure users' willingness to rely on ICTs, it is crucial to integrate, at practical level, data protection and privacy from the very inception of new ICTs."
The EDPS advises EU bodies on data protection policy and oversees their own data protection practices.
Hustinx said that radio frequency identification (RFID) technology was an area in which more care was needed. He said that legislation should regulate RFID use in case self-regulation does not offer enough protection for users.
He also said that privacy by default settings should be mandated for social networks and the technology behind behavioural and targeted advertising.