The EU Commission is in the process of considering the visions of the EU Data Protection Directive (Directive 95/46/EC). To provide input to this process, a number of Danish trade and industry associations and the Danish Consumer Council organised a workshop in March 2011 for decision-makers and experts from organisations, institutions, research, industry and civil society to discuss future principles and recommendations on privacy.

The tangible results of this workshop are the Copenhagen Privacy Principles, which can be downloaded from here.

Even though the workshop did not reach – and did not intend to reach – consensus on actual recommendations for specific wording or provisions in the revised directive, the workshop produced agreement across sectors and interests on certain principles which should guide the EU Commission in its work.

An interesting and, in my opinion, useful approach to be found in the principles is the revised EU Data Protection Directive, which proposes making it mandatory to design IT systems in a way that promotes protection of privacy. The principles point to tools such as a Privacy Impact Assessment (PIA) and a Privacy-by-Design template which specifically refers to the use of Privacy Enhancing Technologies.

The main principles can be summarised as follows:

•    Public sector should act as a driver
•    Public and private service providers handling personal information should be held responsible and accountable
•    Citizens’ right to privacy should be protected
•    Data protection authorities must be strengthened
•    Greater awareness among political decision-makers is necessary
•    Awareness campaigns should be implemented

Work on defining general principles normally has an unfortunate, albeit natural, tendency to state the obvious and the uncontroversial, as this is the only way to reach a consensus among different and often conflicting interests. In the case of the Copenhagen Privacy Principles, it seems that these can actually provide some practical and useful guidance for the EU Commission, in particular because they point to a new and relatively specific factor in securing privacy: encouraging developers of IT systems to take Privacy Enhancing Technologies into consideration from the start.