(adopted at the 20th Meeting of the International Working Group on Data Protection in Telecommunications in Berlin 19 November 1996 based on the discussions at the 19th meeting of the Group in Budapest 15 and 16 April 1996)
"Budapest - Berlin Memorandum"
There can be no doubt that the legal and technical protection of Internet users' privacy is at present insufficient.
Ten guiding principles are set out in this document to improve privacy protection on the Net:
1. Service providers should inform each user of the Net unequivocally about the risks to his privacy. He will then have to balance these risks against the expected benefits.
2. In many instances the decision to enter the Internet and how to use it is subject to legal conditions under national data protection law. This means e.g. that personal data may only be collected in a transparent way. Patients' data and other sensitive personal data should only be communicated via the Internet or be stored on computers linked to the Net if they are encrypted. Arrest warrants issued by the police should not be published on the Internet.
3. Initiatives to arrive at closer international cooperation, even an international convention governing data protection in the context of transborder networks and services are to be supported.
4. An international oversight mechanism should be established which could build on the existing structures such as the Internet Society and other bodies. Responsibility for privacy protection will have to be institutionalized to a certain extent.
5. National and international law should state unequivocally that the process of communicating (e.g. via electronic mail) is also protected by the secrecy of telecommunications and correspondence.
6. Furthermore it is necessary to develop technical means to improve the user´s privacy on the Net. It is mandatory to develop design principles for information and communications technology and multimedia hard- and software which will enable the individual user to control and give him feedback with regard to his personal data. In general users should have the opportunity to access the Internet without having to reveal their identity where personal data are not needed to provide a certain service.
7. Technical means should also be used for the purpose of protecting
confidentiality. In particular the use of secure encryption methods
must become and remain a legitimate option for any user of the
Internet.
8. The Working Group would endorse a study of the feasibility
to set up a new procedure of certification issuing "quality
stamps" for providers and products as to their privacy-friendliness.
This could lead to an improved transparency for users of the Information
Superhighway.
9. Anonymity is an essential additional asset for privacy protection
on the Internet. Restrictions on the principle of anonymity should
be strictly limited to what is necessary in a democratic society
without questioning the principle as such.
10. Finally it will be decisive to find out how self-regulation by way of an expanded "Netiquette" and privacy-friendly technology might improve the implementation of national and international regulations on privacy protection. It will not suffice to rely on any one of these courses of action: they will have to be combined effectively to arrive at a Global Information Infrastructure that respects the human rights to privacy and to unobserved communications.
Today, the Internet is the world´s largest international computer network. There are "slip roads" to this "Information Superhighway" in more than 140 countries. The Internet consists of more than four millions of Internet sites ("hosts"); more than 40 millions of users from all over the world can use at least one of the different Internet services and have the facilities to communicate with each other via electronic mail. Users have access to an immense pool of information stored at different locations all over the world. The Internet can be regarded as the first level of the emerging Global Information Infrastructure (GII).The WorldWideWeb as the most modern Internet user interface is a basis for new interactive multimedia services. Internet protocols are increasingly being used for communications within large companies ("Intranets").
The participants in the Internet have different tasks, interests and opportunities:
Unlike in traditional processing of personal data where there is usually a single authority or enterprise responsible for protecting the privacy of their customers, there is no such overall responsibility on the Internet assigned to a certain entity. Furthermore there is no international oversight mechanism to enforce legal obligations as far as they exist. Therefore the user is forced to put trust into the security of the entire network, that is every single component of the network, no matter where located or managed by whom. The trustworthiness of the Net will become even more crucial with the advent of new software which induces the user not only to download programs from the Net, but also weakens his control over his personal data.
The fast growth of the Internet and its increasing use for commercial and private purposes give rise to serious privacy problems:
The participants in the Internet share an interest in the integrity and confidentiality of the information transmitted: Users are interested in reliable services and expect their privacy to be protected. In some cases they may be interested in using services without being identified. Users do not normally realize that they are entering a global market-place while surfing on the Net and that every single movement may be monitored.
On the other hand many providers are interested in the identification and authentication of users: They want personal data for charging, but they could also use these data for other purposes. The more the Internet is used for commercial purposes, the more interesting it will be for service providers and other bodies to get as much transaction-generated information about the customer's behaviour on the Net as possible, thus increasing the risk to the customer's privacy. Increasingly companies start to offer free access to the Net as a way of assuring that customers read their advertisements which become a major financing method for the whole Internet. Therefore they want to follow to want extent, by whom and how often their advertisements are being read.
With regard to certain risks mentioned the functions of the bodies which on an international, regional and national level manage the Net are important in particular when they develop the protocols and standards for the Internet, fix rules for the identification of servers connected and eventually for the identification of users.
Although several national governments and international organisations (for example the European Union) have launched programmes to faciliate and intensify the development of computer networks and services, only very little efforts have been taken to provide for sufficient data protection and privacy regulations in this respect. Some national Data Protection Authorities have already issued guidelines on the technical security of computer networks linked to the Internet and on privacy risks for the individual user of Internet services. Such guidelines have been laid down for example in France, in the U.K. (see the 11th Annual Report of the Data Protection Registrar, Appendix 6) and in Germany. The main topics can be summed up as follows:
There are also a number of international legal regulations and conventions that apply inter alia to the Internet:
- Recommendation with Guidelines on the protection of privacy and transborder flows of personal data adopted by the Council of the Organisation for Economic Cooperation and Development (OECD) on 23 September 1980
- Council of Europe Convention No. 108 for the protection of individuals with regard to automatic processing of personal data adopted on 28 January 1981
- Guidelines for the regulation of computerized personal data files adopted by the United Nations General Assembly on 14 December 1990
- European Council 90/387/EEC of 28 June 1990 on the establishment
of the internal market for telecommunications services through
the implementation of Open Network Provision (ONP) and ensuing
ONP Directives (defining data protection as "essential requirement")
- Directive 95/46/EC of the European Parliament and of the Council
of 24 October 1995 on the protection of individuals with regard
to the processing of personal data and on the free movement of
such data (EU-Data Protection-Directive)
- General Agreement on Trade and Services (GATS) (stating in Article XIV that Member States are not prevented by this worldwide agreement to adopt or enforce regulations relating to the protection of privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts.
The EU-Directive as the first supra-national legal instrument does contain an important new definition of "controller" which is relevant in the Internet context. Article 2 lit. c) defines "controller" as the natural and legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Applying this definition to the use of the Internet for purposes of electronic mail the sender of an electronic message has to be considered to be the controller of this message when sending a file of personal data for he determines the purposes and means of the processing and transmission of those personal data. On the other hand the provider of a mailbox service himself determines the purposes and means of the processing of the personal data related to the operation of the mailbox service and therefore he as "controller" has at least a joint responsibility to follow the applicable rules of data protection.
More recently the European Commission has published two documents which might lead to Union legislation and will in that event have considerable consequences on data protection on the Internet:
Communication to the European Parliament, the Council, the Economic
and Social Committee
and the Committee of the Regions on illegal and harmful content
on the Internet (COM(96) 487 )
and
Green Paper on the protection of minors and human dignity in audiovisual
and information
services (COM(96) 483).
Although not legally binding either and adopted on a national rather than an international level the
- Principles for providing and using personal information
"Privacy and the National Information Infrastructure"
adopted by the Privacy Working Group
of the Information Policy Committee
within the United States Information Infrastructure Task Force (IITF) on 6 June 1995
should be mentioned in this context for they are bound to influence the international data flows. They have been discussed intensively and fruitfully with the International Working Group on Data Protection in Telecommunications at the Joint Meeting in Washington, D.C., on 28 April 1995.
In practice some important and effective rules are being imposed by the Net Community themselves by way of self-regulation (e.g. "Netiquette"). Such methods are not to be under-estimated as to the role they play and might play in future in protecting the individual user's privacy. At least they contribute to creating the necessary awareness among users that confidentiality on the Net as a basic standard is non-existent ("Never send or keep anything in your mailbox that you would mind seeing on the evening news.") The EU-Data Protection Directive in turn calls for codes of conduct (Article 27) which should be encouraged by Member States and the Commission.
There can be no doubt that the legal and technical protection of Internet users' privacy is at present insufficient.
On the one hand the right of every individual to use the Information
Superhighway without being observed and identified should be guaranteed.
On the other hand there have to be limits (crash-barriers) with
regard to the use of personal data (e.g. of third persons) on
the highway.
A solution to this basic dilemma will have to be found on the
following levels:
1. Service providers should inform each potential user of the Net unequivocally about the risks to his privacy. He will then have to balance these risks against the expected benefits.
2. As "elements of network infrastructure as well as participants each have physical locations, states have the ability to impose and enforce a certain degree of liability on networks and their participants" (Joel Reidenberg). In many instances the decision to enter the Internet and how to use it is subject to legal conditions under national data protection law.
Personal data may only be collected in a transparent way. Patients' data and other sensitive personal data should only be communicated via the Internet or be stored on computers linked to the Net if they are encrypted.
There is also a strong case to prohibit the use of the Internet for the publication of arrest warrants by the police (the U.S. Federal Bureau of Investigations has published a list of wanted suspects on the Net for some time and other national police authorities are following this example). The described deficiencies in the authentication procedure and the easy manipulation of pictures in Cyberspace seem to prevent the use of the Net for this purpose.
3. Several national governments are calling for international agreements on the Global Information Infrastructure. Initiatives to arrive at closer international cooperation, even an international convention governing data protection in the context of transborder networks and services are to be supported.
4. An international oversight mechanism should be established which could build on the existing structures such as the Internet Society and other bodies. Responsibility for privacy protection will have to be institutionalized to a certain extent.
5. National and international law should state unequivocally that the process of communicating (e.g. via electronic mail) is also protected by the secrecy of telecommunications and correspondence.
6. Furthermore it is necessary to develop technical means to improve the user´s privacy on the Net. It is mandatory to develop design principles for information and communications technology and multimedia hard- and software which will enable the individual user to control and give him feedback with regard to his personal data. In general users should have the opportunity to access the Internet without having to reveal their identity where personal data are not needed to provide a certain service. Concepts for such measures have already been developed and published. Examples are the "Identity Protector" concept included in "Privacy-enhancing technologies: The path to anonymity" by the Dutch Registratiekamer and The Information and Privacy Commissioner of Ontario/Canada (presented at the 17th International Conference on Data Protection in Copenhagen (1995) and the "User Agent-concept" as reported on at the joint Washington meeting of the Working Group with the Privacy Working Group of the IITF (April 1995).
7. Technical means should also be used for the purpose of protecting
confidentiality.
The use of secure encryption methods must become and remain a
legitimate option for any user of the Internet.
The Working Group supports new developments of the Internet Protocol
(e.g. IP v6) which offer means to improve confidentiality by encryption,
classification of messages and better authentication procedures.
The software manufacturers should implement the new Internet Protocol
security standard in their products and providers should support
the use of these products as quickly as possible.
8. The Working Group would endorse a study of the feasibility
to set up a new procedure of certification issuing "quality
stamps" for providers and products as to their privacy-friendliness.
This could lead to an improved transparency for users of the Information
Superhighway.
9. Anonymity is an essential additional asset for privacy protection
on the Internet. Restrictions on the principle of anonymity should
be strictly limited to what is necessary in a democratic society
without questioning the principle as such.
10. Finally it will be decisive to find out how self-regulation by way of an expanded "Netiquette" and privacy-friendly technology might improve the implementation of national and international regulations on privacy protection. It will not suffice to rely on any one of these courses of action: they will have to be combined effectively to arrive at a Global Information Infrastructure that respects the human rights to privacy and to unobserved communications.
The International Working Group on Data Protection in Telecommunications will monitor the developments in this field closely, take into account comments from the Net Community and develop further more detailed proposals.