Trustworthy infrastructure for personal data management
Slide 1 (www.enisa.europa.eu)
Trustworthy Infrastructure
for Personal Data Management
Udo Helmbrecht
Executive Director, ENISA
Digital Enlightenment Forum
Brussels, 19th September 2013
Slide 2
Virtual world and privacy
• Divergent approaches
– Personal data protection vs. data retention
• Difference of perception across countries/regions
– Privacy – human right in EU or consumer right in US
• A new currency: personal data
• Contradictory expectations and practice
– Privacy - fundamental human right in the EU
– Users concerned about privacy
• 93% of participants in ENISA study [1]
– Users willing to disclose more personal data for discounts
• up to 87% of participants, in some cases, for a 0.5 € discount in the study
[1] http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/monetising-privacy
Slide 3
Data protection
• Fundamental human right in the EU [2]
• Legislation reform
• Current context very complex

Data retention [1]
• Legislation not transposed in all 27 MS
• Different interpretation
• Current context very complex
• Questionable practice / deployment

Technology
• Scalability
• Advances in ICT
• Different technologies, lack of level playing field
• Cost of deployment for secure solutions
• Pan-European approach for information security needed
• Different technologies
• Cost of deployment for secure solutions
• Scalability of the solutions
• PETs still under development
• Deployment costs
• Scalability of the solutions
• ‘Blanket’ interception
• Deep packet inspection

Figure: Complex interactions (between data protection, data retention and technology)
[1] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF
[2] http://www.europarl.europa.eu/charter/pdf/text_en.pdf
Slide 4
‘The right to be forgotten’ [1]: between expectations and practice
• Included in the proposed regulation on “the processing of personal data and on the free movement of such data” published by the EC in Jan 2012.
• ENISA addressed the technical means of assisting the enforcement of the right to be forgotten.
• A purely technical and comprehensive solution to enforce the right in the open Internet is generally not possible.
• Technologies do exist that minimize the amount of personal data collected and stored online.
• Personal data is the new currency in the cyberspace!
[1] http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/the-right-to-be-forgotten
Slide 5
Notification about security breaches in the EU legislation
Relevant notification articles:
• Article 13a of the Framework Directive for electronic communication
• Article 4 of the e-Privacy Directive
• Article 15 of the Draft Regulation on e-identities
• Articles 30, 31 and 32 of the Draft General Data Protection Regulation
Figure: Commonalities and differences between notification articles (Framework Directive, E-Privacy Directive, e-ID Regulation, Data Protection Regulation)
Source: EU Cyber Incident Reporting, ENISA 2012
http://www.enisa.europa.eu/activities/Resilience-and-CIIP/Incidents-reporting/cyber-incident-reporting-in-the-eu
Slide 6
Trust in the infrastructure
Gaps in supply chain
• Technical level
– For software – Trusted Computing
– No efficient methods to control HW components
• HW trojans, counterfeit elements, reverse engineering, side channel attacks
• Physical analysis is complex, time consuming, costly
• Labelling/marking is subject to counterfeiting
• Risk analysis framework
– Product driven
– Based on financial risk
– No methods for dynamic real time systems
• Standardisation scheme
– Existing certification schemes not addressed for complex supply chains
– Lack of efficient technical solutions does not allow for implementation of controls
Slide 7
Towards secure infrastructure for data processing
• The challenges extend beyond MS borders, hence…
– MSs and the EU need close collaboration with industry and research
• A gap is observed between
– what is possible at technological level
– what is available at market place and proposed by policy makers
• Users are primarily interested in
– Convenience, ease of use
– Price (preferably free)
• Technical issues in implementation of data protection mechanisms
– Right to be forgotten
– Minimal disclosure
– Portability of profiles
• The role of standardisation is still not clear
Slide 8
European Union Agency for Network and Information Security
Science and Technology Park of Crete
P.O. Box 1309
71001 Heraklion
Crete
Greece
Follow ENISA
http://www.enisa.europa.eu