Lors de cette conférence deux résolutions ont été adoptées:
- une sur l'infonuagique (ou cloud computing) dans laquelle les commissaires recommandent que :
"- Cloud computing should not lead to a lowering of privacy and data protection standards as compared with other forms of data processing;
- Data controllers carry out the necessary privacy impact and risk assessments (if necessary, by using trusted third parties) prior to embarking on CC projects;
- Cloud service providers ensure that they provide appropriate transparency, security, accountability and trust in CC solutions in particular regarding information on data breaches and contractual clauses that promote, where appropriate, data portability and data control by cloud users; cloud service providers, when they are acting as data controllers, make available to users, where appropriate, relevan information about potential privacy impacts and risks related to the use of their services.
- Further efforts be put into research, third party certification, standardisation, privacy by design technologies and other related schemes in order to achieve a desired level of trust in CC; to build privacy thoroughly and effectively into cloud computing adequate measures should be embedded into the architecture of IT systems and business processes at an early stage (privacy by design);
- Legislators assess the adequacy and interoperability of existing legal frameworks to facilitate cross-border transfer of data and consider additional necessary privacy safeguards in the era of CC, and
- Privacy and Data Protection Authorities continue to provide information to data controllers, cloud service providers and legislators on questions relating to privacy and data protection issues."
- une autre sur le futur de la vie privée, dans laquelle " [t]he 34th International Conference of Data Protection and Privacy Commissioners has decided that its members should:
1. intensify cooperation with each other in order to respond to cross-border data protection and privacy risks in a coordinated manner, by joining multilateral cooperation and enforcement networks;Lors de cette conférence, les commissaires ont également mis l'accent sur les enjeux liés au profilage comme l'illustre la déclaration de la conférence qui invite à prendre en considération les éléments suivants en ce domaine:
2. share information and expertise as much as possible to ensure that the authorities’ scarce resources can be used to the maximum possible;
3. use this window of opportunity to achieve greater interoperability between the various legal systems and privacy regimes."
"I. To create trust, public and private entities around the world need to ensure that they inform society to the maximum possible extent about their profiling operations. They should be more transparent about profiling, the way the profiles are assembled and the purposes for which the profiles are used. Providing better information should also ensure individuals have better control over their data.Pour plus de détails, voir:
II. Profiling operations need to be distinguished in three phases. First of all, it should be determined what is the need for the use of profiling. Secondly, the public or private entity in question should decide which assumptions and which data should form the basis for the profile. Finally, it should be decided in what way the profile can be applied in practice. It would be advisable if the various phases are subject to separate decisions and to regulatory oversight.
III. Both profiles and the underlying algorithms require continuous validation. This means controls should take place to verify if the results from profiling make sense and can reasonably be linked to the data provided at input. It also allows to further improve the profiles and underlying algorithms, thus improving results.
IV. Profiling operations should not take place without human intervention, especially now that the predictive power of profiling due to more effective algorithms increases. Injustice for individuals due to fully automated false positive or false negative results should be avoided.
V. The creation and application of profiles should preferably not be in the same hand. A balance needs to be found between the information used to create the profile and its practical application.
VI. Especially in the third phase, the practical application of the profile, provisions need to be established to allow the individual to challenge both the profile and the outcome.
VII. Profiling requires strong and independent privacy enforcement authorities with supervisory powers over both the public and the private sector. The authorities should ensure they have all the relevant and up to date knowledge regarding technological developments like profiling.
VIII. Governments have access to many large databases also containing data collected by private entities. Furthermore, they are able to create laws in order to define their own legal basis. Therefore, privacy enforcement authorities should be able to test and challenge government proposals, for example carrying out audits and be able to scrutinize in the pre-legislative phase."
- 34° INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS, Resolution on cloud computing, Punta del Este (Uruguay), October 26, 2012.
- 34° INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS, Resolution on the future of privacy, Punta del Este (Uruguay), October 26, 2012.
- 34° INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS, Uruguay Declaration on Profiling, Punta del Este (Uruguay), October 26, 2012.