Cybersecurity PPP: Privacy, Data Protection, Digital Identities
The use of modern telecommunications and on-line services involve users' personal information.. For example, using search engines exposes the query terms used, which can be both sensitive and identifying, as illustrated by the exposure of search terms; social networking services expect users to reveal their social connections, messages and preferences, that could lead to direct privacy violation if exposed. Browsing the web also leaves traces of where users have gone, their interests, and their actions - meta-data that can be used to profile individuals.
The implementation the draft General Data Protection Regulation (GDPR - currently in the law-making process) presents both technological as well as organisational challenges for organisations which have to implement novelties such as the right to data portability, the right to be forgotten, data protection impact assessments and the various implementations of the principle of accountability.
Many services on the Internet depend on the availability of secure digital identities which play a crucial role in safeguarding the data and privacy of citizens as well as protecting them and other actors such as private companies or public services form various online threats. At the same time, many European countries already have or are in the process of developing an electronic identity (eID) scheme. Most of these projects are built to be at a very high security level, which makes them very suitable for diverse eGovernment processes. But in turn they may lack usability for commercial applications.
Scope
Innovation Actions: Proposals may cover one of the strands identified below.
Privacy-enhancing Technologies (PET)
Novel designs and tools to provide users with the functionality they require without exposing any more information than necessary, and without losing control over their data, to any third parties. PET should be available in a broad spectrum of products and services, with usable, friendly and accessible safeguards options. PET should be developed having also cost effective solutions.
Comprehensive and consistent Privacy Risks Management Framework should be available, in order to allow people to understand their privacy exposure (i.e. helping people to understand what happens to their data when they go online, use social networks etc).
Open source and externally auditable solutions are encouraged in order to maximise uptake and increase the trustworthiness of proposed solutions.
General Data Protection Regulation in practice
Tools and methods to assist organisations to implement the GDPR taking into account the final provisions of GDPR and guidance from relevant authorities (Data Protection Authorities, Art 29 WP or its successor).
Proposals may also address the need to provide support (procedures, tools) for entities to understand how to operate without requiring unnecessary information (so as to promote privacy respecting practices), in particular when the issue is mainly related to the fact that organizations (businesses, service providers, and government agencies) often require too much information from their target customer/user.
Secure digital identities
With a view to reducing identity fraud while protecting the privacy of citizens, proposals should develop innovative, secure and privacy enhancing digital identity platforms beyond national eID systems.
Activities may leverage existing European electronic identification and authentication platforms with clearly defined interfaces based on the General Data Protection Regulation (GDPR).
Proposals may:
- Leverage evidence-based identities (using adequate correlation of multiple soft proofs of identity, as opposed to the usage of a central register);
- Provide a function for so called “qualified anonymity”, which means, that the online service does not have any information about the user but a pseudonym. The real identity of the user can only be revealed under specific conditions such as at the request of legal authorities;
- Consider cost-effective and user-friendly verification methods for mobile identity documents.
For all strands, proposals should identify and address the societal and ethical dimensions of the strand they choose to cover taking into consideration the possibly divergent perspectives of pertinent stakeholders.
Proposals have to address the specific needs of the end-user, private and public security end users alike. Proposals are encouraged to include public security end-users and/or private end users.
The Commission considers that proposals requesting a contribution from the EU between EUR 2 and 3 million would allow these areas to be addressed appropriately. Nonetheless, this does not preclude submission and selection of proposals requesting other amounts.
The outcome of the proposals is expected to lead to development up to Technology Readiness Level (TRL) 6 to 7; please see part G of the General Annexes.
Expected Impact
- Support for Fundamental Rights in Digital Society.
- Increased Trust and Confidence in the Digital Single Market
- Increase in the use of privacy-by-design principles in ICT systems and services
Cross-cutting Priorities
- Socio-economic science and humanities
- Open Innovation