
Dutch Data Commissioner opened first ICX Privacy Workshop

Speaking notes of Mr P.J. Hustinx
The Netherlands Data Commissioner

Mr. Chairman, Ladies & Gentlemen,

Many of you may have spent a lot of time lately to get your organisations ready for the next millennium. Now you are here - satisfied, confident or still a bit concerned - and it is quite possible that you have not given much time and thought to privacy in the next century.

Others may have spent considerable time also in developing and improving a policy for your organisation on how to deal with privacy, both in the real and the virtual world, the area some like to refer to as "cyberspace" because it seems to suggest "unlimited possibilities" and "no rules" to be concerned about.

All of you may find this meeting useful. It has been organised for the presentation of the ICX Privacy Code of Conduct, an initiative of Shell Services International and a number of other companies represented here.

As a European Data Protection Commissioner, responsible in the Netherlands for monitoring our national Data Protection Act, I also welcome this meeting - and the same will apply to a number of colleagues here - even if in the course of the day we would find that the Code of Conduct could be improved on certain points to fully meet our expectations. In that case, it would still be a valuable learning exercise. And learning is one of the basic principles and cornerstones of the new Information Society.

I think there are at least three answers to the question "Why Privacy Matters". Let me briefly describe them to you.

First answer - human right
The first answer is that privacy is - in this part of the world - regarded as a basic human right, enshrined in international conventions, national constitutions, tradition and culture. And that is why national parliaments and international organisations like the Council of Europe and the OECD have developed legal safeguards for the protection of privacy in connection with the processing of personal data. In the European Union, this has led to the adoption in October 1995 of a Directive to harmonise national legislation in this field, and to provide "a level playing field" for all activities which increasingly relate to or depend on the processing of personal information. The Directive and the national legislation provide the legal framework within which responsible companies do business and deliver their services. This is relevant for business within the EU and for data flows to third countries, since the Directive also deals with the existence or non-existence of adequate levels of protection in those third countries.

Second answer - personal concern
The second answer is that privacy matters to the persons concerned: employees, consumers, patients or other people whose data are collected, processed and used, with or without their knowledge and consent. That is data about us, you and me, in the many different roles we play in our lives, both at work and elsewhere. Recent research both in Europe and in the US indicates that people do care, even if they sometimes act otherwise, and continue to care about the protection of their personal information. The same research shows that this is particularly relevant for the development of electronic commerce and for the use of the Internet: how to secure "trust and confidence" of consumers is one of the key areas of attention, not only for privacy or data protection commissioners, but also for businesses specialising in e-commerce and related services. In other words: the great expectations of the Information Society, both in a social and in an economic sense, depend in part on the way in which these privacy issues are handled and solved.

Third answer - good business sense
The third answer is therefore that it makes sense - also good business sense - to deal with privacy as something that matters. That means to take it seriously, to invest in it, to deal with it in a positive and pro-active way, to act as good corporate citizens, and to develop good ways of "privacy governance". I would like to see today's Code of Conduct as an example of that approach and I intend to judge it accordingly.

Around the world, there are various ways to approach the issues indicated here. However, in order to be effective, any privacy policy should in my view contain at least the following four elements.

Firstly, it is important to raise awareness and to inform the public or the persons concerned about the relevant issues and the ways to handle them, about their rights and obligations, and the technical tools available to protect the interests at stake. This should be a continuous effort, not only for data protection authorities, but for all organisations which decide to take this seriously.

Secondly, it is important to have an appropriate legal framework. In this part of the world, this means a national law which is in line with the EU Directive on data protection. It is obvious, however, that codes of conduct have to play an important role in bridging the gap between the general principles of the law and the specific characteristics of each industrial sector. This is also mentioned expressly in the EU Directive.

Thirdly, it is important to make the best possible use of information technology. ICT is not only a source of privacy problems, but also a source of solutions for these problems. That is why the development and implementation of 'Privacy Enhancing Technologies' (PET) should be stimulated as much as possible.

Fourthly, it is important to make sure that good intentions are put into practice and deliver the best possible results. That is why we need mechanisms to measure compliance and provide the necessary feedback. External audits and other means of verification should come in here as parts of a system for quality management and quality control. This should raise further awareness in organisations and, ideally, develop into a circular process of a more permanent nature.

Again, the key word here is 'learning'. I welcome this meeting as a positive signal, in line with that approach, and I wish you all sorts of success.

© copyright December 1999 Mr. P.J. Hustinx and International Commerce Exchange Ltd.

How to obtain a copy of the Privacy Code of Conduct:
The ICX Privacy Code of Conduct is being constantly updated and we are now working on revising the 18 Applicable Laws (15 EU countries and 3 EEA countries). If you have an interest and would like to join the Work Group, please send an e-mail to:


