Media & Resource Center  > White Papers & Guides

> Back to Made Simple Guides

GlobalPlatform | Privacy framework made simple

Why has 'privacy' remained a hot topic?

In today's connected world, people are voluntarily giving up more information about themselves than ever before. Through online forms, social media platforms, tax returns, dating websites, mobile phones and internet browsers (to name just a few) personal details are stored by organizations on their customers, employees and suppliers.

This information is vulnerable to misuse. For example, personal details can be sold on to other companies to be used for soliciting, track an individual's movements and, if it is not protected appropriately, susceptible to unauthorized third party access or malicious use.

As more private and sensitive data is stored and shared, privacy will become even more important to everyone concerned; governments, companies and consumers.  For most governments, loss of sensitive information could lead to citizen discontent; for companies this could result in financial losses; and for consumers the theft of information related to their private life.

While individual efforts to protect privacy are progressing at a national and market level, these regulatory documents seldom offer an accompanying implementation guide and an explanation of how to apply privacy to platform products.  In other words, there is no activity currently underway to develop one, global standardized framework that addresses how to implement privacy rules on a secure platform.

Why is GlobalPlatform involved in the privacy landscape?

There are currently countless regulations in place, many of which address the needs of an individual sector. In order to bring consistency and structure to this environment, criteria need to be established by an impartial organization which operates across multiple sectors to deliver a single set of rules – a privacy framework – that can act as a guide for those deploying privacy-enhanced technology.

GlobalPlatform is a cross-industry body that understands the complexity brought about by market convergence. The organization is engaged with a range of players across multiple industries and is therefore in a position to capture and incorporate the privacy needs of each market into one reference document.

The introduction of multiple applications on the same device has implications on privacy as different applications have different privacy and security needs. For instance, applications stored on a mobile device may share access to the Secure Element (SE), but have different data access rights. This is a complex situation as strict rules need to be implemented to ensure different privacy policies can coexist without the whole platform reverting to the privacy level of the application that requires the least protection. This is important as information leaked by one application could be used by a third party to compromise others. The challenge is to keep the information stored on the device secure and increase control on data that is sent to or used by a third party or service provider, for example, without it being accessed intentionally or unintentionally by an unauthorized party.

As secure-chip solutions are designed to address specific market needs, it is difficult to put a value on ‘privacy' and request all market participants to meet a predefined privacy specification. By creating the framework, GlobalPlatform will instead provide a common set of criteria for all parties to work from, that will evolve over time to guarantee that a privacy-enhanced platform meets the requirements set out by its environment.

To date, what work efforts has GlobalPlatform completed in the privacy space?

The GlobalPlatform Government Task Force (now known as the Identity Task Force) has published a Privacy Framework Requirements document, which provides an overview of how GlobalPlatform Specifications will address the issue of privacy in relation to the management of applications and data on secure chip technology. The framework aims to assist governments during their Privacy Impact Assessment Process (PIA) as well as enterprises conducting privacy-related activities.

The Privacy Framework has been created to provide implementers with the tools and knowledge of ‘how’ regulatory privacy guidelines can be applied using GlobalPlatform’s Card Specifications. Using commonly referenced industry definitions, the framework defines a selection of privacy attributes – with precise properties and terminology – to create a unique, global framework that enables applications with different privacy requirements to reside on the same platform. The framework is applicable to any privacy enhanced technology (PET).

What are the next steps?

The GlobalPlatform Identity Task Force continues to identify and address the identity use cases that can be supported by GlobalPlatform technologies, including and specifically encompassing privacy.

If you would like any further information on the privacy framework or on how to get involved, please contact