Title: CONFIDENTIALITY AND SECURITY

The security obligations require that appropriate technical and organisational measures are taken both at the time of the design of the system and at the time of the processing of the personal data itself (article 17 D95/46 EU).

Also, an appropriate level of confidentiality and security must be implemented, taking into account the state of the art and the costs of the implementation of the measures in relation to the risks represented by the processing and the nature of the data to be protected (see article 16 & 17). AmI environments require interconnectivity and interoperability through different networks and different controllers, located in different countries. It will be difficult to find out who is responsible in case of a technical or organisational failure. It is very difficult to trace back at what point data are stolen of illegally disseminated to third parties, and so far it is in fact rather difficult to even know at all that there has been a security or confidentiality breach. The provisions may again seem vague or abstract, as they refer to circumstances that will vary depending on the context and can only be defined on a case-by-case basis. The reference to the state of the art in combination with the costs of implementation could make this type of protection dependent on the accepted standards in the relevant sector.