conference cyber law bali
Leiden University. The university to discover.
International Cyber Law Seminar, 15 & 16 January 2013, Kuta, Bali
The EU and the Netherlands
Dr. Marten [email protected]
Agenda
- Data protection
- e-Authentication
General overview (issue: pointers to Dutch/EU legislation)
- Privacy & data protection: Data Protection Act; Telecommunications Act
- Intellectual property rights: Copyright Act; Neighbouring Rights Act; Patent Act 1995; Database Act; Benelux Treaty on IPR (trademarks); "Chip Act"; Trade Name Act
- e-Contract: Civil Code
- Advertising & consumer protection: Civil Code
- Cybercrime & evidence: Code of Criminal Procedure
- Taxation: normal sales tax (VAT) applies online
- E-Government & public services: Administrative Code
- Unfair competition: Competition Act
- Insurance: Civil Code; Financial Supervision Act
- e-Payment system: EU SEPA Directive & regulations; EU e-Money Directive
- Archives & corporate documents: Civil Code; Archive Act
Data protection
- 1995
  - European Directive 1995/46/EC
    • Legal framework for EU Member States
- 25 January 2012
  - Proposal for a General Data Protection Regulation (GDPR)
  - Proposal for a Directive (criminal data)
- Directive vs. Regulation
  - Directive: obliges Member States to implement into national legislation
  - Regulation: directly enforceable in all Member States
Helicopter view of the Directive (I)
- Personal data
- Controller, subject, processor
- "Processing"
- Processing only allowed for the "purpose"
- Exhaustive list of reasons for processing:
  - Consent
  - Performance of contract
  - Legal obligation
  - Vital interest of the subject
  - Public interest
  - Legitimate interests of the controller
Helicopter view of the Directive (II)
- Sensitive data
  - Race, ethnicity, political opinion, religious & philosophical beliefs, trade union membership, health, sex life
- Rights of the subject
  - Information, access, right to object
- Data processing agreement
  - Contract between controller & processor
Helicopter view of the Directive (III)
- Transfer to third countries (outside EU/EEA)
  - Only allowed if:
    • Adequate level of protection
    • Consent of the subject
    • Transfer is necessary for execution of a contract between subject and controller
    • Necessary for vital interests of the subject
    • (…)
  - And/or(?):
    • EU model clauses (decision 2010/87/EU)
    • Binding corporate rules (BCR) (authorization by regulator)
    • US Safe Harbor (decision 2000/520/EU)
Transfer to third country
Transfer under the General Data Protection Regulation
- Transfer is allowed if:
  - Adequacy decision
    • Country, territory, processing sector, international organization
  - Appropriate safeguards
    • BCR
    • Model clauses
  - Derogation applies
    • Consent, contract performance, …
In practice
- IT administrator in Bangalore
- Transfer to third country?
  - "(…) transfer of personal data which are undergoing processing or are intended for processing after transfer (…)"?
In practice
- Patriot Act
  - FISA order/NSL can imply illegal transfer to third country
    • Leaked draft of the regulation:
      – "(…) no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognized or be enforceable in any manner, without prejudice to a mutual assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State."
Other
- "Right to be forgotten and to erasure"
- Right of data portability
- Security breach notification
  - Within 24 hours to the supervisory authority
  - After that, without undue delay to the subject
- Fines
  - Maximums of 0.5%, 1% and 2% of annual worldwide turnover
e-Authentication
- Legal framework
- DigiD
- e-Identity ("eHerkenning")
Legal framework
- Directive 1999/93/EC on a Community framework for electronic signatures
- New proposal: EU Regulation on electronic identification and trust services for electronic transactions (COM(2012)238)
Legal framework (type of signature: abbreviation)
- Electronic signature: ES
- Advanced electronic signature: AES
- Advanced electronic signature, based on a qualified certificate: AES + QC
- Advanced electronic signature, based on a qualified certificate, created with a secure-signature-creation-device: AES + QC + SSCD ("qualified electronic signature")
- Certificate
  • Links a public key to a person
- SSCD
  • Software/hardware used to create an electronic signature
- Related terms: public/private keys; encryption; Certificate Service Provider; Certificate Policy (CP); Certificate Practice Statement (CPS)
Legal effect of the electronic signature
- Focus on handwritten signature
- Qualified electronic signature
  - Has the equivalent legal effect of a handwritten signature
  - Is admissible as evidence
- Non-qualified electronic signature
  - "will not be denied legal effect"
Functions of the handwritten signature vs. public key encryption
- Handwritten signature: identity of the signatory; intention of the signatory
- Public key encryption: identification; authentication; confidentiality; integrity; non-repudiation; (…)
Broader scope of the Regulation
- Not just e-signature, but:
  - Trust services in general
    • Electronic signature
    • Electronic seal
    • Electronic time stamps
    • Electronic documents
    • Electronic delivery services
    • Website authentication
    • Electronic certificates
A generic authentication service (diagram; parties: User, Service provider, Authentication service provider)
Authentication means
- Something you know (knowledge)
- Something you have (possession)
- Something you are (inherence)
  • Single-factor authentication
  • Two-factor authentication
  • Multi-factor authentication
DigiD
- Authentication system
- Provided to Dutch citizens
- Electronic communication with government
- Mandatory for tax filings
- Verification against Database Persons (GBA)
- Security levels
  • Basic: single factor
  • Middle: two factor
  • High: PKI chipcard
DigiD
- Issue process
  1. Request account on website
  2. Activation code sent to the address as registered in Database Persons (snail mail)
- Hereafter, DigiD can be used to log in
- National identification number (BSN)
  - Use of BSN is strictly regulated
DigiD fraud
- Request DigiD account for your neighbour
- Steal the activation code from his mailbox
- Use his DigiD to apply for social security payment
- Fill in your own bank account for the payment
- … not exactly the perfect crime
e-Identity (eHerkenning)
- Business to Government
- Public/private cooperation
- Competitive/cooperative domain
- Two-sided market
- One digital key
- Five security levels
- See also STORK
- Assurance level is determined per phase:
  1. Registration phase: identification procedure; issue process
  2. Authentication phase: type and robustness of token; security of authentication mechanism
e-Identity (eHerkenning) (diagram; roles: Company & User, Service provider, Broker, Token issuer, Authentication service, Mandate register, Scheme)
Contractual relations (diagram; parties: Participant, Governing body, Company, Service provider; agreements: participation agreement, service agreements)
e-Identity and the Regulation
- Cross-border acceptance of online identification
  - Within EU
  - If the scheme is notified
  - Member State has to
    • Accept liability
    • Ensure availability
      – At any time, free of charge
- What about public/private cooperation?
- Third country providers: treaty
Questions