Conference Cyber Law Bali

International Cyber Law Seminar, 15 & 16 January 2013, Kuta, Bali. The EU and the Netherlands. Dr. Marten Voulon, Leiden University.

Uploaded by martenlinkedin on 28-Nov-2014.

TRANSCRIPT

Page 1: Conference Cyber law Bali

Leiden University. The university to discover.

International Cyber Law Seminar, 15 & 16 January 2013, Kuta, Bali

The EU and the Netherlands

Dr. Marten Voulon, [email protected]

Page 2: Conference Cyber law Bali

Agenda
- Data protection
- e-Authentication

Page 3: Conference Cyber law Bali

General overview (issue: pointers)

- Privacy & data protection: Data Protection Act; Telecommunications Act
- Intellectual property rights: Copyright Act; Neighbouring Rights Act; Patent Act 1995; Database Act; Benelux Treaty on IPR (trademarks); "Chip Act"; Trade Name Act
- e-Contract: Civil Code
- Advertising & consumer protection: Civil Code
- Cybercrime & evidence: Code of Criminal Procedure
- Taxation: normal sales tax (VAT) applies online
- E-Government & public services: Administrative Code
- Unfair competition: Competition Act
- Insurance: Civil Code; Financial Supervision Act
- e-Payment system: EU SEPA Directive & regulations; EU e-Money Directive
- Archives & corporate documents: Civil Code; Archive Act

Page 4: Conference Cyber law Bali

Data protection

- 1995: European Directive 1995/46/EC, the legal framework for the EU Member States
- 25 January 2012:
  • Proposal for a General Data Protection Regulation (GDPR)
  • Proposal for a Directive (criminal data)

Directive vs. Regulation:
- A Directive obliges Member States to implement it in national legislation
- A Regulation is directly enforceable in all Member States

Page 5: Conference Cyber law Bali

Helicopter view of the Directive (I)

- Personal data
- Controller, subject, processor
- "Processing"
- Processing only allowed for the "purpose"
- Exhaustive list of grounds for processing:
  • Consent
  • Performance of a contract
  • Legal obligation
  • Vital interest of the subject
  • Public interest
  • Legitimate interests of the controller

Page 6: Conference Cyber law Bali

Helicopter view of the Directive (II)

- Sensitive data
  • Race, ethnicity, political opinion, religious & philosophical beliefs, trade union membership, health, sex life
- Rights of the subject
  • Information, access, right to object
- Data processing agreement
  • Contract between controller & processor

Page 7: Conference Cyber law Bali

Helicopter view of the Directive (III)

- Transfer to third countries (outside the EU/EEA) is only allowed if:
  • There is an adequate level of protection
  • The subject has consented
  • The transfer is necessary for the execution of a contract between subject and controller
  • The transfer is necessary for the vital interests of the subject
  • (…)
- And/or(?):
  • EU model clauses (Decision 2010/87/EU)
  • Binding corporate rules (BCR) (authorization by the regulator)
  • US Safe Harbor (Decision 2000/520/EU)

Page 8: Conference Cyber law Bali

Transfer to third country (diagram slide; title only)

Page 9: Conference Cyber law Bali

Transfer under the General Data Protection Regulation

- Transfer is allowed if:
  • An adequacy decision applies (country, territory, processing sector, international organization)
  • Appropriate safeguards are in place (BCR, model clauses)
  • A derogation applies (consent, contract performance, …)

Page 10: Conference Cyber law Bali

In practice

- IT administrator in Bangalore
- Transfer to a third country? "(…) transfer of personal data which are undergoing processing or are intended for processing after transfer (…)"?

Page 11: Conference Cyber law Bali

In practice

- Patriot Act: a FISA order or NSL can imply an illegal transfer to a third country
  • Leaked draft of the Regulation: "(…) no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognized or be enforceable in any manner, without prejudice to a mutual assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State."

Page 12: Conference Cyber law Bali

Other

- "Right to be forgotten and to erasure"
- Right of data portability
- Security breach notification
  • Within 24 hours to the supervisory authority
  • After that, without undue delay, to the subject
- Fines
  • Maximums of 0.5%, 1% and 2% of annual worldwide turnover

Page 13: Conference Cyber law Bali

e-Authentication
- Legal framework
- DigiD
- e-Identity ("eHerkenning")

Page 14: Conference Cyber law Bali

Legal framework

- Directive 1999/93/EC on a Community framework for electronic signatures
- New proposal: EU Regulation on electronic identification and trust services for electronic transactions (COM(2012) 238)

Page 15: Conference Cyber law Bali

Legal framework

Types of signature and their abbreviations:
- Electronic signature: ES
- Advanced electronic signature: AES
- Advanced electronic signature, based on a qualified certificate: AES + QC
- Advanced electronic signature, based on a qualified certificate, created with a secure signature creation device: AES + QC + SSCD ("qualified electronic signature")

- Certificate
  • Links a public key to a person
- SSCD
  • Software/hardware used to create an electronic signature
- Public/private keys; encryption
- Certificate Service Provider; Certificate Policy (CP); Certificate Practice Statement (CPS)

Page 16: Conference Cyber law Bali

Legal effect of the electronic signature

- Focus on the handwritten signature
- Qualified electronic signature
  • Has the equivalent legal effect of a handwritten signature
  • Is admissible as evidence
- Non-qualified electronic signature
  • "will not be denied legal effect"

Page 17: Conference Cyber law Bali

Functions of the handwritten signature vs public key encryption

- Handwritten signature:
  • Identity of the signatory
  • Intention of the signatory
- Public key encryption:
  • Identification
  • Authentication
  • Confidentiality
  • Integrity
  • Non-repudiation
  • (…)

Page 18: Conference Cyber law Bali

Broader scope of the Regulation

- Not just e-signature, but trust services in general:
  • Electronic signature
  • Electronic seal
  • Electronic time stamps
  • Electronic documents
  • Electronic delivery services
  • Website authentication
  • Electronic certificates

Page 19: Conference Cyber law Bali

A generic authentication service (diagram of the parties: user, service provider, authentication service provider)

Page 20: Conference Cyber law Bali

Authentication means

- Something you know (knowledge)
- Something you have (possession)
- Something you are (inherence)

• Single-factor authentication
• Two-factor authentication
• Multi-factor authentication

Page 21: Conference Cyber law Bali

DigiD

- Authentication system
- Provided to Dutch citizens
- Electronic communication with the government
- Mandatory for tax filings
- Verification against the Database Persons (GBA)
- Security levels
  • Basic: single factor
  • Middle: two factor
  • High: PKI chipcard

Page 22: Conference Cyber law Bali

DigiD: issue process

1. Request an account on the website
2. Activation code sent to the address as registered in the Database Persons (snail mail)

- Hereafter, DigiD can be used to log in
- National identification number (BSN)
  • Use of the BSN is strictly regulated

Page 23: Conference Cyber law Bali

DigiD fraud

- Request a DigiD account for your neighbour
- Steal the activation code from his mailbox
- Use his DigiD to apply for a social security payment
- Fill in your own bank account for the payment
- … not exactly the perfect crime

Page 24: Conference Cyber law Bali

e-Identity (eHerkenning)

- Business to Government
- Public/private cooperation
- Competitive/cooperative domain
- Two-sided market
- One digital key
- Five security levels
- See also STORK

1. Registration phase: identification procedure; issue process
2. Authentication phase: type and robustness of the token; security of the authentication mechanism

Page 25: Conference Cyber law Bali

e-Identity (eHerkenning) (diagram of the scheme's parties: company & user, service provider, broker, token issuer, authentication service, mandate register, scheme)

Page 26: Conference Cyber law Bali

Contractual relations (diagram: participant, governing body, company and service provider, linked by a participation agreement and two service agreements)

Page 27: Conference Cyber law Bali

e-Identity and the Regulation

- Cross-border acceptance of online identification
  • Within the EU
  • If the scheme is notified
  • The Member State has to accept liability and ensure availability, at any time and free of charge
- What about public/private cooperation?
- Third-country providers: treaty

Page 28: Conference Cyber law Bali

Questions