Conference Cyber law Bali

The EU and the Netherlands

Dr. Marten Voulon
marten@voulon.nl

International Cyber Law Seminar
15 & 16 January 2013, Kuta, Bali

Leiden University. The university to discover.

Agenda
- Data protection
- e-Authentication


General overview
Issue Pointers

Privacy & data protection Data Protection Act
Telecommunications Act
Intellectual property rights Copyright Act Benelux Treaty on IPR
Neighbouring Rights Act (trademarks)
Patent Act 1995 “Chip Act”
Database Act Trade Name Act
e-Contract Civil code

Advertising & consumer protection Civil code

Cybercrime & evidence Code on criminal procedure

Taxation Normal sales tax (VAT) applies online

E-Government & public services Administrative code

Unfair competition Competition Act

Insurance Civil code
Financial Supervision Act
e-Payment system EU SEPA-directive & regulations, EU e-Money Directive

Archives & corporate documents Civil code
Archive Act


Data protection
- 1995
- European Directive 1995/46/EC
• Legal framework for EU Member States
- 25 January 2012
- Proposal for a General Data Protection
Regulation (GPDR)
- Proposal for a Directive (criminal data)
Directive Regulation
Obliges Member States to implement Directly enforceable in all Member
into national legislation states


Helicopter view of the Directive (I)
- Personal data
- Controller, subject, processor
- “Processing”
- Processing only allowed for the “purpose”
- Exhaustive list of reasons for processing:
- Consent
- Performance of contract
- Legal obligation
- Vital interest of the subject
- Public interest
- Legitimate interests of the controller

Helicopter view of the Directive (II)
- Sensitive data
- Race, ethnicity, political opinion,
religious & philosophical beliefs, trade
union membership, health, sex life
- Rights of the subject
- Information, access, right to object
- Data processing agreement
- Contract between controller & processor


Helicopter view of the Directive (III)
- Transfer to third countries (outside EU/EEA)
- Only allowed if:
• Adequate level of protection
• Consent of the subject
• Transfer if necessary for execution of contract between
subject and controller
• Necessary for vital interests of subject
• (…)
- And/or(?):
• EU model clauses (decision 2010/87/EU)
• Binding corporate rules (BCR) (authorization by regulator)
• US Safe Harbor (decision 2000/520/EU)


Transfer to third country


Transfer under the General Data
Protection Regulation

- Transfer is allowed, if:
- Adequacy decision
• Country, territory, processing sector, international
organization
- Appropriate safeguards
• BCR
• Model clauses
- Derogation applies
• Consent, contract performance, ….


In practice
- IT administrator in Bangalore
- Transfer to third country?
- “(…) transfer of personal data which are undergoing
processing or are intended for processing after transfer
(…)”?


In practice
- Patriot Act
- FISA order/NSL can imply illegal
transfer to third country
• Leaked draft of the regulation:
– “(…) no decision of an administrative authority
of a third country requiring a controller or
processor to disclose personal data shall be
recognized or be enforceable in any manner,
without prejudice to a mutual assistance treaty
or an international agreement in force between
the requesting third country and the Union or a
Member State.”

Other
- “Right to be forgotten and to erasure”
- Right of data portability
- Security breach notification
- Within 24 hours to supervisory authority
- After that, without undue delay to subject
- Fines
- Maximums of 0,5%, 1% and 2% of annual
worldwide turnover


e-Authentication
- Legal framework
- DigiD
- e-Identity (“eHerkenning”)


Legal framework
- Directive 1999/93/EC on a Community
framework for electronic signatures
- New proposal: EU Regulation on electronic
identification and trust services for electronic
transactions (COM(2012)238)


Legal framework
Type of signature Abbreviation
Electronic signature ES
Advanced electronic signature AES
Advanced electronic signature, AES + QC
based on a qualified certificate
Advanced electronic signature, AES + QC + SSCD
based on a qualified certificate, “qualified electronic
created with a secure-signature-creation-device signature”

Public/private keys
- Certificate Encryption
• Links a public key to a personProvider
Certificate Service
Certificate Policy (CP)
- SSCD Certificate Practice Statement (CPS)
• Software/hardware used to create an electronic signature


Legal effect of the electronic signature

- Focus on handwritten signature

- Qualified electronic signature
- Has equivalent legal effect of
handwritten signature
- Is admissible as evidence
- Non-qualified electronic signature
- “will not be denied legal effect”


Functions of the handwritten signature
vs public key encryption

Handwritten signature Public key encryption
Identity signatory Identification
Intention of the signatory Authentication
Confidentiality
Integrity
Non-repudiation
(…)


Broader scope of the Regulation
- Not just e-signature, but:
- Trust services in general
• Electronic signature
• Electronic seal
• Electronic time stamps
• Electronic documents
• Electronic delivery services
• Website authentication
• Electronic certificates


A generic authentication service
User Service provider

Authentication service
provider


Authentication means
- Something you know (knowledge)
- Something you have (possession)
- Something you are (inherence)

• Single factor authentication
• Two factor authentication
• Multi factor authentication


DigiD
- Authentication system
- Provided to Dutch citizens
- Electronic communication with government
- Mandatory for tax filings
- Verification against Database Persons (GBA)
- Security levels
• Basic
– Single factor
• Middle
– Two factor
• High
– PKI chipcard


DigiD
- Issue process
1. Request account on website
2. Activation code sent to address as
registered in Database Persons
(snailmail)
- Hereafter, DigiD can be used to log in
- National identification number (BSN)
- Use of BSN is strictly regulated


DigiD fraud
- Request DigiD account for your neighbour
- Steal the activation code from his mailbox
- Use his DigiD to apply for social security
payment
- Fill in your own bank account for the
payment
- … not exactly the perfect crime


e-Identity (eHerkenning)
- Business to Government
- Public/private cooperation
- Competitive/cooperative domain
- Two-sided market
- One digital key 1. Registration phase
Identification procedure
- Five security levels Issue process
2. Authentication phase
- See also STORK Type and robustness token
Security of authentication mechanism


e-Identity (eHerkenning)
Company & User Service provider

Scheme
Mandate
register

Token Authentication Broker
issuer service


Contractual relations
Governing body

Participation agreement

Service agreement Service agreement

Company Participant Service provider


e-Identity and the Regulation
- Cross-border acceptance of online
identification
- Within EU
- If the scheme is notified
- Member State has to
• Accept liability
• Ensure availability
– At any time, free of charge
What about public/private cooperation?
- Third country providers: treaty

Questions


Conference Cyber law Bali

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (19)

Semelhante a Conference Cyber law Bali

Semelhante a Conference Cyber law Bali (20)

Conference Cyber law Bali