1. The EU and the Netherlands
Dr. Marten Voulon
marten@voulon.nl
International Cyber Law Seminar
15 & 16 January 2013, Kuta, Bali
Leiden University. The university to discover.
3. General overview
Issue: Pointers
Privacy & data protection: Data Protection Act; Telecommunications Act
Intellectual property rights: Copyright Act; Neighbouring Rights Act; Patent Act 1995; Database Act; Benelux Treaty on IPR (trademarks); “Chip Act”; Trade Name Act
e-Contract: Civil code
Advertising & consumer protection: Civil code
Cybercrime & evidence: Code on criminal procedure
Taxation: Normal sales tax (VAT) applies online
E-Government & public services: Administrative code
Unfair competition: Competition Act
Insurance: Civil code; Financial Supervision Act
e-Payment system: EU SEPA-directive & regulations; EU e-Money Directive
Archives & corporate documents: Civil code; Archive Act
4. Data protection
- 1995
- European Directive 1995/46/EC
• Legal framework for EU Member States
- 25 January 2012
- Proposal for a General Data Protection Regulation (GDPR)
- Proposal for a Directive (criminal data)
Directive: obliges Member States to implement into national legislation
Regulation: directly enforceable in all Member States
5. Helicopter view of the Directive (I)
- Personal data
- Controller, subject, processor
- “Processing”
- Processing only allowed for the “purpose”
- Exhaustive list of reasons for processing:
- Consent
- Performance of contract
- Legal obligation
- Vital interest of the subject
- Public interest
- Legitimate interests of the controller
6. Helicopter view of the Directive (II)
- Sensitive data
- Race, ethnicity, political opinion,
religious & philosophical beliefs, trade
union membership, health, sex life
- Rights of the subject
- Information, access, right to object
- Data processing agreement
- Contract between controller & processor
7. Helicopter view of the Directive (III)
- Transfer to third countries (outside EU/EEA)
- Only allowed if:
• Adequate level of protection
• Consent of the subject
• Transfer if necessary for execution of contract between
subject and controller
• Necessary for vital interests of subject
• (…)
- And/or(?):
• EU model clauses (decision 2010/87/EU)
• Binding corporate rules (BCR) (authorization by regulator)
• US Safe Harbor (decision 2000/520/EU)
8. Transfer to third country
9. Transfer under the General Data Protection Regulation
- Transfer is allowed, if:
- Adequacy decision
• Country, territory, processing sector, international
organization
- Appropriate safeguards
• BCR
• Model clauses
- Derogation applies
• Consent, contract performance, ….
10. In practice
- IT administrator in Bangalore
- Transfer to third country?
- “(…) transfer of personal data which are undergoing
processing or are intended for processing after transfer
(…)”?
11. In practice
- Patriot Act
- FISA order/NSL can imply illegal transfer to third country
• Leaked draft of the regulation:
– “(…) no decision of an administrative authority
of a third country requiring a controller or
processor to disclose personal data shall be
recognized or be enforceable in any manner,
without prejudice to a mutual assistance treaty
or an international agreement in force between
the requesting third country and the Union or a
Member State.”
12. Other
- “Right to be forgotten and to erasure”
- Right of data portability
- Security breach notification
- Within 24 hours to supervisory authority
- After that, without undue delay to subject
- Fines
- Maximums of 0,5%, 1% and 2% of annual
worldwide turnover
14. Legal framework
- Directive 1999/93/EC on a Community framework for electronic signatures
- New proposal: EU Regulation on electronic identification and trust services for electronic transactions (COM(2012)238)
15. Legal framework
Type of signature: Abbreviation
Electronic signature: ES
Advanced electronic signature: AES
Advanced electronic signature, based on a qualified certificate: AES + QC
Advanced electronic signature, based on a qualified certificate, created with a secure-signature-creation-device (“qualified electronic signature”): AES + QC + SSCD
- Public/private keys (encryption)
- Certificate
• Links a public key to a person
- Certificate Service Provider
- Certificate Policy (CP)
- Certificate Practice Statement (CPS)
- SSCD
• Software/hardware used to create an electronic signature
16. Legal effect of the electronic signature
- Focus on handwritten signature
- Qualified electronic signature
- Has equivalent legal effect of handwritten signature
- Is admissible as evidence
- Non-qualified electronic signature
- “will not be denied legal effect”
17. Functions of the handwritten signature vs public key encryption
Handwritten signature: Identity of signatory; Intention of the signatory
Public key encryption: Identification; Authentication; Confidentiality; Integrity; Non-repudiation; (…)
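To make the right-hand column of slide 17 concrete, here is an added example in Python that is not part of the seminar slides: a Lamport one-time signature built only from SHA-256 in the standard library. It is chosen because it runs without third-party packages, not because qualified-signature products use it (those typically rely on RSA or elliptic-curve schemes). The key pair, the sample message and the tampered message are all constructed here. The example shows which functions from the slide a digital signature actually delivers (authentication, integrity, non-repudiation) and which it does not (confidentiality, and identification, which is the certificate's job, not the key pair's).

```python
import hashlib
import hmac
import secrets

DIGEST_BITS = 256  # SHA-256 output length; the private key holds one pair per bit


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(message: bytes):
    """Digest of the message as a list of 256 bits, most significant bit first."""
    d = _h(message)
    return [(d[i // 8] >> (7 - (i % 8))) & 1 for i in range(DIGEST_BITS)]


def keygen():
    """Private key: 256 pairs of random 32-byte secrets. Public key: the hash of each.
    Binding this public key to a person is what a certificate does (slide 15);
    this example stops at the bare key pair."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(DIGEST_BITS)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def sign(sk, message: bytes):
    """For each digest bit, reveal the secret that matches that bit.
    Only the holder of sk can produce this (authentication). The key is
    strictly one-time: signing a second message reveals the other halves."""
    return [sk[i][bit] for i, bit in enumerate(_bits(message))]


def verify(pk, message: bytes, signature) -> bool:
    """Anyone with the public key can check the signature; the signer cannot later
    deny it as long as sk was under their sole control, which is the role of the
    SSCD (non-repudiation). Changing one byte of the message flips roughly half
    the digest bits, so the revealed secrets no longer match (integrity).
    Note that the message itself is in the clear: signing gives no confidentiality."""
    if len(signature) != DIGEST_BITS:
        return False
    ok = True
    for i, bit in enumerate(_bits(message)):
        # constant-time compare, and keep going over every bit instead of returning early
        ok &= hmac.compare_digest(_h(signature[i]), pk[i][bit])
    return ok


if __name__ == "__main__":
    # Constructed sample document (not from the slides).
    sk, pk = keygen()
    contract = b"Sample contract text: A sells B one bicycle for EUR 100."
    sig = sign(sk, contract)
    print("genuine:", verify(pk, contract, sig))
    print("tampered:", verify(pk, contract.replace(b"100", b"1000"), sig))
```

The verifier needs only the public key, which is why a third party (a court, for instance) can check a signature without any secret from the signer; confidentiality would require a separate encryption step.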
18. Broader scope of the Regulation
- Not just e-signature, but:
- Trust services in general
• Electronic signature
• Electronic seal
• Electronic time stamps
• Electronic documents
• Electronic delivery services
• Website authentication
• Electronic certificates
19. A generic authentication service
Diagram of a generic authentication service with three parties: User, Service provider, Authentication service provider.
20. Authentication means
- Something you know (knowledge)
- Something you have (possession)
- Something you are (inherence)
• Single factor authentication
• Two factor authentication
• Multi factor authentication
21. DigiD
- Authentication system
- Provided to Dutch citizens
- Electronic communication with government
- Mandatory for tax filings
- Verification against Database Persons (GBA)
- Security levels
• Basic
– Single factor
• Middle
– Two factor
• High
– PKI chipcard
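The three factors of slide 20 and the DigiD security levels (basic = single factor, middle = two factor) are shown below as an added worked example in Python; it is not part of the seminar slides and is not DigiD's implementation. It combines something you know (a password, stored only as a salted PBKDF2 hash) with something you have (a TOTP secret held on a device, per RFC 6238, computed from RFC 4226 HOTP). The account name, password and salt are constructed sample values; the TOTP secret is the RFC 6238 test-vector key so the codes can be checked against the RFC's published values.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): the HOTP counter is the number of time steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def enroll(username: str, password: str, totp_secret: bytes, salt: bytes = None) -> dict:
    """Create an account record. The password is never stored, only its salted hash;
    the TOTP secret is what the user's device holds (the possession factor)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return {
        "username": username,
        "salt": salt,
        "password_hash": _password_hash(password, salt),
        "totp_secret": totp_secret,
    }


def verify_login(account: dict, password: str, code: str, now: int, window: int = 1) -> bool:
    """Two-factor check: both the knowledge factor and the possession factor must hold.
    A window of +/- one time step tolerates clock drift between device and server."""
    # Factor 1, something you know
    password_ok = hmac.compare_digest(
        _password_hash(password, account["salt"]), account["password_hash"])
    # Factor 2, something you have. Evaluate every candidate and the password before
    # returning so the response time does not reveal which factor failed.
    code_ok = False
    for delta in range(-window, window + 1):
        expected = totp(account["totp_secret"], now + delta * 30)
        code_ok |= hmac.compare_digest(expected, code)
    return password_ok and code_ok


# Constructed sample account (not real DigiD data); secret = RFC 6238 test-vector key.
DEMO_SECRET = b"12345678901234567890"
DEMO_ACCOUNT = enroll("alice", "correct horse battery staple", DEMO_SECRET, salt=b"\x00" * 16)

if __name__ == "__main__":
    now = 59
    print("code at t=59:", totp(DEMO_SECRET, now))
    print("both factors:", verify_login(DEMO_ACCOUNT, "correct horse battery staple", totp(DEMO_SECRET, now), now))
    print("password only:", verify_login(DEMO_ACCOUNT, "correct horse battery staple", "000000", now))
```

A single-factor ("basic") check would stop after `password_ok`; the "middle" level requires both results to be true, which is why a stolen password alone does not pass `verify_login`.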
22. DigiD
- Issue process
1. Request account on website
2. Activation code sent to the address as registered in Database Persons (snail mail)
- Hereafter, DigiD can be used to log in
- National identification number (BSN)
- Use of BSN is strictly regulated
23. DigiD fraud
- Request DigiD account for your neighbour
- Steal the activation code from his mailbox
- Use his DigiD to apply for social security
payment
- Fill in your own bank account for the
payment
- … not exactly the perfect crime
24. e-Identity (eHerkenning)
- Business to Government
- Public/private cooperation
- Competitive/cooperative domain
- Two-sided market
- One digital key
- Five security levels
- See also STORK
1. Registration phase
• Identification procedure
• Issue process
2. Authentication phase
• Type and robustness of token
• Security of authentication mechanism
25. e-Identity (eHerkenning)
Diagram of the eHerkenning scheme with its parties: Company & User, Service provider, Scheme, Mandate register, Token issuer, Authentication service, Broker.
26. Contractual relations
Diagram of contractual relations: the Governing body and the Participant are bound by a participation agreement; the Company and the Participant, and the Participant and the Service provider, are each bound by a service agreement.
27. e-Identity and the Regulation
- Cross-border acceptance of online identification
- Within EU
- If the scheme is notified
- Member State has to
• Accept liability
• Ensure availability
– At any time, free of charge
What about public/private cooperation?
- Third country providers: treaty
28. Questions