Discover the world at Leiden University
Developments in cyber law & regulation of national authentication systems: European Union & the Netherlands
Dr. Marten Voulon (marten@voulon.nl), March 18th 2014
2014 Update EU Cyber Law & Authentication Legislation
Update EU Cyber Law, Data Protection & Authentication Legislation
Slide transcript

Slide 1: Developments in cyber law & regulation of national authentication systems
European Union & the Netherlands
Dr. Marten Voulon (marten@voulon.nl), March 18th 2014

Slide 2: Agenda
• Latest developments in cyber law
• New data protection legislation
• Regulation of authentication systems
• New legal framework on:
  • electronic identification; and
  • trust services

Slide 3: The European Union
• 28 member states
• Treaty of Lisbon
  • 1 December 2009
  • Treaty on the EU
  • Treaty on the functioning of the EU

Slide 4: Overview of EU legislation (I)
Privacy & data protection:
• Directive 1995/46 (general data protection)
• Directive 2002/59 (e-privacy)
• Regulation COM (2012)11 (draft)
Intellectual property rights:
• Directive 2001/29 (copyright)
• Directive 2009/24 (software)
• Directive 2008/95 (trademarks)
• Regulation 207/2009 (community trade mark)
• Directive 1987/5 (semiconductors)
• Regulation 1257/2012 (patents)
eContracting:
• Directive 2000/31 (e-commerce)
• Directive 2002/65 (distance selling of financial services)
• Directive 2011/83 (consumer rights)
Online authentication:
• Directive 1999/93 (electronic signatures)
• Regulation COM 2012(138) (electronic identification & trust services) (draft)

Slide 5: Overview of EU legislation (II)
Payment:
• Directive 2007/64 (payment services, SEPA)
• Regulation 924/2009 (cross-border payments)
• Regulation 260/2012 (credit transfers & direct debits)
Electronic communication:
• Directive 2002/21 (electronic communication)
• Directive 2002/19 (access & interconnection)
• Directive 2002/20 (authorization)
• Directive 2002/22 (universal service)
"Directive": needs to be implemented through national legislation.
"Regulation": directly enforceable in EU member states.

Slide 6: Data protection
• 1995
  • European Directive 1995/46/EC
  • Legal framework for EU Member States
• 2012: new draft legislation
  • Proposal for a General Data Protection Regulation (GDPR)
  • Proposal for a Directive (criminal data)
  • 4.373 amendments by EU parliament
  • Effective in 2016 or later?

Slide 7: Basics of EU data protection law (I)
• Personal data
• Controller, subject, processor
• "Processing"
• Processing only allowed for the "purpose"
• Exhaustive list of reasons for processing:
  • Consent
  • Performance of contract
  • Legal obligation
  • Vital interest of the subject
  • Public interest
  • Legitimate interests of the controller

Slide 8: Basics of EU data protection law (II)
• Sensitive data
  • Race, ethnicity, political opinion, religious & philosophical beliefs, trade union membership, health, sex life
• Rights of the subject
  • Information, access, right to object
• Data processing agreement
  • Contract between controller & processor

Slide 9: Basics of EU data protection law (III)
• Transfer to third countries (outside EU/EEA)
  • Only allowed if:
    • Adequate level of protection
    • Consent of the subject
    • Transfer is necessary for execution of contract between subject and controller
    • Necessary for vital interests of subject
    • (…)
  • Or:
    • EU model clauses (decision 2010/87/EU)
    • Binding corporate rules (BCR) (authorization by regulator)
    • US Safe Harbor (decision 2000/520/EU)

Slide 10: Changes to data protection law (I)
• Transparency, governance, accountability:
  • Transparent, accessible policy needs to be in place
  • Processes need to be documented
• Higher penalties; three categories:
  • Max. € 250.000,- or 0,5 % of annual world-wide turnover
  • Max. € 500.000,- or 1 % of annual world-wide turnover
  • Max. € 1.000.000,- or 2 % of annual world-wide turnover
• Mandatory data protection officer
• Consent for data processing needs to be more explicit

Slide 11: Changes to data protection law (II)
• More rights for the data subject
  • Right to be forgotten
  • Processing personal data of children subject to parental consent
  • Data portability
• Transfer outside EU/EEA
  • Adequacy decision by European Commission
  • Patriot Act
    • FISA order/NSL can imply illegal transfer to third country
  • Leaked draft of the GDPR:
    • Assisting foreign agencies only allowed in case of mutual legal assistance treaty (MLAT)

Slide 12: Security breach notifications
Legal basis: Directive 2002/59
  Breach: particular risk of a breach of security of the network
  Term: -
  To whom: subscriber
Legal basis: GDPR
  Breach: breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
  Term: without undue delay and, where feasible, not later than 24 hours after having become aware of it
  To whom: regulator
Legal basis: GDPR
  Breach: as above
  Term: without undue delay, if the breach is likely to adversely affect the protection of personal data or privacy of the subject
  To whom: data subject
Legal basis: Draft eID Regulation
  Breach: breach of security or loss of integrity, with significant impact
  Term: without undue delay and, where feasible, not later than 24 hours after having become aware of it
  To whom: regulator
Legal basis: Draft directive on network and information security
  Breach: any circumstance or event having an actual adverse effect on security, if significant impact
  Term: -
  To whom: regulator
Slide 13: Legal framework e-authentication
Moving from the directive to the new regulation:
• Directive 1999/93 on electronic signatures
• Regulation on electronic identification and trust services
  • Final draft: February 27th 2014
  • Expected entry into force: July 1st 2016

Slide 14: DigiD
• Authentication system
  • Provided to Dutch citizens
  • Electronic communication with government
  • Mandatory for tax filings
  • Verification against Database Persons (GBA)
• Security levels
  • Basic: single factor (username & password)
  • Middle: two factor (username, password & SMS code)
  • High: PKI chipcard

Slide 15: eRecognition / 'eHerkenning'
• Business to Government
• Public/private cooperation
• Competitive/cooperative domain
• Two-sided market
• Five assurance levels

Slide 16: The 1999 Directive
• Advanced electronic signature
  • Based on qualified certificate
  • Using secure device
• Same effect as handwritten signature
• However, signing ≠ identification/authentication

Slide 17: The new regulation
Electronic identification:
• Member states must "recognize and accept" electronic identification
• Prerequisite: proper notification of an electronic identification scheme
Trust services:
• Electronic signature
• Electronic seal
• Electronic time stamp
• Electronic registered delivery service
• Electronic certificate
• Website authentication

Slide 18: Electronic identification
• Background
  • EU Services Directive
    • Promote cross-border provision of services in internal market
    • Service provider should be able to deal with all formalities in another member state through an electronic point of single contact (PSC)
    • PSCs require identification/authentication, signatures
• Practical situations
  • Company wants to provide services in another member state
  • Student wants to enroll in university in another member state
  • Company wants to electronically compete in public tender in another member state

Slide 19: Electronic identification
• Definitions of the regulation
  • Electronic identification: the process of using electronic person identification data, uniquely representing a person
  • Authentication: electronic process allowing for the confirmation of electronic identification (…)
  • Electronic identification means: material or immaterial unit containing person identification data, used for authentication for services online (limitation to eGovernment deleted in final draft)
  • Electronic identification scheme: system for electronic identification under which electronic identification means are issued to persons

Slide 20: Electronic identification
• Public sector bodies are obliged to recognize electronic identification means and authentication for cross-border online services, if:
  • The means are issued under an electronic identification scheme which is included in the European Commission's list
  • The assurance level of the means is equal to, or higher than, the level required by the public body
  • And the assurance level is 'substantial' or 'high'

Slide 21: Conditions for notification
• Electronic identification schemes are eligible, if:
  • The electronic identification means are issued by, on behalf of, or independently of the Member State
  • The scheme meets the requirements of at least one assurance level
  • The Member State ensures the person identification data are linked to the person
  • The issuing party ensures the electronic identification means are linked to the person

Slide 22: Assurance levels (I)
• National eID schemes must specify assurance levels
  • Low: limited confidence as to asserted identity; controls to decrease risk of misuse or alteration of identity
  • Substantial: substantial confidence as to asserted identity; controls to decrease substantially the risk of misuse or alteration of identity
  • High: higher confidence as to asserted identity; controls to prevent misuse or alteration of identity
Slide 23: Assurance levels (II)
[Diagram: parties User, Relying party and Trust service provider; steps 1. Registration, 2. Issuing, 3. Authentication, 4. Validation]

Slide 24: Assurance levels (III)
EU STORK project, QAA levels:
  Level 1: no or minimal assurance
  Level 2: low assurance
  Level 3: substantial assurance
  Level 4: high assurance
• Depending on:
  • Registration phase
    • Identification procedure
    • Identity issuing process
    • Quality of the issuing entity
  • Electronic authentication phase
    • Type and robustness of the identity credential
    • Security of authentication mechanism

Slide 25: Interoperability
• National eID schemes must be interoperable
• EU shall establish an interoperability framework, consisting of:
  • Reference to minimum technical requirements related to assurance levels
  • Mapping of the national schemes to the assurance levels
  • Reference to minimum technical requirements for interoperability
  • (…)

Slide 26: Trust services (I)
• Trust service provider (TSP): provider of services related to
  • Electronic signatures
  • Electronic seals
  • Electronic time stamp
  • Electronic registered delivery service
  • Website authentication
• Qualified/non-qualified
  • If qualified, then 'stronger' legal effect
• New obligations as to security requirements
  • Apply to all TSPs (qualified and non-qualified)

Slide 27: Trust services (II)
• Qualified TSP
  • Two-yearly audit
  • Requirements for issuing qualified certificates
    • Identity of the user should be verified:
      • By physical presence, or
      • Remotely, using electronic identification means which were issued after verifying the identity through physical appearance, while meeting assurance levels 'substantial' or 'high', or
      • By other methods providing equivalent assurance
  • Revocation
    • Revocation of qualified certificates must take place within 24 hours

Slide 28: Trust services (III)
• Electronic signature
  • Electronic data attached to or logically associated with other electronic data used by the signatory to sign
  • (was: "which serve as a method of authentication")
• Similar approach as the directive
  • Equivalent legal effect of a handwritten signature (for qualified e-sig)
  • Shall not be denied legal effect or admissibility as evidence
• Reference formats for use for public services

Slide 29: Trust services (IV)
• Electronic seal
  • Electronic data attached to or logically associated with other electronic data to ensure the origin and integrity of the associated data
  • Similar to electronic signature
• Legal effect:
  • Legal presumption of ensuring origin and integrity (for qualified e-seal)
  • Shall not be denied legal effect or admissibility as evidence
  • Recognized and accepted in all Member States (for qualified e-seal)
• Reference formats for use for public services

Slide 30: Trust services (V)
• Electronic time stamp
  • Electronic data binding other electronic data to a particular time, establishing evidence that these data existed at that time
• Qualified electronic time stamp
  • Binds date & time to data in such a manner as to reasonably preclude the possibility of the data being changed undetectably
  • Based on an accurate time source linked to Coordinated Universal Time
  • Signed/sealed by the qualified TSP using advanced e-sig or e-seal, or equivalent
• Legal effect
  • Presumption of ensuring the accuracy of the date and time it indicates and the integrity of the data to which the date and time are bound (qualified)
  • Shall not be denied legal effect or admissibility as evidence
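Slides 29 and 30 define an electronic seal (origin and integrity of data) and a qualified electronic time stamp (date and time bound to data so that undetected change is precluded, using a UTC-linked time source, signed or sealed by the qualified TSP). The following Python model is an added example, not part of the slides and not any TSP's software. It assumes a constructed secret key, and uses HMAC-SHA256 as a stand-in for the advanced e-signature or e-seal a real qualified TSP would apply with an asymmetric key; the function names (electronic_seal, verify_seal, qualified_time_stamp, verify_time_stamp, demo) are this example's own. It shows why both constructs bind a digest of the data rather than the data itself, why the time must be UTC, and what a relying party's verification must reject.

```python
"""Model of an electronic seal and a qualified electronic time stamp.

Added example only: the key is constructed and HMAC-SHA256 stands in for the
advanced e-signature / e-seal a qualified TSP would produce with an
asymmetric key (so that verifiers would not need a secret).
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed key for the hypothetical qualified TSP of this example.
TSP_KEY = b"constructed-example-key-not-for-real-use"


def _bind(fields: dict, key: bytes) -> dict:
    """Return the fields plus a MAC over their canonical JSON encoding."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return {**fields, "mac": hmac.new(key, canonical, "sha256").hexdigest()}


def _check(token: dict, key: bytes) -> bool:
    """Recompute the MAC over every field except 'mac'; compare in constant time."""
    fields = {k: v for k, v in token.items() if k != "mac"}
    expected = _bind(fields, key)["mac"]
    return hmac.compare_digest(expected, token.get("mac", ""))


def electronic_seal(data: bytes, creator: str, key: bytes = TSP_KEY) -> dict:
    """Electronic seal: binds the creator (origin) to a digest of the data
    (integrity). Only the digest is bound, so the sealed content itself never
    has to be disclosed to the TSP or stored in the seal."""
    return _bind({"type": "seal", "creator": creator,
                  "sha256": hashlib.sha256(data).hexdigest()}, key)


def verify_seal(data: bytes, token: dict, expected_creator: str,
                key: bytes = TSP_KEY) -> bool:
    """True only if the MAC holds, the digest matches the presented data and the
    creator named in the seal is the one the relying party expects."""
    return (token.get("type") == "seal"
            and token.get("creator") == expected_creator
            and token.get("sha256") == hashlib.sha256(data).hexdigest()
            and _check(token, key))


def qualified_time_stamp(data: bytes, when: datetime, key: bytes = TSP_KEY) -> dict:
    """Qualified time stamp: binds a UTC date and time to a digest of the data.
    A naive or non-UTC time is rejected, mirroring the requirement that the
    time source be linked to Coordinated Universal Time."""
    if when.tzinfo is None or when.utcoffset() != timedelta(0):
        raise ValueError("time stamp must be expressed in UTC")
    return _bind({"type": "timestamp", "utc_time": when.isoformat(),
                  "sha256": hashlib.sha256(data).hexdigest()}, key)


def verify_time_stamp(data: bytes, token: dict, key: bytes = TSP_KEY) -> bool:
    """True only if neither the data nor the bound time changed since issuance."""
    return (token.get("type") == "timestamp"
            and token.get("sha256") == hashlib.sha256(data).hexdigest()
            and _check(token, key))


def demo() -> dict:
    """Run the checks a relying party would make on genuine and altered tokens."""
    contract = b"Constructed sample: service agreement between A and B"  # constructed input
    issued_at = datetime(2014, 3, 18, 9, 0, tzinfo=timezone.utc)

    seal = electronic_seal(contract, "Example Company BV")
    stamp = qualified_time_stamp(contract, issued_at)

    altered_data = contract + b" (amended)"
    backdated = dict(stamp, utc_time="2014-01-01T00:00:00+00:00")
    try:
        qualified_time_stamp(contract, datetime(2014, 3, 18, 9, 0))  # naive time
        naive_rejected = False
    except ValueError:
        naive_rejected = True

    return {
        "seal_ok": verify_seal(contract, seal, "Example Company BV"),
        "seal_wrong_creator": verify_seal(contract, seal, "Someone Else"),
        "seal_altered_data": verify_seal(altered_data, seal, "Example Company BV"),
        "stamp_ok": verify_time_stamp(contract, stamp),
        "stamp_altered_data": verify_time_stamp(altered_data, stamp),
        "stamp_backdated": verify_time_stamp(contract, backdated),
        "stamp_naive_rejected": naive_rejected,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point the slides make in legal terms shows up directly in the code: the seal's presumption of origin depends on the relying party checking the creator field, not just the MAC, and the time stamp's presumption of accuracy depends on the time being inside the signed fields, so a backdated copy fails verification exactly like altered data.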
Slide 31: Trust services (VI)
• Electronic registered delivery service
  • Makes it possible to transmit data between third parties by electronic means
  • Provides evidence relating to the handling of the transmitted data
    • Including proof of sending and receiving the data
  • Protects transmitted data against the risk of loss, theft, damage or any unauthorized alterations
• A qualified electronic delivery service (among other things):
  • Ensures with a high level of confidence the identity of the sender
  • Ensures identification of the addressee
  • Secured by advanced e-sig or e-seal
  • Protected by qualified electronic time stamp

Slide 32: Trust services (VII)
• Legal effect of the registered electronic delivery service
  • For qualified electronic delivery services, 'presumption of' (correctness of):
    • The integrity of the data
    • Sending by the identified sender and receiving by the identified addressee of the data
    • The accuracy of the date and time of sending and receiving
  • Admissible as evidence regarding integrity & certainty of date & time

Slide 33: Trust services (VIII)
• Website authentication
  • Requirements for qualified website authentication certificates
  • Remember: for qualified certificates, identity needs to be verified by physical presence
  • Legal effect?

Slide 34: Trust services (IX)
• Electronic document
  • Any content stored in electronic form, in particular text or sound or audiovisual recording
• Legal effect
  • Shall not be denied as evidence solely on the grounds that it is in electronic form
• Trust service?

Slide 35: Trust services (X)
• TSPs outside EU
  • Their trust services must be recognized as equivalent to qualified trust services, if recognized under a treaty

Slide 36: Questions?