Conference Cyber law Bali



  1. The EU and the Netherlands. Dr. Marten Voulon, marten@voulon.nl. International Cyber Law Seminar, 15 & 16 January 2013, Kuta, Bali. Leiden University. The university to discover.
  2. Agenda
     - Data protection
     - e-Authentication
  3. General overview (issue: pointers)
     - Privacy & data protection: Data Protection Act; Telecommunications Act
     - Intellectual property rights: Copyright Act; Benelux Treaty on IPR (trademarks); Neighbouring Rights Act; Patent Act 1995; "Chip Act"; Database Act; Trade Name Act
     - e-Contract: Civil code
     - Advertising & consumer protection: Civil code
     - Cybercrime & evidence: Code on criminal procedure
     - Taxation: normal sales tax (VAT) applies online
     - E-Government & public services: Administrative code
     - Unfair competition: Competition Act
     - Insurance: Civil code; Financial Supervision Act
     - e-Payment system: EU SEPA-directive & regulations; EU e-Money Directive
     - Archives & corporate documents: Civil code; Archive Act
  4. Data protection
     - 1995: European Directive 1995/46/EC
       - Legal framework for EU Member States
     - 25 January 2012: Proposal for a General Data Protection Regulation (GDPR); proposal for a Directive (criminal data)
     - Directive: obliges Member States to implement into national legislation
     - Regulation: directly enforceable in all Member States
  5. Helicopter view of the Directive (I)
     - Personal data
     - Controller, subject, processor
     - "Processing"
     - Processing only allowed for the "purpose"
     - Exhaustive list of reasons for processing:
       - Consent
       - Performance of contract
       - Legal obligation
       - Vital interest of the subject
       - Public interest
       - Legitimate interests of the controller
  6. Helicopter view of the Directive (II)
     - Sensitive data
       - Race, ethnicity, political opinion, religious & philosophical beliefs, trade union membership, health, sex life
     - Rights of the subject
       - Information, access, right to object
     - Data processing agreement
       - Contract between controller & processor
  7. Helicopter view of the Directive (III)
     - Transfer to third countries (outside EU/EEA)
       - Only allowed if:
         - Adequate level of protection
         - Consent of the subject
         - Transfer is necessary for execution of a contract between subject and controller
         - Necessary for vital interests of the subject
         - (…)
       - And/or(?):
         - EU model clauses (decision 2010/87/EU)
         - Binding corporate rules (BCR) (authorization by regulator)
         - US Safe Harbor (decision 2000/520/EU)
  8. Transfer to third country (diagram slide)
  9. Transfer under the General Data Protection Regulation
     - Transfer is allowed if:
       - An adequacy decision applies
         - Country, territory, processing sector, international organization
       - Appropriate safeguards are in place
         - BCR
         - Model clauses
       - A derogation applies
         - Consent, contract performance, ….
  10. In practice
     - IT administrator in Bangalore
       - Transfer to third country?
       - "(…) transfer of personal data which are undergoing processing or are intended for processing after transfer (…)"?
  11. In practice
     - Patriot Act
       - FISA order/NSL can imply illegal transfer to third country
         - Leaked draft of the regulation: "(…) no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognized or be enforceable in any manner, without prejudice to a mutual assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State."
  12. Other
     - "Right to be forgotten and to erasure"
     - Right of data portability
     - Security breach notification
       - Within 24 hours to the supervisory authority
       - After that, without undue delay to the subject
     - Fines
       - Maximums of 0.5%, 1% and 2% of annual worldwide turnover
  13. e-Authentication
     - Legal framework
     - DigiD
     - e-Identity ("eHerkenning")
  14. Legal framework
     - Directive 1999/93/EC on a Community framework for electronic signatures
       - New proposal: EU Regulation on electronic identification and trust services for electronic transactions (COM(2012)238)
  15. Legal framework (type of signature: abbreviation)
     - Electronic signature: ES
     - Advanced electronic signature: AES
     - Advanced electronic signature based on a qualified certificate: AES + QC
     - Advanced electronic signature based on a qualified certificate, created with a secure-signature-creation-device ("qualified electronic signature"): AES + QC + SSCD
     - Public/private keys: encryption
     - Certificate: links a public key to a person
     - Certificate Service Provider: Certificate Policy (CP); Certificate Practice Statement (CPS)
     - SSCD: software/hardware used to create an electronic signature
  16. Legal effect of the electronic signature
     - Focus on handwritten signature
     - Qualified electronic signature
       - Has the equivalent legal effect of a handwritten signature
       - Is admissible as evidence
     - Non-qualified electronic signature
       - "will not be denied legal effect"
  17. Functions of the handwritten signature vs public key encryption
     - Handwritten signature: identity of the signatory; intention of the signatory
     - Public key encryption: identification; authentication; confidentiality; integrity; non-repudiation; (…)
  18. Broader scope of the Regulation
     - Not just e-signature, but trust services in general:
       - Electronic signature
       - Electronic seal
       - Electronic time stamps
       - Electronic documents
       - Electronic delivery services
       - Website authentication
       - Electronic certificates
  19. A generic authentication service (diagram slide): user, service provider, authentication service provider
  20. Authentication means
     - Something you know (knowledge)
     - Something you have (possession)
     - Something you are (inherence)
       - Single factor authentication
       - Two factor authentication
       - Multi factor authentication
  21. DigiD
     - Authentication system
       - Provided to Dutch citizens
       - Electronic communication with government
       - Mandatory for tax filings
       - Verification against Database Persons (GBA)
       - Security levels
         - Basic: single factor
         - Middle: two factor
         - High: PKI chipcard
  22. DigiD
     - Issue process
       1. Request account on website
       2. Activation code sent to the address as registered in Database Persons (snailmail)
     - Hereafter, DigiD can be used to log in
     - National identification number (BSN)
       - Use of BSN is strictly regulated
  23. DigiD fraud
     - Request DigiD account for your neighbour
     - Steal the activation code from his mailbox
     - Use his DigiD to apply for social security payment
     - Fill in your own bank account for the payment
     - … not exactly the perfect crime
  24. e-Identity (eHerkenning)
     - Business to Government
     - Public/private cooperation
       - Competitive/cooperative domain
       - Two-sided market
     - One digital key
     - Five security levels
       - See also STORK
     - 1. Registration phase: identification procedure; issue process
     - 2. Authentication phase: type and robustness of token; security of authentication mechanism
  25. e-Identity (eHerkenning) (diagram slide): company & user, service provider, scheme, mandate register, token issuer, authentication service, broker
  26. Contractual relations (diagram slide): governing body, participation agreement, service agreement, company, participant, service provider
  27. e-Identity and the Regulation
     - Cross-border acceptance of online identification
       - Within EU
       - If the scheme is notified
       - Member State has to
         - Accept liability
         - Ensure availability: at any time, free of charge
       - What about public/private cooperation?
     - Third country providers: treaty
  28. Questions
