2014 Update EU Cyber Law & Authentication Legislation
Discover the world at Leiden University
Dr. Marten Voulon ([email protected]) March 18th 2014
Developments in cyber law & regulation of national authentication systems
European Union & the Netherlands
Agenda
• Latest developments in cyber law
• New data protection legislation
• Regulation of authentication systems
• New legal framework on:
  • electronic identification; and
  • trust services
The European Union
• 28 member states
• Treaty of Lisbon
  • 1 December 2009
  • Treaty on the EU
  • Treaty on the functioning of the EU
Overview of EU legislation (I)

Subject                       Regulation
Privacy & data protection     • Directive 1995/46 (general data protection)
                              • Directive 2002/59 (e-privacy)
                              • Regulation COM (2012)11 (draft)
Intellectual property rights  • Directive 2001/29 (copyright)
                              • Directive 2009/24 (software)
                              • Directive 2008/95 (trademarks)
                              • Regulation 207/2009 (community trade mark)
                              • Directive 1987/5 (semiconductors)
                              • Regulation 1257/2012 (patents)
eContracting                  • Directive 2000/31 (e-commerce)
                              • Directive 2002/65 (distance selling of financial services)
                              • Directive 2011/83 (consumer rights)
Online authentication         • Directive 1999/93 (electronic signatures)
                              • Regulation COM 2012(138) (electronic identification & trust services) (draft)
Overview of EU legislation (II)

Subject                   Regulation
Payment                   • Directive 2007/64 (payment services, SEPA)
                          • Regulation 924/2009 (cross-border payments)
                          • Regulation 260/2012 (credit transfers & direct debits)
Electronic communication  • Directive 2002/21 (electronic communication)
                          • Directive 2002/19 (access & interconnection)
                          • Directive 2002/20 (authorization)
                          • Directive 2002/22 (universal service)

“directive”: needs to be implemented through national legislation
“regulation”: directly enforceable in EU member states
Data protection
• 1995
  • European Directive 1995/46/EC
  • Legal framework for EU Member States
• 2012: new draft legislation
  • Proposal for a General Data Protection Regulation (GDPR)
  • Proposal for a Directive (criminal data)
  • 4.373 amendments by EU parliament
  • Effective in 2016 or later?
Basics of EU data protection law (I)
• Personal data
• Controller, subject, processor
• “Processing”
• Processing only allowed for the “purpose”
• Exhaustive list of reasons for processing:
  • Consent
  • Performance of contract
  • Legal obligation
  • Vital interest of the subject
  • Public interest
  • Legitimate interests of the controller
Basics of EU data protection law (II)
• Sensitive data
  • Race, ethnicity, political opinion, religious & philosophical beliefs, trade union membership, health, sex life
• Rights of the subject
  • Information, access, right to object
• Data processing agreement
  • Contract between controller & processor
Basics of EU data protection law (III)
• Transfer to third countries (outside EU/EEA)
• Only allowed if:
  • Adequate level of protection
  • Consent of the subject
  • Transfer is necessary for execution of contract between subject and controller
  • Necessary for vital interests of subject
  • (…)
• Or:
  • EU model clauses (decision 2010/87/EU)
  • Binding corporate rules (BCR) (authorization by regulator)
  • US Safe Harbor (decision 2000/520/EU)
Changes to data protection law (I)
• Transparency, governance, accountability:
  • Transparent, accessible policy needs to be in place
  • Processes need to be documented
• Higher penalties; three categories
  • Max. € 250.000,- or 0,5 % of annual world-wide turnover
  • Max. € 500.000,- or 1 % of annual world-wide turnover
  • Max. € 1.000.000,- or 2 % of annual world-wide turnover
• Mandatory data protection officer
• Consent for data processing needs to be more explicit
Changes to data protection law (II)
• More rights for the data subject
  • Right to be forgotten
  • Processing personal data of children subject to parental consent
  • Data portability
• Transfer outside EU/EEA
  • Adequacy decision by European Commission
  • Patriot Act
    • FISA order/NSL can imply illegal transfer to third country
  • Leaked draft of the GDPR:
    • Assisting foreign agencies only allowed in case of mutual legal assistance treaty (MLAT)
Security breach notifications

Legal basis: Directive 2002/59
  Breach:  Particular risk of a breach of security of the network
  Term:    -
  To whom: Subscriber

Legal basis: GDPR
  Breach:  Breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
  Term:    Without undue delay and, where feasible, not later than 24 hours after having become aware of it
  To whom: Regulator

Legal basis: GDPR
  Breach:  (as above)
  Term:    Without undue delay if the breach is likely to adversely affect the protection of personal data or privacy of the subject
  To whom: Data subject

Legal basis: Draft eID Regulation
  Breach:  Breach of security or loss of integrity, significant impact
  Term:    Without undue delay and, where feasible, not later than 24 hours after having become aware of it
  To whom: Regulator

Legal basis: Draft directive on network and information security
  Breach:  Any circumstance or event having an actual adverse effect on security, if significant impact
  Term:    -
  To whom: Regulator
Legal framework e-authentication
Moving from the directive to the new regulation:
• Directive 1999/93 on electronic signatures
• Regulation on electronic identification and trust services
  • Final draft: February 27th 2014
  • Expected entry into force: July 1st 2016
DigiD
• Authentication system
  • Provided to Dutch citizens
  • Electronic communication with government
  • Mandatory for tax filings
  • Verification against Database Persons (GBA)
• Security levels
  • Basic: single factor (username & password)
  • Middle: two factor (username, password & SMS-code)
  • High: PKI chipcard
eRecognition / ‘eHerkenning’
• Business to Government
• Public/private cooperation
  • Competitive/cooperative domain
  • Two-sided market
• Five assurance levels
The 1999 Directive
• Advanced electronic signature
  • Based on qualified certificate
  • Using secure device
  • Same effect as handwritten signature
• However: signing ≠ identification/authentication
The new regulation
• Electronic identification
  • Member states must “recognize and accept” electronic identification
  • Prerequisite: proper notification of an electronic identification scheme
• Trust services
  • Electronic signature
  • Electronic seal
  • Electronic time stamp
  • Electronic registered delivery service
  • Electronic certificate
  • Website authentication
Electronic identification
• Background
  • EU Services Directive
  • Promote cross-border provision of services in internal market
  • Service provider should be able to deal with all formalities in another member state through an electronic point of single contact (PSC)
  • PSCs require identification/authentication, signatures
• Practical situations
  • Company wants to provide services in another member state
  • Student wants to enroll in university in another member state
  • Company wants to electronically compete in public tender in another member state
Electronic identification
• Definitions of the regulation
  • Electronic identification
    • The process of using electronic person identification data, uniquely representing a person
  • Authentication
    • Electronic process allowing for the confirmation of electronic identification (…)
  • Electronic identification means
    • Material or immaterial unit containing person identification data
    • Used for authentication for services online
    • Limitation to eGovernment deleted in final draft
  • Electronic identification scheme
    • System for electronic identification under which electronic identification means are issued to persons
Electronic identification
• Public sector bodies are obliged to recognize electronic identification means and authentication for cross-border online services, if:
  • The means are issued under an electronic identification scheme which is included in the European Commission’s list
  • The assurance level of the means is equal to, or higher than, the level required by the public body
  • And the assurance level is ‘substantial’ or ‘high’
Conditions for notification
• Electronic identification schemes are eligible, if:
  • The electronic identification means are issued by, on behalf of, or independently of the Member State
  • The scheme meets the requirements of at least one assurance level
  • The Member State ensures the person identification data are linked to the person
  • The issuing party ensures the electronic identification means are linked to the person
Assurance levels (I)
• National eID schemes must specify assurance levels
• Low
  • Limited confidence as to asserted identity
  • Controls to decrease risk of misuse or alteration of identity
• Substantial
  • Substantial confidence as to asserted identity
  • Controls to decrease substantially the risk of misuse or alteration of identity
• High
  • Higher confidence as to asserted identity
  • Controls to prevent misuse or alteration of identity
Assurance levels (II)
[Diagram: actors User, Relying party and Trust service provider; steps 1. Registration, 2. Issuing, 3. Authentication, 4. Validation]
Assurance levels (III)
EU STORK project:

QAA Level  Description
1          No or minimal assurance
2          Low assurance
3          Substantial assurance
4          High assurance

• Depending on:
  • Registration phase
    • Identification procedure
    • Identity issuing process
    • Quality of the issuing entity
  • Electronic authentication phase
    • Type and robustness of the identity credential
    • Security of authentication mechanism
Interoperability
• National eID schemes must be interoperable
• EU shall establish an interoperability framework
• Consisting of:
  • Reference to minimum technical requirements related to assurance levels
  • Mapping of the national schemes to the assurance levels
  • Reference to minimum technical requirements for interoperability
  • (…)
Trust services (I)
• Trust service provider (TSP)
  • Provider of services related to:
    • Electronic signatures
    • Electronic seals
    • Electronic time stamp
    • Electronic registered delivery service
    • Website authentication
• Qualified/non-qualified
  • If qualified then ‘stronger’ legal effect
• New obligations as to security requirements
  • Applies to all TSPs (qualified and non-qualified)
Trust services (II)
• Qualified TSP
  • Two-yearly audit
  • Requirements for issuing qualified certificates
  • Identity of the user should be verified:
    • By physical presence, or
    • Remotely, using electronic identification means which were issued after verifying the identity through physical appearance, while meeting assurance levels ‘substantial’ or ‘high’
    • By other methods providing equivalent assurance
• Revocation
  • Revocation of qualified certificates must take place within 24 hours
Trust services (III)
• Electronic signature
  • Electronic data attached to or logically associated with other electronic data used by the signatory to sign
  • (was: “which serve as a method of authentication”)
• Similar approach as the directive
  • Equivalent legal effect of a handwritten signature (for qualified e-sig)
  • Shall not be denied legal effect or admissibility as evidence
  • Reference formats for use for public services
Trust services (IV)
• Electronic seal
  • Electronic data attached to or logically associated with other electronic data to ensure the origin and integrity of the associated data
  • Similar to electronic signature
• Legal effect:
  • Legal presumption of ensuring origin and integrity (for qualified e-Seal)
  • Shall not be denied legal effect or admissibility as evidence
  • Recognized and accepted in all Member States (for qualified e-Seal)
  • Reference formats for use for public services
Trust services (V)
• Electronic time stamp
  • Electronic data binding other electronic data to a particular time, establishing evidence that these data existed at that time
• Qualified electronic time stamp
  • Binds date & time to data in such a manner as to reasonably preclude the possibility of the data being changed undetectably
  • Based on accurate time source linked to Coordinated Universal Time
  • Signed/sealed by the qTSP using advanced e-sig or e-seal, or equivalent
• Legal effect
  • Presumption of ensuring the accuracy of the date and time it indicates and the integrity of the data to which the date and time are bound (qualified)
  • Shall not be denied legal effect or admissibility as evidence
Trust services (VI)
• Electronic registered delivery service
  • Makes it possible to transmit data between third parties by electronic means
  • Provides evidence relating to the handling of the transmitted data
    • Including proof of sending and receiving the data
  • Which protects transmitted data against the risk of loss, theft, damage or any unauthorized alterations
• A qualified electronic delivery service (a.o.)
  • Ensures with high level of confidence the identity of the sender
  • Ensures identification of the addressee
  • Secured by advanced e-sig or e-seal
  • Protected by qualified electronic time stamp
Trust services (VII)
• Legal effect of the registered electronic delivery service
• For qualified electronic delivery services:
  • ‘presumption of’ (correctness of):
    • The integrity of the data
    • Sending by the identified sender and receiving by the identified addressee of the data
    • The accuracy of the date and time of sending and receiving
  • Admissible as evidence regarding integrity & certainty of date & time
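A worked model of the mechanisms behind the seal (Trust services IV), the qualified time stamp (V) and the registered delivery evidence built on both (VI and VII), added here as an example for this transcript; it is not code from the slides, from the regulation or from any real trust service provider. A toy TSP issues a time stamp that binds a SHA-256 hash of the data to a UTC time and signs the pair, which is the role the e-seal plays in the slides; a registered delivery service then records proof of sending as sender, addressee and that stamp, sealed again by the service, so that neither the data, the time nor the parties can be changed without the verification failing. The TSP type, the field names, the "tst" and "evidence" domain labels and the length-prefixed digest layout are assumptions made for this example; a real qualified TSP issues RFC 3161 tokens and standardized seal formats, and its qualified status comes from audit and identity verification, which code cannot supply.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// TSP is an assumed toy trust service provider: an ECDSA P-256 key and a time source (a qualified TSP must link it to UTC).
type TSP struct {
	key *ecdsa.PrivateKey
	Pub *ecdsa.PublicKey
	Now func() time.Time
}

func NewTSP(now func() time.Time) (*TSP, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TSP{key: key, Pub: &key.PublicKey, Now: now}, nil
}

// digest hashes a UTC time, then each field with a length prefix so field boundaries cannot be shifted (constructed layout, not RFC 3161).
func digest(t time.Time, fields ...[]byte) []byte {
	h := sha256.New()
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(t.Unix()))
	h.Write(n[:])
	for _, f := range fields {
		binary.BigEndian.PutUint64(n[:], uint64(len(f)))
		h.Write(n[:])
		h.Write(f)
	}
	return h.Sum(nil)
}

// TimeStamp binds a hash of the data to a UTC time; the TSP's signature over the pair is the seal.
type TimeStamp struct {
	DataHash [32]byte
	Time     time.Time
	Sig      []byte
}

func (t *TSP) IssueTimeStamp(data []byte) (TimeStamp, error) {
	h := sha256.Sum256(data)
	now := t.Now().UTC().Truncate(time.Second)
	sig, err := ecdsa.SignASN1(rand.Reader, t.key, digest(now, []byte("tst"), h[:]))
	return TimeStamp{DataHash: h, Time: now, Sig: sig}, err
}

// VerifyTimeStamp recomputes the hash of data and checks the seal over hash and time.
func VerifyTimeStamp(pub *ecdsa.PublicKey, ts TimeStamp, data []byte) bool {
	if sha256.Sum256(data) != ts.DataHash {
		return false
	}
	return ecdsa.VerifyASN1(pub, digest(ts.Time, []byte("tst"), ts.DataHash[:]), ts.Sig)
}

// DeliveryEvidence is the proof of sending/receiving a registered delivery service keeps: who sent what to whom, time-stamped, then sealed.
type DeliveryEvidence struct {
	Event, Sender, Addressee string // Event is "sent" or "received"
	Stamp                    TimeStamp
	Seal                     []byte
}

func evidenceDigest(ev DeliveryEvidence) []byte {
	return digest(ev.Stamp.Time, []byte("evidence"), []byte(ev.Event), []byte(ev.Sender),
		[]byte(ev.Addressee), ev.Stamp.DataHash[:], ev.Stamp.Sig)
}

func (t *TSP) RecordDelivery(event, sender, addressee string, message []byte) (DeliveryEvidence, error) {
	stamp, err := t.IssueTimeStamp(message)
	if err != nil {
		return DeliveryEvidence{}, err
	}
	ev := DeliveryEvidence{Event: event, Sender: sender, Addressee: addressee, Stamp: stamp}
	ev.Seal, err = ecdsa.SignASN1(rand.Reader, t.key, evidenceDigest(ev))
	return ev, err
}

// VerifyDelivery checks the service's seal on the record and the time stamp inside it against the claimed message.
func VerifyDelivery(pub *ecdsa.PublicKey, ev DeliveryEvidence, message []byte) bool {
	return VerifyTimeStamp(pub, ev.Stamp, message) && ecdsa.VerifyASN1(pub, evidenceDigest(ev), ev.Seal)
}

func main() {
	tsp, _ := NewTSP(time.Now)                               // error handling omitted in this demo only
	msg := []byte("constructed sample: tender submission") // constructed input
	ev, _ := tsp.RecordDelivery("sent", "sender@example.invalid", "addressee@example.invalid", msg)
	fmt.Println("evidence valid:", VerifyDelivery(tsp.Pub, ev, msg))
	ev.Addressee = "other@example.invalid"
	fmt.Println("after changing addressee:", VerifyDelivery(tsp.Pub, ev, msg))
}
```

Run with `go run`: the first line prints true and the second false, because the addressee is covered by the service's seal. The injectable `Now` function exists so that a verifier or test can pin the time source, which is also where a real deployment's "accurate time source linked to Coordinated Universal Time" requirement would be enforced. The code only shows the technical presumption the slides describe (data, time and parties cannot be altered without the seal failing); the legal presumption attaches only when the issuer is a qualified TSP.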
Trust services (VIII)
• Website authentication
  • Requirements for qualified website authentication certificates
  • Remember: for qualified certificates, identity needs to be verified by physical presence
  • Legal effect?
Trust services (IX)
• Electronic document
  • Any content stored in electronic form, in particular text or sound or audiovisual recording
  • Legal effect
    • Shall not be denied as evidence solely on the grounds that it is in electronic form
  • Trust service?
Trust services (X)
• TSPs outside EU
  • Their trust services must be recognized as equivalent to qualified trust services, if recognized under a treaty
Questions?