2014 Update EU Cyber Law & Authentication Legislation



Update EU Cyber Law, Data Protection & Authentication Legislation


Page 1: 2014 Update EU Cyber Law & Authentication Legislation

Discover the world at Leiden University

Dr. Marten Voulon ([email protected]) March 18th 2014

Developments in cyber law & regulation of national authentication systems

European Union & the Netherlands

Page 2: Agenda

• Latest developments in cyber law
• New data protection legislation
• Regulation of authentication systems
• New legal framework on:
  • electronic identification; and
  • trust services

Page 3: The European Union

• 28 member states
• Treaty of Lisbon
  • 1 December 2009
  • Treaty on the EU
  • Treaty on the functioning of the EU

Page 4: Overview of EU legislation (I)

Subject: Privacy & data protection
• Directive 1995/46 (general data protection)
• Directive 2002/59 (e-privacy)
• Regulation COM (2012)11 (draft)

Subject: Intellectual property rights
• Directive 2001/29 (copyright)
• Directive 2009/24 (software)
• Directive 2008/95 (trademarks)
• Regulation 207/2009 (community trade mark)
• Directive 1987/5 (semiconductors)
• Regulation 1257/2012 (patents)

Subject: eContracting
• Directive 2000/31 (e-commerce)
• Directive 2002/65 (distance selling of financial services)
• Directive 2011/83 (consumer rights)

Subject: Online authentication
• Directive 1999/93 (electronic signatures)
• Regulation COM 2012(138) (electronic identification & trust services) (draft)

Page 5: Overview of EU legislation (II)

Subject: Payment
• Directive 2007/64 (payment services, SEPA)
• Regulation 924/2009 (cross-border payments)
• Regulation 260/2012 (credit transfers & direct debits)

Subject: Electronic communication
• Directive 2002/21 (electronic communication)
• Directive 2002/19 (access & interconnection)
• Directive 2002/20 (authorization)
• Directive 2002/22 (universal service)

“directive”: needs to be implemented through national legislation
“regulation”: directly enforceable in EU member states

Page 6: Data protection

• 1995
  • European Directive 1995/46/EC
  • Legal framework for EU Member States
• 2012: new draft legislation
  • Proposal for a General Data Protection Regulation (GDPR)
  • Proposal for a Directive (criminal data)
  • 4.373 amendments by EU parliament
  • Effective in 2016 or later?

Page 7: Basics of EU data protection law (I)

• Personal data
• Controller, subject, processor
• “Processing”
• Processing only allowed for the “purpose”
• Exhaustive list of reasons for processing:
  • Consent
  • Performance of contract
  • Legal obligation
  • Vital interest of the subject
  • Public interest
  • Legitimate interests of the controller

Page 8: Basics of EU data protection law (II)

• Sensitive data
  • Race, ethnicity, political opinion, religious & philosophical beliefs, trade union membership, health, sex life
• Rights of the subject
  • Information, access, right to object
• Data processing agreement
  • Contract between controller & processor

Page 9: Basics of EU data protection law (III)

• Transfer to third countries (outside EU/EEA)
  • Only allowed if:
    • Adequate level of protection
    • Consent of the subject
    • Transfer is necessary for execution of contract between subject and controller
    • Necessary for vital interests of subject
    • (…)
  • Or:
    • EU model clauses (decision 2010/87/EU)
    • Binding corporate rules (BCR) (authorization by regulator)
    • US Safe Harbor (decision 2000/520/EU)

Page 10: Changes to data protection law (I)

• Transparency, governance, accountability:
  • Transparent, accessible policy needs to be in place
  • Processes need to be documented
• Higher penalties; three categories
  • Max. € 250.000,- or 0,5 % of annual world-wide turnover
  • Max. € 500.000,- or 1 % of annual world-wide turnover
  • Max. € 1.000.000,- or 2 % of annual world-wide turnover
• Mandatory data protection officer
• Consent for data processing needs to be more explicit

Page 11: Changes to data protection law (II)

• More rights for the data subject
  • Right to be forgotten
  • Processing personal data of children subject to parental consent
  • Data portability
• Transfer outside EU/EEA
  • Adequacy decision by European Commission
  • Patriot Act
    • FISA order/NSL can imply illegal transfer to third country
  • Leaked draft of the GDPR:
    • Assisting foreign agencies only allowed in case of mutual legal assistance treaty (MLAT)

Page 12: Security breach notifications

Legal basis: Directive 2002/59
Breach: Particular risk of a breach of security of the network
Term: -
To whom: Subscriber

Legal basis: GDPR
Breach: Breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
Term: Without undue delay and, where feasible, not later than 24 hours after having become aware of it
To whom: Regulator

Legal basis: GDPR
Breach: (same as above)
Term: Without undue delay if the breach is likely to adversely affect the protection of personal data or privacy of the subject
To whom: Data subject

Legal basis: Draft eID Regulation
Breach: Breach of security or loss of integrity, significant impact
Term: Without undue delay and, where feasible, not later than 24 hours after having become aware of it
To whom: Regulator

Legal basis: Draft directive on network and information security
Breach: Any circumstance or event having an actual adverse effect on security, if significant impact
Term: -
To whom: Regulator

Page 13: Legal framework e-authentication

Moving from the directive to the new regulation:
• From: Directive 1999/93 on electronic signatures
• To: Regulation on electronic identification and trust services
  • Final draft: February 27th 2014
  • Expected entry into force: July 1st 2016

Page 14: DigiD

• Authentication system
  • Provided to Dutch citizens
  • Electronic communication with government
  • Mandatory for tax filings
  • Verification against Database Persons (GBA)
• Security levels
  • Basic
    • Single factor (username & password)
  • Middle
    • Two factor (username, password & SMS-code)
  • High
    • PKI chipcard

Page 15: eRecognition/‘eHerkenning’

• Business to Government
• Public/private cooperation
  • Competitive/cooperative domain
  • Two-sided market
• Five assurance levels

Page 16: The 1999 Directive

• Advanced electronic signature
  • Based on qualified certificate
  • Using secure device

Same effect as handwritten signature

However, signing ≠ identification/authentication

Page 17: The new regulation

Electronic identification
• Member states must “recognize and accept” electronic identification
• Prerequisite: proper notification of an electronic identification scheme

Trust services
• Electronic signature
• Electronic seal
• Electronic time stamp
• Electronic registered delivery service
• Electronic certificate
• Website authentication

Page 18: Electronic identification

• Background
  • EU Services Directive
    • Promote cross-border provision of services in internal market
    • Service provider should be able to deal with all formalities in another member state through an electronic point of single contact (PSC)
    • PSCs require identification/authentication, signatures
• Practical situations
  • Company wants to provide services in another member state
  • Student wants to enroll in university in another member state
  • Company wants to electronically compete in public tender in another member state

Page 19: Electronic identification

• Definitions of the regulation
  • Electronic identification
    • The process of using electronic person identification data, uniquely representing a person
  • Authentication
    • Electronic process allowing for the confirmation of electronic identification (…)
  • Electronic identification means
    • Material or immaterial unit containing person identification data
    • Used for authentication for services online
    • Limitation to eGovernment deleted in final draft
  • Electronic identification scheme
    • System for electronic identification under which electronic identification means are issued to persons

Page 20: Electronic identification

• Public sector bodies are obliged to recognize electronic identification means and authentication for cross-border online services, if:
  • The means are issued under an electronic identification scheme which is included in the European Commission’s list
  • The assurance level of the means is equal to, or higher than, the level required by the public body
  • And the assurance level is ‘substantial’ or ‘high’

Page 21: Conditions for notification

• Electronic identification schemes are eligible, if:
  • The electronic identification means are issued by, on behalf of, or independently of the Member State
  • The scheme meets the requirements of at least one assurance level
  • The Member State ensures the person identification data are linked to the person
  • The issuing party ensures the electronic identification means are linked to the person

Page 22: Assurance levels (I)

• National eID schemes must specify assurance levels
  • Low
    • Limited confidence as to asserted identity
    • Controls to decrease risk of misuse or alteration of identity
  • Substantial
    • Substantial confidence as to asserted identity
    • Controls to decrease substantially the risk of misuse or alteration of identity
  • High
    • Higher confidence as to asserted identity
    • Controls to prevent misuse or alteration of identity

Page 23: Assurance levels (II)

[Diagram: the parties User, Relying party and Trust service provider, connected by the steps 1. Registration, 2. Issuing, 3. Authentication, 4. Validation]

Page 24: Assurance levels (III)

EU STORK project:

QAA Level | Description
1 | No or minimal assurance
2 | Low assurance
3 | Substantial assurance
4 | High assurance

• Depending on:
  • Registration phase
    • Identification procedure
    • Identity issuing process
    • Quality of the issuing entity
  • Electronic authentication phase
    • Type and robustness of the identity credential
    • Security of authentication mechanism

Page 25: Interoperability

• National eID schemes must be interoperable
• EU shall establish an interoperability framework
  • Consisting of:
    • Reference to minimum technical requirements related to assurance levels
    • Mapping of the national schemes to the assurance levels
    • Reference to minimum technical requirements for interoperability
    • (…)

Page 26: Trust services (I)

• Trust service provider (TSP)
  • Provider of services related to
    • Electronic signatures
    • Electronic seals
    • Electronic time stamp
    • Electronic registered delivery service
    • Website authentication
• Qualified/non-qualified
  • If qualified then ‘stronger’ legal effect
• New obligations as to security requirements
  • Applies to all TSPs (qualified and non-qualified)

Page 27: Trust services (II)

• Qualified TSP
  • Two-yearly audit
• Requirements for issuing qualified certificates
  • Identity of the user should be verified:
    • By physical presence, or
    • Remotely, using electronic identification means which were issued after verifying the identity through physical appearance, while meeting assurance levels ‘substantial’ or ‘high’
    • By other methods providing equivalent assurance
• Revocation
  • Revocation of qualified certificates must take place within 24 hours

Page 28: Trust services (III)

• Electronic signature
  • Electronic data attached to or logically associated with other electronic data used by the signatory to sign
    • (was: “which serve as a method of authentication”)
  • Similar approach as the directive
  • Equivalent legal effect of a handwritten signature (for qualified e-sig)
  • Shall not be denied legal effect or admissibility as evidence
  • Reference formats for use for public services

Page 29: Trust services (IV)

• Electronic seal
  • Electronic data attached to or logically associated with other electronic data to ensure the origin and integrity of the associated data
  • Similar to electronic signature
  • Legal effect:
    • Legal presumption of ensuring origin and integrity (for qualified e-Seal)
    • Shall not be denied legal effect or admissibility as evidence
    • Recognized and accepted in all Member States (for qualified e-Seal)
  • Reference formats for use for public services

Page 30: Trust services (V)

• Electronic time stamp
  • Electronic data binding other electronic data to a particular time, establishing evidence that these data existed at that time
• Qualified electronic time stamp
  • Binds date & time to data in such a manner as to reasonably preclude the possibility of the data being changed undetectably
  • Based on accurate time source linked to Coordinated Universal Time
  • Signed/sealed by the qTSP using advanced e-sig or e-seal, or equivalent
• Legal effect
  • Presumption of ensuring the accuracy of the date and time it indicates and the integrity of the data to which the date and time are bound (qualified)
  • Shall not be denied legal effect or admissibility as evidence
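The three elements the slide names for a qualified time stamp (data bound to a UTC instant, signed by the qualified TSP, such that later alteration is detectable) as an added Go example that is not code from the slides or from any real TSP. The TimeStamp token, the TSP type and the caller-supplied clock are simplified constructions; real qualified time stamps use standardized token formats (such as RFC 3161) and a time source traceable to UTC.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)

// TimeStamp is a constructed, simplified token holding the three elements the
// regulation names: digest of the data, UTC time, and the TSP's signature over both.
type TimeStamp struct {
	Digest    [sha256.Size]byte
	Time      time.Time // UTC, whole seconds
	Signature []byte
}

// TSP is a hypothetical stand-in for a qualified trust service provider's signing key.
type TSP struct{ priv ed25519.PrivateKey }

func NewTSP() (*TSP, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TSP{priv: priv}, nil
}

// toBeSigned serialises digest || big-endian Unix seconds so one signature binds both.
func toBeSigned(digest [sha256.Size]byte, t time.Time) []byte {
	buf := make([]byte, sha256.Size+8)
	copy(buf, digest[:])
	binary.BigEndian.PutUint64(buf[sha256.Size:], uint64(t.Unix()))
	return buf
}

// Issue binds data to a UTC instant and signs the binding; a real qTSP takes `now`
// from a time source traceable to UTC, here the caller supplies it.
func (s *TSP) Issue(data []byte, now time.Time) TimeStamp {
	d := sha256.Sum256(data)
	t := now.UTC().Truncate(time.Second)
	return TimeStamp{Digest: d, Time: t, Signature: ed25519.Sign(s.priv, toBeSigned(d, t))}
}

// Verify fails if the data changed since issuance or if digest/time were altered
// after signing: the "undetectable change" a qualified time stamp must preclude.
func (s *TSP) Verify(data []byte, ts TimeStamp) error {
	if sha256.Sum256(data) != ts.Digest {
		return errors.New("data altered since time stamp was issued")
	}
	pub := s.priv.Public().(ed25519.PublicKey)
	if !ed25519.Verify(pub, toBeSigned(ts.Digest, ts.Time), ts.Signature) {
		return errors.New("time stamp signature invalid")
	}
	return nil
}
```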

Page 31: Trust services (VI)

• Electronic registered delivery service
  • Makes it possible to transmit data between third parties by electronic means
  • Provides evidence relating to the handling of the transmitted data
    • Including proof of sending and receiving the data
  • Which protects transmitted data against the risk of loss, theft, damage or any unauthorized alterations
• A qualified electronic delivery service (among other things)
  • Ensures with high level of confidence the identity of the sender
  • Ensures identification of the addressee
  • Secured by advanced e-sig or e-seal
  • Protected by qualified electronic time stamp

Page 32: Trust services (VII)

• Legal effect of the registered electronic delivery service
  • For qualified electronic delivery services:
    • ‘presumption of’ (correctness of):
      • The integrity of the data
      • Sending by the identified sender and receiving by the identified addressee of the data
      • The accuracy of the date and time of sending and receiving
    • Admissible as evidence regarding integrity & certainty of date & time

Page 33: Trust services (VIII)

• Website authentication
  • Requirements for qualified website authentication certificates
  • Remember: for qualified certificates, identity needs to be verified by physical presence
  • Legal effect?

Page 34: Trust services (IX)

• Electronic document
  • Any content stored in electronic form, in particular text or sound or audiovisual recording
  • Legal effect
    • Shall not be denied as evidence solely on the grounds that it is in electronic form
  • Trust service?

Page 35: Trust services (X)

• TSPs outside EU
  • Their trust services must be recognized as equivalent to qualified trust services, if recognized under a treaty

Page 36: Questions?