Attributes Release Working Group
European data protection directive

REFEDS meeting, 22nd Apr 2012

[email protected]


Introduction

  • Inform on our current progress

  • Seeking use cases where SPs are outside of EU/EEA

  • Summary of background and the problem space

  • Proposed solution, from a lawyerish perspective, Code of Conduct


European legal system

  • The European Union (EU) issues Directives

  • Member States (27) implement them in national legislation

    • With some national freedom, depending on the directive

Data protection directive (95/46/EC)

  • The most significant European law regulating attribute release between an IdP and SP

  • Lawyer’s legal analysis for the eduGAIN project: https://www.terena.org/mail-archives/refeds/msg02327.html

  • For comparison of the DP directive and FERPA, see https://refeds.org/docs/FERPA-DPD%20v1-00.pdf


Definitions

  • Personal data: "any information relating to an identified or identifiable natural person"

    • Lawyer: assume any attribute (ePTID and even eduPersonAffiliation) counts as personal data

  • Processing of personal data: "any operation or set of operations on personal data, such as collection, …, dissemination, … etc."

    • Both the IdP and the SP process personal data

  • Data Controller: organisation which alone or jointly with others determines the purposes and means of the processing of personal data

    • IdP and SP (usually) are data controllers

    • Federation (and interfederation) may be joint data controller


Obligations to data controllers (1/3)

Security of processing

  • The controller must protect personal data properly

  • The level of security depends e.g. on the sensitivity of the attributes

    • Sensitive = health, race, ethnic origin, religion, political opinions, …

  => Federation policies, use of TLS and endpoint authentication, …

Purpose of processing

  • Must be defined beforehand

  • You must stick to that purpose

    => Purpose of processing in IdPs: ~to support research and education

    => SPs’ purpose of processing must not conflict with this


Obligations to data controllers (2/3)

Relevance of personal data

  • Personal data processed must be adequate, relevant and not excessive

  • SPs must request, and IdPs must release, only relevant attributes

  => md:RequestedAttribute

Inform the end user

  • when attributes are released for the first time

  • SP's name and identity (=> mdui:DisplayName, mdui:Logo)

  • SP's purpose (=> mdui:Description)

  • Categories of attributes processed (=> uApprove or similar)

  • Any other information (=> mdui:PrivacyStatementURL)

  • Layered notice!
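As an added example (not from the slides): a small Python check of an SP's SAML 2.0 metadata for the elements the two slides above map to the obligations, md:RequestedAttribute for relevance and the mdui elements for informing the user. The entityID, URLs and the metadata document itself are constructed for this example.

```python
# Added example: check SP metadata against the relevance and
# "inform the end user" obligations. The metadata below is constructed.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}

# Constructed SP metadata: requests ePTID and eduPersonAffiliation,
# carries a name, description and logo, but no privacy statement URL.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example Research Wiki</mdui:DisplayName>
        <mdui:Description xml:lang="en">Collaboration wiki for project members</mdui:Description>
        <mdui:Logo height="60" width="80">https://sp.example.org/logo.png</mdui:Logo>
      </mdui:UIInfo>
    </md:Extensions>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Research Wiki</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def requested_attribute_names(xml_text):
    """Attribute names the SP declares it needs (relevance obligation)."""
    root = ET.fromstring(xml_text)
    return [ra.get("Name") for ra in root.findall(".//md:RequestedAttribute", NS)]

def check_sp_metadata(xml_text):
    """Return findings about what the metadata lacks; empty list means
    every element needed for the notice to the user is present."""
    root = ET.fromstring(xml_text)
    findings = []
    if not requested_attribute_names(xml_text):
        findings.append("no md:RequestedAttribute: IdP cannot judge relevance")
    ui = root.find(".//md:SPSSODescriptor/md:Extensions/mdui:UIInfo", NS)
    # Each mdui element corresponds to one item of the layered notice.
    for tag, item in (("DisplayName", "SP name"), ("Description", "SP purpose"),
                      ("PrivacyStatementURL", "further information")):
        if ui is None or ui.find(f"mdui:{tag}", NS) is None:
            findings.append(f"missing mdui:{tag} ({item})")
    return findings
```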


Criteria for making data processing legitimate (3/3)

  • User consents (freely given, informed, specific), or

  • Necessary for the performance of a contract to which the user (the data subject) is a party, or

  • Necessary for the controller’s legal obligation, or

  • Necessary for vital interests of the user, or

  • Necessary for a task carried out in public interest, or

  • Necessary for the legitimate interests of the data controller

  • Lawyer: use criterion (f): the SP has a legitimate interest in providing the service to the user

    • When the user expresses willingness to use the service by clicking the "log in" link


Attribute release to SPs outside EU

To release attributes outside the EU + EEA (Norway, Iceland and Liechtenstein), one of the following must hold:

  • The law in the SP's country guarantees adequate data protection

    • Switzerland, Argentina, some sectoral laws in Canada, …

  • The SP has voluntarily committed to good enough data protection

    • US Safe Harbour (not applicable to universities)

    • EU's model Contractual Clauses

  • EU's Contractual Clauses are a bilateral contract

  • Bilateral contracts scale poorly if there are thousands of IdPs and SPs

  • Lawyer: translate the Contractual Clauses into a multilateral agreement signed by IdPs (in the EU) and SPs (in the US)

