1 / 8

Attributes Release Working Group European data protection directive

Attributes Release Working Group European data protection directive. REFEDS meeting 22th Apr, 2012 Mikael.Linden@csc.fi. Introduction. Inform on our current progress Seeking use cases where SPs are outside of EU/EEA Summary of background and the problem space

daryl
Download Presentation

Attributes Release Working Group European data protection directive

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Attributes Release Working GroupEuropean data protection directive REFEDS meeting 22th Apr, 2012 Mikael.Linden@csc.fi

  2. Introduction • Inform on our current progress • Seeking use cases where SPs are outside of EU/EEA • Summary of background and the problem space • Proposed solution, from a lawyerish perspective, Code of Conduct

  3. European legal system • European Union (EU) gives Directives • Member States (27) implement them to national legislation • With some national freedom, depending on the directive Data protection directive (95/46/EC) • The most significant European law regulating attribute release between an IdP and SP • Lawyer’s legal analysis for the eduGAIN project: https://www.terena.org/mail-archives/refeds/msg02327.html • For comparison of the DP directive and FERPA, see https://refeds.org/docs/FERPA-DPD%20v1-00.pdf

  4. Definitions • Personal data: ” any information relating to an identified or identifiable natural person” • Lawyer: assume any attribute (ePTID and even eduPersonAffiliation) counts as personal data • Processing of personal data: ”any operation or set of operations on personal data, such as collection, …, dissemination,… etc” • Both IdP and SP processes personal data • Data Controller: organisation which alone or jointly with others determines the purposes and means of the processing of personal data • IdP and SP (usually) are data controllers • Federation (and interfederation) may be joint data controller

  5. Obligations to data controllers (1/3) Security of processing • The controller must protect personal data properly • Level of security depends e.g. on the sensitivity of attributes • Sensitive=health, race, ethnic origin, religion, political opinions… => Federation policies, use of TLS and endpoint authentication… Purpose of processing • Must be defined beforehand • You must stick to that purpose => Purpose of processing in IdPs: ~to support research and education => SPs’ purpose of processing must not conflict with this

  6. Obligations to data controllers (2/3) Relevance of personal data • Personal data processed must be adequate, relevant and not excessive • SPs must request and IdPs must release only relevant attributes • => md:RequestedAttribute Inform the end user • when attributes are released for the first time • SP’s name and identity (=>mdui:Displayname, mdui:Logo) • SP’s purpose (=>mdui:Description) • Categories of attributes processed (=> uApprove or similar) • Any other information (mdui:PrivacyStatementURL) • Layered notice!

  7. Criteria for making data processing legitimate (3/3) • User consents (freely given, informed, specific), or • Necessary for performance of a contract to which the user is a subject, or • Necessary for the controller’s legal obligation, or • Necessary for vital interests of the user, or • Necessary for a task carried out in public interest, or • Necessary for the legitimate interests of the data controller • Lawyer: Use (f): the SP has legitimate interests to provide service to the user • When the user expresses his willingness to use the service by clicking ”log in” link

  8. Attribute release to SPs outside EU To release attributes out of EU + EEA(Norway, Iceland and Lichenstein) • The law in SP’s country quarantees adequate data protection • Switzerland, Argentina, some sectoral laws in Canada, … • The SP has voluntarily committed to good enough data protection • US Safe Harbour (not applicable to universities) • EU’s model Contractual Clauses • EU’s Contractual Clauses is a bilateral contract • Bilaterals scale poorly if there are thousands of IdPs and SPs • Lawer: translate Contractual Clauses into a multilateral agreement signed by IdPs (in EU) and SPs (in the US)

More Related