2014 Update EU Cyber Law & Authentication Legislation
1. Discover the world at Leiden University
Dr. Marten Voulon (marten@voulon.nl) March 18th 2014
Developments in cyber law & regulation of national authentication systems
European Union & the Netherlands
Slide 2: Agenda
• Latest developments in cyber law
• New data protection legislation
• Regulation of authentication systems
• New legal framework on:
  • electronic identification; and
  • trust services
Slide 3: The European Union
• 28 member states
• Treaty of Lisbon
  • 1 December 2009
  • Treaty on the EU
  • Treaty on the functioning of the EU
Slide 4: Overview of EU legislation (I)
Subject / Regulation
Privacy & data protection
  • Directive 1995/46 (general data protection)
  • Directive 2002/59 (e-privacy)
  • Regulation COM (2012)11 (draft)
Intellectual property rights
  • Directive 2001/29 (copyright)
  • Directive 2009/24 (software)
  • Directive 2008/95 (trademarks)
  • Regulation 207/2009 (community trade mark)
  • Directive 1987/5 (semiconductors)
  • Regulation 1257/2012 (patents)
eContracting
  • Directive 2000/31 (e-commerce)
  • Directive 2002/65 (distance selling of financial services)
  • Directive 2011/83 (consumer rights)
Online authentication
  • Directive 1999/93 (electronic signatures)
  • Regulation COM 2012(138) (electronic identification & trust services) (draft)
Slide 5: Overview of EU legislation (II)
Subject / Regulation
Payment
  • Directive 2007/64 (payment services, SEPA)
  • Regulation 924/2009 (cross-border payments)
  • Regulation 260/2012 (credit transfers & direct debits)
Electronic communication
  • Directive 2002/21 (electronic communication)
  • Directive 2002/19 (access & interconnection)
  • Directive 2002/20 (authorization)
  • Directive 2002/22 (universal service)
“directive”: needs to be implemented through national legislation
“regulation”: directly enforceable in EU member states
Slide 6: Data protection
• 1995
  • European Directive 1995/46/EC
  • Legal framework for EU Member States
• 2012: new draft legislation
  • Proposal for a General Data Protection Regulation (GDPR)
  • Proposal for a Directive (criminal data)
  • 4.373 amendments by EU parliament
  • Effective in 2016 or later?
Slide 7: Basics of EU data protection law (I)
• Personal data
• Controller, subject, processor
• “Processing”
• Processing only allowed for the “purpose”
• Exhaustive list of reasons for processing:
  • Consent
  • Performance of contract
  • Legal obligation
  • Vital interest of the subject
  • Public interest
  • Legitimate interests of the controller
Slide 8: Basics of EU data protection law (II)
• Sensitive data
  • Race, ethnicity, political opinion, religious & philosophical beliefs, trade union membership, health, sex life
• Rights of the subject
  • Information, access, right to object
• Data processing agreement
  • Contract between controller & processor
Slide 9: Basics of EU data protection law (III)
• Transfer to third countries (outside EU/EEA)
  • Only allowed if:
    • Adequate level of protection
    • Consent of the subject
    • Transfer is necessary for execution of contract between subject and controller
    • Necessary for vital interests of subject
    • (…)
  • Or:
    • EU model clauses (decision 2010/87/EU)
    • Binding corporate rules (BCR) (authorization by regulator)
    • US Safe Harbor (decision 2000/520/EU)
Slide 10: Changes to data protection law (I)
• Transparency, governance, accountability:
  • Transparent, accessible policy needs to be in place
  • Processes need to be documented
• Higher penalties; three categories
  • Max. € 250.000,- or 0,5 % of annual world-wide turnover
  • Max. € 500.000,- or 1 % of annual world-wide turnover
  • Max. € 1.000.000,- or 2 % of annual world-wide turnover
• Mandatory data protection officer
• Consent for data processing needs to be more explicit
Slide 11: Changes to data protection law (II)
• More rights for the data subject
  • Right to be forgotten
  • Processing personal data of children subject to parental consent
  • Data portability
• Transfer outside EU/EEA
  • Adequacy decision by European Commission
  • Patriot Act
    • FISA order/NSL can imply illegal transfer to third country
  • Leaked draft of the GDPR:
    • Assisting foreign agencies only allowed in case of mutual legal assistance treaty (MLAT)
Slide 12: Security breach notifications
Legal basis: Directive 2002/59
  Breach: particular risk of a breach of security of the network
  Term: -
  To whom: subscriber
Legal basis: GDPR
  Breach: breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
  Term: without undue delay and, where feasible, not later than 24 hours after having become aware of it
  To whom: regulator
Legal basis: GDPR
  Term: without undue delay if the breach is likely to adversely affect the protection of personal data or privacy of the subject
  To whom: data subject
Legal basis: Draft eID Regulation
  Breach: breach of security or loss of integrity, significant impact
  Term: without undue delay and, where feasible, not later than 24 hours after having become aware of it
  To whom: regulator
Legal basis: Draft directive on network and information security
  Breach: any circumstance or event having an actual adverse effect on security, if significant impact
  Term: -
  To whom: regulator
Slide 13: Legal framework e-authentication
Moving from the directive to the new regulation:
Directive 1999/93 on electronic signatures → Regulation on electronic identification and trust services
• Final draft: February 27th 2014
• Expected entry into force: July 1st 2016
Slide 14: DigiD
• Authentication system
  • Provided to Dutch citizens
  • Electronic communication with government
  • Mandatory for tax filings
  • Verification against the Persons Database (GBA)
• Security levels
  • Basic: single factor (username & password)
  • Middle: two factor (username, password & SMS code)
  • High: PKI chipcard
Slide 15: eRecognition / ‘eHerkenning’
• Business to Government
• Public/private cooperation
• Competitive/cooperative domain
• Two-sided market
• Five assurance levels
Slide 16: The 1999 Directive
• Advanced electronic signature
  • Based on qualified certificate
  • Using secure device
→ Same effect as handwritten signature
However: signing ≠ identification/authentication
Slide 17: The new regulation
Electronic identification
• Member states must “recognize and accept” electronic identification
• Prerequisite: proper notification of an electronic identification scheme
Trust services
• Electronic signature
• Electronic seal
• Electronic time stamp
• Electronic registered delivery service
• Electronic certificate
• Website authentication
Slide 18: Electronic identification
• Background
  • EU Services Directive
    • Promote cross-border provision of services in internal market
    • Service provider should be able to deal with all formalities in another member state through an electronic point of single contact (PSC)
    • PSCs require identification/authentication, signatures
• Practical situations
  • Company wants to provide services in another member state
  • Student wants to enroll in university in another member state
  • Company wants to electronically compete in public tender in another member state
Slide 19: Electronic identification
• Definitions of the regulation
  • Electronic identification
    • The process of using electronic person identification data, uniquely representing a person
  • Authentication
    • Electronic process allowing for the confirmation of electronic identification (…)
  • Electronic identification means
    • Material or immaterial unit containing person identification data
    • Used for authentication for services online
    • Limitation to eGovernment deleted in final draft
  • Electronic identification scheme
    • System for electronic identification under which electronic identification means are issued to persons
Slide 20: Electronic identification
• Public sector bodies are obliged to recognize electronic identification means and authentication for cross-border online services, if:
  • The means are issued under an electronic identification scheme which is included in the European Commission's list
  • The assurance level of the means is equal to, or higher than, the level required by the public body
  • And the assurance level is ‘substantial’ or ‘high’
Slide 21: Conditions for notification
• Electronic identification schemes are eligible, if:
  • The electronic identification means are issued by, on behalf of, or independently of the Member State
  • The scheme meets the requirements of at least one assurance level
  • The Member State ensures the person identification data are linked to the person
  • The issuing party ensures the electronic identification means are linked to the person
Slide 22: Assurance levels (I)
• National eID schemes must specify assurance levels
• Low
  • Limited confidence as to asserted identity
  • Controls to decrease risk of misuse or alteration of identity
• Substantial
  • Substantial confidence as to asserted identity
  • Controls to decrease substantially the risk of misuse or alteration of identity
• High
  • Higher confidence as to asserted identity
  • Controls to prevent misuse or alteration of identity
Slide 23: Assurance levels (II)
Parties in the diagram: User, Relying party, Trust service provider
Steps:
1. Registration
2. Issuing
3. Authentication
4. Validation
Slide 24: Assurance levels (III)
EU STORK project: QAA levels
QAA level / Description
1: No or minimal assurance
2: Low assurance
3: Substantial assurance
4: High assurance
• Depending on:
  • Registration phase
    • Identification procedure
    • Identity issuing process
    • Quality of the issuing entity
  • Electronic authentication phase
    • Type and robustness of the identity credential
    • Security of authentication mechanism
Slide 25: Interoperability
• National eID schemes must be interoperable
• EU shall establish an interoperability framework
  • Consisting of:
    • Reference to minimum technical requirements related to assurance levels
    • Mapping of the national schemes to the assurance levels
    • Reference to minimum technical requirements for interoperability
    • (…)
Slide 26: Trust services (I)
• Trust service provider (TSP)
  • Provider of services related to
    • Electronic signatures
    • Electronic seals
    • Electronic time stamp
    • Electronic registered delivery service
    • Website authentication
• Qualified/non-qualified
  • If qualified then ‘stronger’ legal effect
• New obligations as to security requirements
  • Applies to all TSPs (qualified and non-qualified)
Slide 27: Trust services (II)
• Qualified TSP
  • Two-yearly audit
• Requirements for issuing qualified certificates
  • Identity of the user should be verified:
    • By physical presence, or
    • Remotely, using electronic identification means which were issued after verifying the identity through physical appearance, while meeting assurance levels ‘substantial’ or ‘high’
    • By other methods providing equivalent assurance
• Revocation
  • Revocation of qualified certificates must take place within 24 hours
Slide 28: Trust services (III)
• Electronic signature
  • Electronic data attached to or logically associated with other electronic data used by the signatory to sign
  • (was: “which serve as a method of authentication”)
• Similar approach as the directive
  • Equivalent legal effect of a handwritten signature (for qualified e-sig)
  • Shall not be denied legal effect or admissibility as evidence
• Reference formats for use for public services
Slide 29: Trust services (IV)
• Electronic seal
  • Electronic data attached to or logically associated with other electronic data to ensure the origin and integrity of the associated data
  • Similar to electronic signature
• Legal effect:
  • Legal presumption of ensuring origin and integrity (for qualified e-Seal)
  • Shall not be denied legal effect or admissibility as evidence
  • Recognized and accepted in all Member States (for qualified e-Seal)
• Reference formats for use for public services
Slide 30: Trust services (V)
• Electronic time stamp
  • Electronic data binding other electronic data to a particular time, establishing evidence that these data existed at that time
• Qualified electronic time stamp
  • Binds date & time to data in such a manner as to reasonably preclude the possibility of the data being changed undetectably
  • Based on accurate time source linked to Coordinated Universal Time
  • Signed/sealed by the qTSP using advanced e-sig or e-seal, or equivalent
• Legal effect
  • Presumption of ensuring the accuracy of the date and time it indicates and the integrity of the data to which the date and time are bound (qualified)
  • Shall not be denied legal effect or admissibility as evidence
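Added example, not from the slides or from any TSP's software: a minimal Go model of the qualified time stamp described above, in which the TSP binds a SHA-256 hash of the data to a UTC time and signs both together, so a relying party detects any later change to the data or the time. The same signature-over-hash mechanism is what gives an electronic seal its origin-and-integrity property; the Ed25519 key, the token layout and the sample document are assumptions chosen for illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// TimeStampToken models a qualified electronic time stamp: a data hash bound to a UTC time, both signed by the TSP.
type TimeStampToken struct {
	DataHash  [32]byte
	UTCTime   time.Time
	Signature []byte
}

// NewTSPKey generates the TSP's signing key (an assumption; a real qualified TSP keeps its key in certified hardware).
func NewTSPKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// tokenMessage is what the TSP signs: dataHash || RFC 3339 UTC time, so changing either invalidates the signature.
func tokenMessage(hash [32]byte, t time.Time) []byte {
	return append(hash[:], t.UTC().Format(time.RFC3339)...)
}

// IssueTimeStamp plays the TSP: it receives only the hash, never the data, and binds it to its UTC-linked clock.
func IssueTimeStamp(tspPriv ed25519.PrivateKey, dataHash [32]byte, now time.Time) TimeStampToken {
	t := now.UTC().Truncate(time.Second)
	return TimeStampToken{DataHash: dataHash, UTCTime: t, Signature: ed25519.Sign(tspPriv, tokenMessage(dataHash, t))}
}

// VerifyTimeStamp plays the relying party: the data must still hash to the bound value and the TSP signature must hold.
func VerifyTimeStamp(tspPub ed25519.PublicKey, data []byte, tok TimeStampToken) bool {
	if sha256.Sum256(data) != tok.DataHash {
		return false // data altered after it was time-stamped
	}
	return ed25519.Verify(tspPub, tokenMessage(tok.DataHash, tok.UTCTime), tok.Signature)
}

func main() {
	pub, priv := NewTSPKey()
	doc := []byte("constructed sample contract text") // constructed input, not a real document
	tok := IssueTimeStamp(priv, sha256.Sum256(doc), time.Now())
	fmt.Println(VerifyTimeStamp(pub, doc, tok), VerifyTimeStamp(pub, []byte("altered"), tok)) // true false
}
```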
Slide 31: Trust services (VI)
• Electronic registered delivery service
  • Makes it possible to transmit data between third parties by electronic means
  • Provides evidence relating to the handling of the transmitted data
    • Including proof of sending and receiving the data
  • Which protects transmitted data against the risk of loss, theft, damage or any unauthorized alterations
• A qualified electronic delivery service (among other things)
  • Ensures with high level of confidence the identity of the sender
  • Ensures identification of the addressee
  • Secured by advanced e-sig or e-seal
  • Protected by qualified electronic time stamp
Slide 32: Trust services (VII)
• Legal effect of the registered electronic delivery service
  • For qualified electronic delivery services:
    • ‘presumption of’ (correctness of):
      • The integrity of the data
      • Sending by the identified sender and receiving by the identified addressee of the data
      • The accuracy of the date and time of sending and receiving
  • Admissible as evidence regarding integrity & certainty of date & time
Slide 33: Trust services (VIII)
• Website authentication
  • Requirements for qualified website authentication certificates
  • Remember: for qualified certificates, identity needs to be verified by physical presence
  • Legal effect?
Slide 34: Trust services (IX)
• Electronic document
  • Any content stored in electronic form, in particular text or sound or audiovisual recording
• Legal effect
  • Shall not be denied as evidence solely on the grounds that it is in electronic form
• Trust service?
Slide 35: Trust services (X)
• TSPs outside EU
  • Their trust services must be recognized as equivalent to qualified trust services, if recognized under a treaty