Presentation is loading. Please wait.

Presentation is loading. Please wait.

Innovation through participation Attributes Release Working Group European data protection directive REFEDS meeting 22th Apr, 2012

Published byReina Mayor Modified over 9 years ago

Similar presentations

Presentation on theme: "Innovation through participation Attributes Release Working Group European data protection directive REFEDS meeting 22th Apr, 2012"— Presentation transcript:

1 Innovation through participation Attributes Release Working Group European data protection directive REFEDS meeting 22th Apr, 2012 Mikael.Linden@csc.fi

2 Innovation through participation Introduction Inform on our current progress Seeking use cases where SPs are outside of EU/EEA Summary of background and the problem space Proposed solution, from a lawyerish perspective, Code of Conduct

3 Innovation through participation European legal system European Union (EU) gives Directives Member States (27) implement them to national legislation With some national freedom, depending on the directive Data protection directive (95/46/EC) The most significant European law regulating attribute release between an IdP and SP Lawyer’s legal analysis for the eduGAIN project: https://www.terena.org/mail-archives/refeds/msg02327.html https://www.terena.org/mail-archives/refeds/msg02327.html For comparison of the DP directive and FERPA, see https://refeds.org/docs/FERPA-DPD%20v1-00.pdf https://refeds.org/docs/FERPA-DPD%20v1-00.pdf

4 Innovation through participation Definitions Personal data: ” any information relating to an identified or identifiable natural person” Lawyer: assume any attribute (ePTID and even eduPersonAffiliation) counts as personal data Processing of personal data: ”any operation or set of operations on personal data, such as collection, …, dissemination,… etc” Both IdP and SP processes personal data Data Controller: organisation which alone or jointly with others determines the purposes and means of the processing of personal data IdP and SP (usually) are data controllers Federation (and interfederation) may be joint data controller

5 Innovation through participation Obligations to data controllers (1/3) Security of processing The controller must protect personal data properly Level of security depends e.g. on the sensitivity of attributes Sensitive=health, race, ethnic origin, religion, political opinions… => Federation policies, use of TLS and endpoint authentication… Purpose of processing Must be defined beforehand You must stick to that purpose => Purpose of processing in IdPs: ~to support research and education => SPs’ purpose of processing must not conflict with this

6 Innovation through participation Obligations to data controllers (2/3) Relevance of personal data Personal data processed must be adequate, relevant and not excessive SPs must request and IdPs must release only relevant attributes => md:RequestedAttribute Inform the end user when attributes are released for the first time SP’s name and identity (=>mdui:Displayname, mdui:Logo) SP’s purpose (=>mdui:Description) Categories of attributes processed (=> uApprove or similar) Any other information (mdui:PrivacyStatementURL) Layered notice!

7 Innovation through participation Criteria for making data processing legitimate (3/3) a. User consents (freely given, informed, specific), or b. Necessary for performance of a contract to which the user is a subject, or c. Necessary for the controller’s legal obligation, or d. Necessary for vital interests of the user, or e. Necessary for a task carried out in public interest, or f. Necessary for the legitimate interests of the data controller Lawyer: Use (f): the SP has legitimate interests to provide service to the user When the user expresses his willingness to use the service by clicking ”log in” link

8 Innovation through participation Attribute release to SPs outside EU To release attributes out of EU + EEA(Norway, Iceland and Lichenstein) 1. The law in SP’s country quarantees adequate data protection - Switzerland, Argentina, some sectoral laws in Canada, … 2. The SP has voluntarily committed to good enough data protection - US Safe Harbour (not applicable to universities) - EU’s model Contractual Clauses EU’s Contractual Clauses is a bilateral contract Bilaterals scale poorly if there are thousands of IdPs and SPs Lawer: translate Contractual Clauses into a multilateral agreement signed by IdPs (in EU) and SPs (in the US)

9 Innovation through participation Towards a new European data protection framework On 25th Jan 2012, European commission published a proposal on the General Data Protection Regulation Repeals the Data protection directive Updates, no fundamental changes Applied to a non-EU controllers providing services to end users in EU If an SP consumes a European IdP’s metadata, it provides services to end users in EU?

Download ppt "Innovation through participation Attributes Release Working Group European data protection directive REFEDS meeting 22th Apr, 2012"

Similar presentations

Re-use of PSI Data Protection Issues Cécile de Terwangne Professor at the Law Faculty, Research Director at CRIDS University of Namur (Belgium) 2 nd LAPSI.

Re-use of PSI Data Protection Issues Cécile de Terwangne Professor at the Law Faculty, Research Director at CRIDS University of Namur (Belgium) 2 nd LAPSI.
PRIVACY ASPECTS OF RE-USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR

PRIVACY ASPECTS OF RE-USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR
Innovation through participation Data Protection Code of Conduct (DP CoC) REFEDS Helsinki 2.10.2013 Mikael Linden, CSC – IT Center for Science

Innovation through participation Data Protection Code of Conduct (DP CoC) REFEDS Helsinki Mikael Linden, CSC – IT Center for Science
Data Protection & Privacy in the Information Age COMNET – Legal Frameworks for ICTs Malta 2013 Dr Antonio Ghio Dr Jeanine Rizzo.

Data Protection & Privacy in the Information Age COMNET – Legal Frameworks for ICTs Malta 2013 Dr Antonio Ghio Dr Jeanine Rizzo.
Innovation through participation GÉANT Data Protection Code of Conduct (DP CoC) 21.6.2012 FIM for research collaboration workshop Mikael Linden,

Innovation through participation GÉANT Data Protection Code of Conduct (DP CoC) FIM for research collaboration workshop Mikael Linden,
Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
Protection of Personal Data, 11.02.2011. Historical context In 1982, Iceland signed the Council of Europe Convention nr. 108 from 1981 for the Protection.

Protection of Personal Data, Historical context In 1982, Iceland signed the Council of Europe Convention nr. 108 from 1981 for the Protection.
Not legally binding FP7 Rules for Participation and Grant agreement FP7 Helpdesk 

Not legally binding FP7 Rules for Participation and Grant agreement FP7 Helpdesk 
DATA PROTECTION and Research University Research Ethics Committee – 08.05.2006 David Cauchi Office of the Data Protection Commissioner.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi Office of the Data Protection Commissioner.
Data Protection and Records Management

Data Protection and Records Management
Innovation through participation eduGAIN federation operator training eduGAIN policy eduGAIN training in Vienna 17-18 Oct 2011

Innovation through participation eduGAIN federation operator training eduGAIN policy eduGAIN training in Vienna Oct 2011
REFEDS RESEARCH AND EDUCATION (R&S) ENTITY CATEGORY NICOLE HARRIS.

REFEDS RESEARCH AND EDUCATION (R&S) ENTITY CATEGORY NICOLE HARRIS.
Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S. Stephen R. Bell Willkie Farr & Gallagher ABA Section of International Law New.

Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S. Stephen R. Bell Willkie Farr & Gallagher ABA Section of International Law New.
Data Protection: International. Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society.

Data Protection: International. Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society.
Class 13 Internet Privacy Law European Privacy.

Class 13 Internet Privacy Law European Privacy.
Data Protection Overview

Data Protection Overview
 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.

 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.
Privacy Codes of Conduct as a self- regulatory approach to cope with restrictions on transborder data flow Dr. Anja Miedbrodt Exemplified with the help.

Privacy Codes of Conduct as a self- regulatory approach to cope with restrictions on transborder data flow Dr. Anja Miedbrodt Exemplified with the help.
LexisNexis Confidential EU Privacy Framework Michael Lamb LexisNexis Risk Solutions Vice President and Lead Counsel: Regulatory, Privacy & Policy May 19,

LexisNexis Confidential EU Privacy Framework Michael Lamb LexisNexis Risk Solutions Vice President and Lead Counsel: Regulatory, Privacy & Policy May 19,

Similar presentations

Ads by Google