Innovation through participation
Attributes Release Working Group
European data protection directive
REFEDS meeting, 22nd Apr 2012
Mikael.Linden@csc.fi
Introduction
- Inform on our current progress
- Seeking use cases where SPs are outside of the EU/EEA
- Summary of the background and the problem space
- Proposed solution, from a lawyerish perspective: Code of Conduct
European legal system
- The European Union (EU) issues Directives
- Member States (27) implement them in national legislation
  - With some national freedom, depending on the directive
- Data protection directive (95/46/EC)
  - The most significant European law regulating attribute release between an IdP and an SP
- Lawyer's legal analysis for the eduGAIN project: https://www.terena.org/mail-archives/refeds/msg02327.html
- For a comparison of the DP directive and FERPA, see https://refeds.org/docs/FERPA-DPD%20v1-00.pdf
Definitions
- Personal data: "any information relating to an identified or identifiable natural person"
  - Lawyer: assume any attribute (ePTID and even eduPersonAffiliation) counts as personal data
- Processing of personal data: "any operation or set of operations on personal data, such as collection, ..., dissemination, ... etc"
  - Both the IdP and the SP process personal data
- Data controller: organisation which alone or jointly with others determines the purposes and means of the processing of personal data
  - IdP and SP (usually) are data controllers
  - Federation (and interfederation) may be a joint data controller
Obligations to data controllers (1/3)
- Security of processing
  - The controller must protect personal data properly
  - Level of security depends e.g. on the sensitivity of attributes
    - Sensitive = health, race, ethnic origin, religion, political opinions...
  - => Federation policies, use of TLS and endpoint authentication...
- Purpose of processing
  - Must be defined beforehand
  - You must stick to that purpose
  - => Purpose of processing in IdPs: ~to support research and education
  - => SPs' purpose of processing must not conflict with this
Obligations to data controllers (2/3)
- Relevance of personal data
  - Personal data processed must be adequate, relevant and not excessive
  - SPs must request, and IdPs must release, only relevant attributes (=> md:RequestedAttribute)
- Inform the end user when attributes are released for the first time
  - SP's name and identity (=> mdui:DisplayName, mdui:Logo)
  - SP's purpose (=> mdui:Description)
  - Categories of attributes processed (=> uApprove or similar)
  - Any other information (=> mdui:PrivacyStatementURL)
  - Layered notice!
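As an added check, not part of the slides: a small script that reads an SP's SAML metadata and reports whether the mdui elements the slide maps to the user-notice obligation are present, and which attributes the SP asks for via md:RequestedAttribute (and whether it marks them required). The metadata fragment, entityID, URLs and attribute choice below are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}

# Constructed SP metadata fragment (hypothetical entityID and URLs).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://sp.example.org/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><mdui:UIInfo>
      <mdui:DisplayName xml:lang="en">Example Wiki</mdui:DisplayName>
      <mdui:Description xml:lang="en">Wiki for project members (research use)</mdui:Description>
      <mdui:Logo height="32" width="32">https://sp.example.org/logo.png</mdui:Logo>
      <mdui:PrivacyStatementURL xml:lang="en">https://sp.example.org/privacy</mdui:PrivacyStatementURL>
    </mdui:UIInfo></md:Extensions>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Wiki</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
          FriendlyName="eduPersonTargetedID" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
          FriendlyName="eduPersonScopedAffiliation"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Slide's mapping: what the user must be told -> the mdui element that carries it.
UI_ELEMENTS = {"name": "DisplayName", "logo": "Logo",
               "purpose": "Description", "privacy": "PrivacyStatementURL"}


def check_sp_metadata(xml_text):
    """Return which notice elements are present, what is requested, and what is missing."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("not an SP entity")
    ui = sp.find("md:Extensions/mdui:UIInfo", NS)
    notice = {k: ui is not None and ui.find(f"mdui:{e}", NS) is not None
              for k, e in UI_ELEMENTS.items()}
    # Each RequestedAttribute is one attribute the SP claims is relevant to it.
    requested = [(ra.get("FriendlyName") or ra.get("Name"),
                  ra.get("isRequired", "false").lower() == "true")
                 for ra in sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS)]
    return {"notice": notice, "requested": requested,
            "missing": [UI_ELEMENTS[k] for k, v in notice.items() if not v]}
```

An IdP or federation operator can run this over each SP entity in a metadata feed to spot SPs that request attributes without giving the user the name, purpose or privacy statement the slide calls for.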
Criteria for making data processing legitimate (3/3)
a. The user consents (freely given, informed, specific), or
b. Necessary for the performance of a contract to which the user is a subject, or
c. Necessary for the controller's legal obligation, or
d. Necessary for the vital interests of the user, or
e. Necessary for a task carried out in the public interest, or
f. Necessary for the legitimate interests of the data controller
- Lawyer: use (f): the SP has a legitimate interest in providing the service to the user
  - when the user expresses his willingness to use the service by clicking the "log in" link
Attribute release to SPs outside the EU
- To release attributes outside the EU + EEA (Norway, Iceland and Liechtenstein):
  1. The law in the SP's country guarantees adequate data protection
     - Switzerland, Argentina, some sectoral laws in Canada, ...
  2. The SP has voluntarily committed to good enough data protection
     - US Safe Harbour (not applicable to universities)
     - EU's model Contractual Clauses
- EU's Contractual Clauses are a bilateral contract
  - Bilaterals scale poorly if there are thousands of IdPs and SPs
  - Lawyer: translate the Contractual Clauses into a multilateral agreement signed by IdPs (in the EU) and SPs (in the US)
Towards a new European data protection framework
- On 25th Jan 2012, the European Commission published a proposal for a General Data Protection Regulation
  - Repeals the Data protection directive
  - Updates, no fundamental changes
  - Applies to non-EU controllers providing services to end users in the EU
  - If an SP consumes a European IdP's metadata, does it provide services to end users in the EU?