Thomas Olsen, Tobias Mahler, et al.
PRIVACY & IDENTITY MANAGEMENT
DATA PROTECTION ISSUES IN RELATION TO NETWORKED ORGANISATIONS UTILIZING IDENTITY MANAGEMENT SYSTEMS
Senter for rettsinformatikk / Avdeling for forvaltningsinformatikk (Norwegian Research Center for Computers and Law / Department of Administrative Informatics)
Postboks 6706 St. Olavs plass
0130 Oslo
Tel. 22 85 01 01
www.jus.uio.no/iri/
ISBN 978-82-7226-105-3
ISSN 0806-1912
Published in cooperation with Unipub AS
This book is part of the publication series of the Norwegian Association of Higher Education Institutions (Universitets- og høgskolerådet).
Printed by: e-dit AiT AS
Cover design: Kitty Ensby
The publications of Senter for rettsinformatikk in the Complex series are supported by:
Advokatfirmaet Selmer DA
Wikborg Rein & Co
Lovdata
Thomas Olsen (NRCCL)
Tobias Mahler (NRCCL)
Other contributors:
Clive Seddon (Pinsent Masons)
Vicky Cooper (Pinsent Masons)
Sarah Williams (Pinsent Masons)
Miguel Valdes (Garrigues)
Sergio Morales Arias (Garrigues)
The LEGAL-IST Consortium:
ESoCE – European Society of Concurrent Engineering (I)
Loughborough University, Civil and Building Engineering Department (U.K.)
Centre of International and European Economic Law (Gr)
Alma Mater Studiorum – Universita di Bologna (I)
FIDAL (F)
J & A Garrigues, S.L. (E)
Kunz, Schima, Wallentin & Partner Rechtsanwälte (A)
Pinsent Masons (U.K.)
NRCCL – Norwegian Research Center for Computers and Law, University of Oslo (N)
Georg-August-Universität Göttingen Stiftung Öffentlichen Rechts (D)
CESPIM – Centro studi per l'innovazione d'impresa S.R.L. (I)
VTT – Valtion Teknillinen Tutkimuskeskus (Fi)
CETIM – Center for Technology and Innovation Management GmbH (D)
IBM – International Business Machines BELGIUM (B)
Platte Consult (D)
Abstract
Foreword
1 Executive summary
1.1 Relation to other IST projects and benefits for the stakeholders
1.2 Data protection law
1.3 Networked organisations and data protection law
1.4 Identity management and data protection law
1.5 Recommendations for networked organisations
1.6 Recommendation for organisations setting up an identity management system (IMS)
1.7 Recommendations for the EU Commission
1.7.1 Recommendations regarding networked organisations
1.7.2 Recommendations regarding IMS
1.8 Agreements between the parties to reflect their status
2 Introduction
2.1 Available material, resources and projects on IMS
2.2 Relevance and usability of study in IST
2.3 Structure of this report
3 General duties under data protection laws
3.1 Application of the Data Protection Directive
3.1.1 Territorial application
3.1.2 Key Definitions
3.2 Roles and responsibilities
3.2.1 Controller
3.2.2 Processor
3.2.3 Public electronic communications network provider
3.2.4 Public electronic communications service provider
3.2.5 Data subject, subscriber and user
3.3 Criteria for lawful data processing
3.3.1 Personal data
3.3.2 Sensitive data
3.3.3 Traffic data
3.3.4 Location data
3.4 Information to be provided
3.5 Data quality
3.6 Data subject's rights
3.7 Notification and entry in the register
3.8 Security
3.9 International movement of data
3.9.2 Adequacy
3.9.3 Derogations
3.9.4 Contractual safeguards
4 Networked organisations and data protection law
4.1 Networked organisations
4.1.1 Virtual communities of companies
4.1.2 Virtual Organisation
4.1.3 The Virtual Enterprise
4.1.4 Professional Virtual Communities
4.1.5 Aims of networked organisations
4.2 Who is/are the data controller(s)?
4.2.1 Criteria for determining who is controller
4.2.2 Controller models
4.2.3 Establishing the type of multiple data controller relationship
4.2.4 Single Controller
4.2.5 Collaborating single controllers
4.2.6 Partly joint controllers
4.2.7 Full scope joint data controllers
4.2.8 Vertical and horizontal relationship between data controllers
4.2.9 Implications of being joint data controllers
4.2.10 Contractual issues
4.3 International networked organisations
4.3.1 Data controller(s) established in one EEA Member State
4.3.2 Data controller(s) established in two or more EEA Member States
4.3.3 Data controller(s) established outside the EEA area
5 Identity management systems ("IMS")
5.1 Introduction
5.1.1 Key processes in identity management
5.1.2 Types of data involved in identity management
5.2 Models for identity management
5.2.1 Own-device or proxy-based identity management
5.2.2 Single-organisation single sign-on
5.2.3 Multi-organisation single sign-on (e.g. Microsoft .NET Passport)
5.2.4 Federated identity management (e.g. Liberty Alliance)
5.3 Other identity management systems and applications
5.4 Evaluation of existing IMS
5.5 Research on privacy-enhancing identity management
6 Centralised and federated IMS
6.1 Centralised multi-organisation single sign-on
6.1.1 Microsoft .Net Passport
6.1.2 Structure and registration procedure of the service
6.1.3 Data processed and disclosed
6.2 Federated identity management
6.2.2 Legal framework for federated identity management
6.2.3 Liberty Alliance's approach to privacy
7 Data protection issues related to networked organisations utilizing IMS
7.1 Data protection risks
7.2 Government built IMS
7.3 Roles and responsibilities
7.3.1 .Net Passport
7.3.2 Liberty Alliance Circles of Trust (CoT)
7.4 Criteria for lawful processing
7.4.1 .Net Passport
7.4.2 Liberty Alliance
7.5 Information to be provided
7.5.1 Information about identity management services
7.5.2 Information requirements in national laws
7.5.3 Towards more uniform information requirements
7.6 Proportionality and quality of the data
7.7 Data subject's rights
7.8 Information security
7.9 International movement of data
8 Conclusions and recommendations
8.1 Recommendations for networked organisations
8.2 Recommendation for organisations setting up an identity management system (IMS)
8.3 Recommendations for the EU Commission
8.3.1 Recommendations regarding networked organisations
8.3.2 Recommendations regarding IMS
9 References
10 Appendix A: Case studies
11 Appendix B: Example of identity federation user experience
12 Appendix C: Example of single sign-on user experience
13 Appendix D: Identity federation and single sign-on based on "opaque handles"
14 Appendix E: Acronyms and abbreviations
Previously published in the Complex series
Today, we are expected to remember a different user name and password for almost every organisation or domain we want to access on the Internet. Identity management seeks to solve this problem by making digital identities transferable across organisational boundaries. The basic idea is that the participating organisations will set up a collaboration (or circle of trust) which involves both identity providers and other service providers. However, there is a risk that identity management may reduce the users' level of privacy: Can the collaborating organisations collect personal information and create a profile which includes the user's interaction with all collaborators? Who is responsible for the processing of personal data if many organisations collaborate? How can the user make informed decisions and consent to the processing of his data? This report seeks to address these issues from the perspective of European data protection law.
Thomas Olsen and Tobias Mahler are research fellows at the Norwegian Research Center for Computers and Law (NRCCL). This report was written in collaboration with the law firms Pinsent Masons (UK) and Garrigues (Spain) in the framework of the Legal-IST project (www.legal-ist.org). The project, funded by the European Commission under the 6th framework programme, aimed to support the research in the Information Society Technologies (IST) priority by studying the legal implications of current research initiatives.
This report was written in the framework of the Legal-IST project, which was funded by the European Commission under the IST priority of the 6th framework programme. The project aims to support the research in the IST priority from a legal point of view, by studying the legal implications of current research initiatives. A number of on-going European research projects deal with identity management. Moreover, many research projects seek to develop technology to support collaboration between organisations. Hence, the present report aims at discussing the implications of data protection law on the use of identity management systems by multiple organisations. The intended audience includes both non-lawyers and law professionals with a particular interest in identity management systems.
This book represents an abbreviated version of the Legal-IST report on privacy and identity management, which is available at the project's web site (www.legal-ist.org). The report was completed in November 2005 and reflects the authors' understanding of the matter as of that date. In the meantime, both the technology and the law have evolved further. For example, Microsoft has discontinued the use of the name .Net Passport, which now is referred to as Windows Live ID. We anticipate that the evolution of identity management systems will continue and that new systems, like Microsoft's CardSpace, will have an impact on the protection of the users' personal data. Nevertheless, we are confident that the principal findings of this report continue to be relevant.
Some of the recent changes in law and technology have been addressed in an article that expands on our contribution to this report: Olsen, Thomas and Mahler, Tobias, Identity management and data protection law: Risk, responsibility and compliance in 'Circles of Trust', Computer Law & Security Report, Volume 23, Issues 4 and 5, 2007.
The nature of this research has required the authors of this report – all lawyers – to address and understand technological and organisational issues and business models which are subject to discussion in other disciplines. We are therefore more than grateful for the inter-disciplinary focus and participation in the Legal-IST project. We would like to thank all co-authors and all partners in the project for their useful contributions and comments to this research. Moreover, we would like to thank our colleagues at the NRCCL for inspiration and support while writing this report.
Oslo, August 2007
Thomas Olsen Tobias Mahler
The study covers three aspects, which are of core importance to the Information Society Technologies domain, namely the protection of privacy, the uptake of new technologies and the new business models that are facilitated through these technologies.
Privacy is a fundamental right, recognised not only on the European level.
Privacy is also recognised – on the basis of various international surveys – as a precondition for enhancing trust and thus growth of e-commerce activities.
Privacy is also recognised by EU Ministers as a precondition for e-government services. On the one hand, privacy is becoming a part of the European social and legal culture, but on the other, new electronic products, services and methods may affect privacy. Privacy concerns may even inhibit the uptake of certain technologies, as the failure of Microsoft's intended general use of the .Net Passport identity management system shows. Identity management can be understood1 as an integrated system of business processes, policies and technologies that enable organizations to facilitate and control their users' access to critical online applications and resources — while protecting confidential personal and business information from unauthorized users. It represents a category of interrelated solutions that are employed to administer user authentication, access rights, access restrictions, account profiles, passwords, and other attributes supportive of users' roles/profiles on one or more applications or systems. Single sign-on and federated identity management represent the most business-driven solutions for letting customers have access to multiple web sites and resources after a single authentication procedure. Federated identity management consists both of a technology that facilitates the communication of identification data and of a network of collaborating organisations, which allows the creation of new collaborative business models.
Identity management systems (IMS) and particularly privacy-enhancing IMS present an important research focus for many European research projects and for international collaborations. The technologies that currently are under development and the way these will be implemented will probably have a major impact on the way we will communicate and collaborate through the Internet in the future. It is therefore important that researchers and those implementing the technologies are aware of the legal framework.
Due to the focus on privacy and data protection, the study does not address other relevant legal issues that may arise in relation to IMS systems. For example, there may be liability issues, which fall outside the scope of this report. Moreover, the legal framework for digital signatures and PKI (Public Key Infrastructure) is relevant, but cannot be addressed here. Particular legal issues may also arise from the use of technologies such as RFID and biometrics.
1 See e.g. http://en.wikipedia.org/wiki/Identity_management.
1.1 Relation to other IST projects and benefits for the stakeholders
The study's focus on organisational collaboration is complementary to other research projects in the IST domain, particularly the integrated projects PRIME and GUIDE. GUIDE is conducting research and technological development with the aim of creating an architecture for secure and interoperable e-government electronic identity services and transactions for Europe. PRIME is focusing on the design and development of practical, federated IMS that effectively and reliably enforce privacy. Compared to these projects, the Legal-IST study focuses more on identity management in the context of collaborating controllers and on compliance with data protection law using readily available IMS.
This double focus on data protection aspects of organisational collaboration as well as on data protection aspects of identity management technologies is the essentially new contribution made by this Legal-IST study.
The aim of the study is to assist networked organisations and identity management networks:
• by facilitating an understanding of general privacy and data protection issues;
• by highlighting how the responsibility for compliance with data protection law can be administrated in a network;
• by analysing the data protection issues in relation to example IMS solutions; and
• by providing example contract clauses that can be taken as a point of departure for more specific clauses in a particular network.
1.2 Data protection law
Data protection laws include a number of requirements for collaboration between members of a network of organisations and businesses. The study reviews the general duties under European data protection law and highlights how these duties apply to networked organisations. A major part of the study is a detailed analysis of data protection issues in the context of collaborating data controllers. Another major part of the study is on the specific legal issues of collaboration through the means of IMS.
[Figure 1: diagram with the root "Privacy and Data Protection Law" and the labels "Data Protection in ICT Networks", "General Data Protection", "Data Export to Third Countries", "Civil Protection of Privacy" and "Specific Problems" (the last covering "Identity management", "Cookies" and "Data Mining and Warehousing").]
Figure 1. Privacy and data protection – structure amended from Legal-IST D01, figure 14.
The study addresses a number of sub-areas identified in the Legal-IST report "Legal research state-of-the-art" (D01), in particular issues related to data protection in ICT networks and international data flow including data export to third countries. Identity management can be envisaged as a specific problem related to these areas.
The point of departure in the study has been to analyse such data controllers' duties under EU data protection law. Since the Data Protection Directive (95/46/EC) and the E-communications Directive (2002/58/EC) provide for harmonisation of the data protection laws in the EU and European Economic Area (EEA)2, our analysis of these instruments reflects the legal situation in the EU/EEA Member States. National laws in the UK, Spain and Norway have been analysed on specific issues where the Directives do not provide much guidance or are unclear, e.g. on the legal aspects of jointly controlling the processing of personal data. The analysis of these national laws shows that there are some divergences with regard to how the directives have been implemented. Controllers should therefore always consider the relevant national law and practice, and if necessary seek legal advice regarding their specific needs.
1.3 Networked organisations and data protection law
The term "networked organisation" is not a firmly established concept. The term is used in parts of the literature to cover a variety of collaborations between different organisations.3 The term is meant to cover different forms of collaboration between organisations, including Virtual Communities of Companies, Virtual Organisations, Virtual Enterprises and Professional Virtual Communities.
2 The EEA consists of the EU Member States and the EFTA Member States Norway, Iceland and Liechtenstein.
From an organisational perspective there are different degrees of collaboration between organisations. A very limited collaboration may consist in the mere occasional exchange of information; a more advanced collaboration may involve the sharing of some responsibilities in selected aspects; a full collaboration would entail the sharing of all responsibilities. As soon as such collaborations involve the processing of personal data, collaborators must be aware of their responsibilities in relation to their use of personal data.
Different degrees of collaboration need to be reflected in the roles that are available under European data protection law. Some collaborators in a networked organisation may be restricted to the processing of personal data on behalf of others (data processors). Other collaborators may qualify as responsible data controllers. Networked organisations processing personal data can therefore also be understood as networks of data controllers and data processors. Our main focus is directed at the data controllers, since they determine the purposes and means of the data processing and bear the main responsibility for compliance with data protection law.
According to Article 2(d) of the EC Data Protection Directive, the processing of personal data can be carried out either alone or jointly. This allows for different forms of collaboration, which are illustrated in figure 2.
[Figure 2: the horizontal axis "Degree of collaboration" runs from "Alone" to "Jointly". Placed along it are: single controller; collaborating single controllers; partly joint controllers; full scope joint controllers; and data processor(s) working for a controller.]
Figure 2. Collaboration between data controllers.
3 Camarinha-Matos, L and Afsarmanesh, H, Collaborative networked organizations: a research agenda for emerging business models (Springer New York 2004), p. 10.
1.4 Identity management and data protection law
The focus of identity management is on how to rationalise pre-registration, authentication and authorisation procedures. Before the creation of the Internet, most organisations carried out identity management themselves. However, with the Internet came also the opportunity to have some of these processes performed by third parties. Many companies have seen the opportunity to rationalise by having common procedures and infrastructures. Even more important, however, is the opportunity companies have seen in providing customers easy access across company web sites. Single sign-on and federated identity management represent the most business-driven solutions for letting customers have access to multiple web sites and resources after a single authentication procedure.
Key benefits associated with federated identity management are:4
• Convenience to users as they can more seamlessly move between services using a single username/password pair;
• Cost savings for organisations arising from a shared scheme based on standardised, interoperable architecture;
• Possibilities for organisations to focus on their distinctive competencies by outsourcing authentication and identity management to professional identity providers;
• The possibilities of new business models:
  – organisations that already have significant customer bases can pass them on to other sites and gain referral and commission fees;
  – organisations and service providers may more easily get in contact with customers interested in their services;
• Support for sites to customise and personalise their services based on profiles associated with user accounts;
• Governments may simplify the access to services and applications, whether government to government, government to citizens or government to business.
The study introduces basic concepts, functions and models for identity management. The current status of identity management is shown both through an evaluation of available IMS and via perspectives taken by ongoing R&D projects focusing on privacy-enhancing identity management. The study discusses the two most prominent examples of identity management systems, Microsoft .Net Passport and the Liberty Alliance Project, with regard to compliance with data protection law. The study also provides contractual templates that can be taken as a point of departure for more specific clauses in a particular network using IMS.
4 See Roger Clarke, "Identity management", pp. 12-17. See also Liberty Alliance, "Business Benefits of Federated Identity" and "Benefits of Federated Identity to Government".
As emphasized e.g. by the Article 29 Working Party, it is important for the parties involved in an identity management network to set up clear contractual agreements that reflect roles and responsibilities. The report aims to assist collaborators by:
• facilitating an understanding of general data protection issues;
• highlighting how the responsibility for compliance with data protection law can be administrated in a network;
• analysing the data protection issues in relation to example IMS solutions; and
• providing example contract clauses that can be taken as a point of departure for more specific clauses in a particular network.
1.5 Recommendations for networked organisations
• Data protection issues should be addressed at an early stage of network development if the networked organisation will handle personal data.
• The business processes of the networked organisation should be analysed in order to identify data protection roles (data controller and data processor). Consider in particular if there will be instances of joint processing or if all processing will be carried out by separate controllers. Data controllers should consider if they in fact are jointly determining the means and purposes of the processing. Parties should also be aware of the possibility that the network operations involve more than one processing, and that the different instances of processing may have different controllers.
• If the business process analysis indicates that there may be instances of joint processing, be aware that there may be considerable differences in national laws with respect to how data protection authorities regard joint processing. In many countries the principle of purpose limitation (personal data shall only be used for legitimate and specified purposes and shall not be further processed for purposes incompatible with the purposes for which the data are first collected) may be considered as a limiting factor for the possibility to choose a collaboration structure involving joint processing.
• Joint controllers should define clear roles and responsibilities with regard to the processing of personal data. It is of particular importance to ensure that data subjects are provided with relevant information about the processing and that the joint controllers in practice are able to fulfil their responsibilities, e.g. to facilitate the execution of the data subject's right to access his or her personal data. Networked organisations should consider whether one of the joint controllers should be responsible for fulfilling these more practical tasks.
• For all relations between data controllers and data processors the law requires a contract that makes the responsibilities explicit. We recommend that collaborating data controllers also set up such contracts. Templates are provided in the appendices of the report.
1.6 Recommendation for organisations setting up an identity management system (IMS)
To a certain degree the design of an IMS will involve the establishment of a network of organisations. Hence, the above recommendations regarding networked organisations should equally be considered when setting up an IMS.
• Data protection issues should be addressed at an early stage of network development since the identity management system in most cases will handle personal data.
• The parties setting up an IMS are themselves responsible for compliance with data protection law. The use of standards and specifications like those provided by Liberty Alliance does not necessarily ensure compliance with data protection law.
• Those defining specifications for identity management are usually not responsible controllers or processors under data protection law. Hence, they are in most cases not legally responsible for compliance, but they should nevertheless ensure that the specifications facilitate the development of compliant systems.
• Organisations setting up an IMS should be aware of the roles they will play in the network. In particular they should consider if they will act as data controllers, data processors or both. Particular attention should also be given to the roles defined in the E-communications Directive, i.e. public electronic communications network and service providers.
• The end users of the identity management system should be provided with relevant information about its functioning and the responsibilities of the participating organisations.
1.7 Recommendations for the EU Commission
1.7.1 Recommendations regarding networked organisations
• The EC Data Protection Directive (95/46/EC) and the E-Communications Directive (2002/58/EC) provide a general framework that is adequate for networked organisations. Both directives define roles that are relevant for organisations participating in a network where personal data is handled. In practice, a networked organisation will consist of collaborations between separate controllers and joint controllers, and all of these may outsource some work to processors. Amongst these forms of cooperation, the concept of joint data controllers appears as the most problematic. The Data Protection Directive does not clearly define rules for joint processing, and there seem to be considerable differences in national laws and with respect to how data protection authorities regard joint processing. Hence, the role of joint processing under European data protection law should be reconsidered.
• While the concept of joint processing should not necessarily be abolished, we consider that there is a need for clarification.
• Future research should focus on experiences with and consequences of joint processing. Such research could e.g. examine whether and how organisations manage to set up a suitable framework for joint processing and how the division of responsibilities affects data subjects and is perceived by them.
1.7.2 Recommendations regarding IMS
• IMS may prove to be important cornerstones in the architecture of communication between individuals and multiple service providers. Both design and actual implementation have a high potential impact on the privacy consequences of such systems. If data protection issues are ignored, this may have significant consequences for the involved users, since such systems may facilitate the accumulation of detailed profiles of their use of digital identities. This may in turn have a negative impact on the uptake and acceptance of the IMS, as illustrated by the Microsoft .Net Passport case.
• Some of the challenges in IMS may be solved by giving research on privacy-enhancing identity management a continued high priority.
• The European legal framework for data protection law provides mainly adequate rules for setting up an identity management system that ensures fair processing of personal data. However, the rather general rules are difficult to apply; it is e.g. difficult to map the roles defined in data protection law onto the roles included in a typical IMS, involving e.g. identity providers, attribute providers and service providers.
• European data protection law applies to the processing of personal data, while the handling of anonymous data in principle falls outside its scope.
• A third concept, which is of particular importance in relation to IMS, is pseudonymity. This concept has a rather unclear position in European data protection law, and only a few, mostly national, rules refer to the concept. It is in practice difficult to determine whether pseudonyms should be considered as personal data. The examples from the studied identity management frameworks illustrate that the concept of pseudonymous data spans from a globally unique identifier, which is broadly available in a multi-organisation IMS, to an opaque handle (as defined by Liberty Alliance), which is available only to a limited set of service providers (normally two) and which can only be understood by those. One of the most important safeguards against extensive and privacy-intrusive profiling is to prevent the possibility of merging local profiles from different domains. The use of pseudonyms is useful to ensure that users are not identifiable by third parties, while they still may be identified and held responsible by a trusted party when identification is justified. From a privacy perspective it would be advantageous to
  – further encourage the development and use of anonymous and pseudonymous services,
  – clarify the normative status of pseudonymity, and
  – provide clearer rules about the use of pseudonyms.
• The further development of IMS should be closely followed by the Art. 29 Working Party. A general challenge for national and international supervisory authorities is that they have competence to review only the implementations of information systems. At that point in time, the underlying specifications that define the functioning of the system are already set and may be difficult to amend. This emphasizes the need to consider data protection issues at an early stage of development.
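The contrast drawn in the recommendation on pseudonymity above, between a globally unique identifier shared across a multi-organisation IMS and an opaque handle that only one identity provider and one service provider can interpret, can be made concrete in code. The following Python script is an added example; it is not part of the original report and is not code from Liberty Alliance or Microsoft. The user account, the two service providers, the identity provider's key and the activity records are constructed for illustration, and deriving each handle with a keyed hash is this example's own choice (a federation may instead draw a random handle per identity-provider/service-provider pair and store the mapping; the linkage property demonstrated is the same either way).

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample data (not taken from the report): one user known to an
# identity provider (IdP) and two service providers (SPs) in one circle of trust.
USER_ID = "alice@example.org"         # hypothetical account identifier at the IdP
SP_A = "https://shop.example.com"     # hypothetical service provider A
SP_B = "https://news.example.net"     # hypothetical service provider B
IDP_SECRET = b"idp-pseudonym-key-constructed-for-this-example"  # hypothetical key


def global_identifier(user_id: str) -> str:
    """Centralised model: the same identifier is handed to every SP."""
    return user_id


def opaque_handle(idp_secret: bytes, user_id: str, sp_id: str) -> str:
    """Pairwise pseudonym: a value meaningful only for one (IdP, SP) pair.
    Derived here with HMAC-SHA256 so the example is deterministic (assumption:
    a real federation may instead store a random handle per pair). Without
    idp_secret an SP can neither derive nor correlate handles."""
    msg = f"{user_id}\x00{sp_id}".encode()
    return hmac.new(idp_secret, msg, hashlib.sha256).hexdigest()[:32]


def local_profile(sp_id: str, identifier: str, activity: list) -> dict:
    """What an SP stores about the user under the identifier it received."""
    return {"sp": sp_id, "id": identifier, "activity": list(activity)}


def merged_profile(profile_a: dict, profile_b: dict) -> Optional[dict]:
    """Two SPs try to pool their records. The join succeeds only if both hold
    the same identifier for the user; otherwise no merge is possible."""
    if profile_a["id"] != profile_b["id"]:
        return None
    return {"id": profile_a["id"],
            "activity": profile_a["activity"] + profile_b["activity"]}


def resolve_handle(idp_secret: bytes, handle: str, sp_id: str,
                   known_users: list) -> Optional[str]:
    """Accountability path: the trusted IdP can still map a handle back to a
    user when identification is justified, by re-deriving over its own user
    table. A party without the key (e.g. another SP) gets nothing."""
    for user in known_users:
        if hmac.compare_digest(opaque_handle(idp_secret, user, sp_id), handle):
            return user
    return None


def demo() -> dict:
    """Run both models on the constructed data and report what each allows."""
    shopping = ["viewed product 42", "bought product 42"]   # constructed records
    reading = ["read article on health insurance"]          # constructed records

    # 1. Global identifier: SP A and SP B can merge their local profiles.
    gid = global_identifier(USER_ID)
    linked = merged_profile(local_profile(SP_A, gid, shopping),
                            local_profile(SP_B, gid, reading))

    # 2. Opaque handles: each SP gets a different pseudonym, so no merge.
    handle_a = opaque_handle(IDP_SECRET, USER_ID, SP_A)
    handle_b = opaque_handle(IDP_SECRET, USER_ID, SP_B)
    unlinked = merged_profile(local_profile(SP_A, handle_a, shopping),
                              local_profile(SP_B, handle_b, reading))

    return {
        "global_profile_merged": linked is not None,
        "opaque_handles_differ": handle_a != handle_b,
        "opaque_profile_merged": unlinked is not None,
        "idp_resolves_handle_a": resolve_handle(
            IDP_SECRET, handle_a, SP_A, [USER_ID, "bob@example.org"]),
        "other_party_resolves_handle_a": resolve_handle(
            b"not-the-idp-key", handle_a, SP_A, [USER_ID]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows that two service providers holding the same global identifier can join their records into one cross-domain profile, that pairwise opaque handles defeat that join even though both providers serve the same person, and that only the party holding the identity provider's key can map a handle back to the user, which is the "identifiable by a trusted party when justified" property the recommendation describes.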
1.8 Agreements between the parties to refl ect their status
A more comprehensive version of this report is available from the Legal-IST project’s web site (www.legal-ist.org). The latter report includes appendices which were omitted here, and seeks to provide examples of contractual provi- sions which can be used in collaborations to allocate responsibility for proces- sing personal data according to European data protection laws. These templa- tes cover the relationships between the following parties:
(i) Data controller and data controller (Appendix F);
(ii) Joint data controllers (Appendix G); and
(iii) Data controller and data processor (Appendix H).
Appendix I sets out commentary to these template agreements.
It should be noted that the templates have been drafted from an English law perspective and will need to be adapted to other national laws.
The focus of this study is on privacy and data protection aspects of networked organisations and on the use of identity management technologies. The relationship between networked organisations and identity management can be examined at various levels. First, identity management can be utilized by networked organisations in order to facilitate communication both within the network and with third parties. Second, identity management involves some aspects of networking of organisations, since it is based on the communication and exchange of identification data between different organisations in a network. Therefore, from a structural perspective both network phenomena can be seen as collaborations between organisations involving the exchange, and possibly pooling, of information. Such networks must comply with data protection laws to the extent that the exchanged or pooled information is classified as personal data.
In principle, both networked organisations and organisational networks to facilitate identity management may involve the processing of personal data, particularly if the networks are set up to serve consumers. From a data protection perspective, the main issue to be addressed in both types of networks is how the responsibility for processing personal data can be shared among the participants and the degree to which a network participant is legally responsible for collective processing of personal data.
This study provides an analysis of the networking parties’ duties and roles under data protection law and provides guidelines and model contracts to comply with the legal framework. The European data protection framework for collaborative networks is highlighted, including selected recommendations of the Article 29 Working Party of the European Directive on Data Protection.
2.1 Available material, resources and projects on IMS
A number of studies have dealt with technological and legal aspects of IMS and a number of projects focus on the technological aspects of identity management.
One of the most helpful studies on identity management is the ICPP and SNG study.5 This study concentrates on the relationship of an individual to an organisation and emphasises the user’s ability to control the disclosure of personal data. The study introduces the term identity management applications (IMA) for the technical administration of identities. The term identity management systems (IMS) is reserved for the collection of technologies and processes in which IMA are embedded. It concludes that identity management applications are still at an early phase and there are still no multi-purpose applications.
5 Independent Centre for Privacy Protection (ICPP) and Studio Notarile Genghini (SNG) Identity Management Systems (IMS): Identification and Comparison Study (2003). (Hereinafter ICPP and SNG 2003) http://www.datenschutzzentrum.de/idmanage/study/ICPP_SNG_IMS-Study.pdf
The study is built on four pillars:
1. Basis and requirements for IMS, which are elaborated from sources of academic literature and business information;
2. Usage scenarios, which show the practical relevance and additional requirements of IMS in various contexts;
3. Analysis of presently available IMA;
4. Survey on expectations on IMS, which was conducted among experts worldwide.
Another comprehensive study on IMS has been carried out by Roger Clarke.6 This study reviews the various possible architectures of identity management and evaluates prominent examples of current IMS. A particular focus in the study is on the tension between the currently dominating and often business oriented supply-side and the user demand-side of identity management.
The Liberty Alliance Project has issued a number of documents, which were of core importance for this report’s understanding of federated identity management. The Liberty Alliance Project is a consortium of more than 150 organisations worldwide working together to create open, technical specifications for federated network identity. These specifications, which are available for any organisation to download and incorporate into products and services, provide:
• Simplified sign-on capabilities using a federated network identity architecture that supports all current and emerging network access devices.
• Permissions-based attribute sharing to enable organisations to provide users with choice and control over the use and disclosure of their personal information.
• A commonly accepted platform and mechanism for building and managing identity-based web services based on open industry standards.
We were able to discuss our approach with representatives from the Liberty Alliance project at the “Identity management IdM 2005” conference held in Oslo on 22 June 2005. A number of representatives from industry and research, not only related to Liberty Alliance, attended and spoke at the conference. This proved useful in confirming the approach taken towards identity management in our study.
6 Clarke, Roger “Identity management – The technologies, their business, their problems, their prospects”, March 2004.
The Article 29 Working Group has adopted a document on “online authentication services” which analyses both Microsoft .Net Passport and the Liberty Alliance project.7 Even though the document most directly deals with these two authentication services, many of the comments are formulated in general terms, which makes them applicable to other similar identity management systems.
A number of on-going research projects in the IST area focus on identity management. Of particular interest to this study are the integrated projects PRIME and GUIDE.
• GUIDE is conducting research and technological development with the aim of creating an architecture for secure and interoperable e-government electronic identity services and transactions for Europe. In order to establish a link with GUIDE, we attended the presentation of the GUIDE project at the eChallenges conference 2004 and we had regular contact with legal researchers in the project. However, when finalizing this Legal-IST study, the results of the legal research carried out by GUIDE were still not published; they were still considered project confidential by GUIDE and thus not available for the Legal-IST study.
• The main contribution of PRIME will be the design and development of practical, federated IMS that effectively and reliably enforce privacy. Instead of merely enabling privacy by providing the components needed to build privacy-friendly solutions, PRIME will enhance privacy by showing how to combine these components into specific and integrated privacy-enhancing solutions. The PRIME framework v.1.0, which was made available just before submission of this Legal-IST study, also discusses legal issues including the foundations of privacy in EU law, privacy-enhancing technology, anonymity, trusted computing platforms, biometrics, eHealth, ambient intelligence and the PRIME scenarios.
These projects’ approach is described in more detail in Appendix D and is further discussed below in section 5.5. Compared to these projects, this Legal-IST study focuses more on identity management in the context of networked organisations, which are of core importance to Legal-IST. This study’s focus on organisational collaboration is complementary to the issues discussed in GUIDE and PRIME.
7 Article 29 Working Party “Working Document on on-line authentication services”, January 2003. http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2003/wp68_en.pdf
The LSE Department of Information Systems has issued a report entitled “The Identity Project – An assessment of the UK Identity Cards Bill and its implications”, particularly dealing with government-based identity management systems.8 The Report concludes that the establishment of a secure national identity system has the potential to create significant, though limited, benefits for society. However, the proposals currently being considered by the UK Parliament are, according to the LSE report, neither safe nor appropriate.
In addition to the UK proposal, the report also refers to national plans in other countries, e.g. France. The LSE report also discusses federated IMS based on the Liberty Alliance specifications. However, it is critical of the direct utilization of these specifications for government-built systems, and makes an independent suggestion involving cryptographic technologies.
2.2 Relevance and usability of study in IST
This study covers three aspects, which are of core importance to the Information Society Technologies domain, namely the protection of privacy, the uptake of new technologies and the new business models that are facilitated through these technologies.
• Privacy is a fundamental right, recognised not only on the European level.
• Privacy is also recognised – on the basis of various international surveys – as a precondition for enhancing trust and thus growth of e-commerce activities.
• Privacy is also recognised by EU Ministers as a precondition for e-government services.
On the one hand, privacy is becoming a part of the European social and legal culture, but on the other, new electronic products, services and methods may affect privacy. Privacy concerns may even inhibit the uptake of a certain technology, as the failure of Microsoft’s intended general use of the .Net Passport identity management system shows. Identity management and particularly privacy-enhancing IMS is an important research focus for many European research projects and for international collaborations. The technologies that currently are under development and the way these are implemented will probably have a major impact on the way we will communicate and collaborate through the Internet in the future. It is therefore important that researchers and those implementing the technologies are aware of the legal framework. Federated identity management consists both of a technology that facilitates the communication of identification data and of a network of collaborating organisations, which allows the creation of new collaborative business models.
8 The Identity Project - An assessment of the UK Identity Cards Bill and its implications, LSE, Version 1.09, June 27, 2005, http://is.lse.ac.uk/idcard/identityreport.pdf.
As emphasized e.g. by the Article 29 Working Group, it is important for the parties involved in an identity management network to set up clear contractual agreements that reflect roles and responsibilities. This report aims to assist collaborators:
• by facilitating an understanding of general data protection issues;
• by highlighting how the responsibility for compliance with data protection law can be administrated in a network;
• by analysing the data protection issues in relation to example IMS solutions;
• and by providing example contract clauses that can be taken as a point of departure for more specific clauses in a particular network.
2.3 Structure of this report
This report is structured as follows:
• Section 3 provides a general introduction to legal duties under data protection law;
• Section 4 discusses data protection issues in relation to collaborative networked organisations;
• Section 5 introduces identity management systems, including their key processes, available models and systems, how currently existing IMS have been evaluated and what current R&D projects focus on;
• Section 6 presents and discusses centralised versus federated IMS, based on the Microsoft .Net Passport IMS and on the Liberty Alliance Specifications; and
• Section 7 analyses data protection issues in relation to the IMS, focusing on government based solutions involving national identification numbers and discussing the IMS presented in section 6 with a particular focus on roles and responsibilities, criteria for lawful processing, information to be provided, proportionality and quality of the data, data subjects’ rights and the international movement of data and a summary of data protection implications of IMS.
Additional information is given in the Appendices:
• Appendix A provides case studies relevant for section 4;
• Appendix B gives an example of identity federation user experience;
• Appendix C gives examples of single sign-on user experience;
• Appendix D explains the use of “opaque handles” in the Liberty specifications to provide identity federation and single sign-on;
• Appendix E provides a glossary of acronyms.
Data protection in Europe is governed by Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Data Protection Directive”). This directive came into force on 13 December 1995 and the deadline for implementation into each European Economic Area (EEA) Member State’s national law was 24 October 1998. As with all national legislation derived from European law, individual Member States will interpret the Data Protection Directive in slightly different ways. When reviewing data protection issues, consideration should be given to the national data protection legislation passed in the country concerned as well as the Data Protection Directive. However, for the purposes of this report we have focused primarily on the Data Protection Directive.
The aim of the Data Protection Directive is to reconcile privacy protection with the free flow of trade. In particular, it sets out requirements for legitimate processing of personal data and requires that specific controls be afforded to sensitive data. There are requirements relating to the quality of the data and the legitimacy of the data processing. The Data Protection Directive also provides for extensive individual rights, not least the rights of access and rectification, and restricts trans-border data flows outside the EEA to those states without adequate protection. It also significantly strengthens security requirements for processing.
There are a number of specific exemptions and restrictions set out in the Data Protection Directive. These are not dealt with in any detail in this report. Suffice it to say that the scope of the principles relating to the quality of the data, information to be provided to the data subject, right of access and the publicising of processing may be restricted in certain circumstances. Such circumstances include the interests of national security, public security, the prosecution of criminal offences, important economic or financial interests of a Member State or the EU or the protection of the data subject.
While the main focus of this report is on the Data Protection Directive, we will also analyse the most relevant provisions of Directive 2002/58 concerning the processing of personal data and the protection of privacy in the electronic communications sector (the “E-communications Directive”). The E-communications Directive provides specific rules for the processing of data related to provisioning of services over electronic communications networks (e.g. traffic and location data) and the information security requirements in such networks.
The EU Commission issued its first report on the implementation of the Data Protection Directive into national law in 2003.9 The main conclusions of the report are that many Member States have been slow in transposing the Data Protection Directive into national law and that there are some divergences on how the provisions have been implemented. These and other findings in the report will be presented in more detail later in the report. In addition, reference will be made to the recommendations by the Article 29 Working Party (“the Working Party”). The Working Party is an independent European advisory board on data protection comprised of representatives from the supervisory authorities in the EEA Member States. The Working Party’s tasks, which are described in Articles 29 and 30 of the Data Protection Directive and in Article 15 of the E-Communications Directive, include contributing to the uniform application of the provisions in the two Directives. The recommendations and documents issued by the Working Party are given much weight by supervisory authorities and courts when interpreting the Data Protection Directive and the national provisions implementing the Data Protection Directive. Therefore, in the absence of other authoritative sources of law (e.g. clear legal provisions, case law or practice by the supervisory authorities) the recommendations by the Working Party should be given considerable weight when determining the data protection law applicable to networked organisations utilizing identity management systems.
3.1 Application of the Data Protection Directive
3.1.1 Territorial application
Article 4 of the Data Protection Directive establishes the rules for determining which Member State’s law applies to processing. The general rule is that a controller who is established in an EEA state must follow the national law applicable to the place in which he is established. If the controller has establishments in more than one EEA state he must follow the relevant national law. The concept of establishment is therefore important since data protection requirements may differ from Member State to Member State. Article 4 also provides for a Member State’s law to apply where the controller is established outside the EU, even though this may be difficult to enforce.
9 The EC Commission’s First report on the implementation of the Data Protection Directive: http://europa.eu.int/comm/internal_market/privacy/lawreport_en.htm.
A key issue for this report relates to the complex situations that can be created by Internet use. It is unclear how Article 4 applies to such circumstances. In its working document “Privacy on the Internet”10, the Article 29 Data Protection Working Party identified a clear need to clarify the rule of the Data Protection Directive on applicable law (Article 4 paragraph 1 (c)), in particular in relation to on-line processing of personal data by a controller established outside the EEA. National data protection supervisory authorities are regularly requested to advise businesses and individuals on this subject. In its working document on «the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites», the Working Party suggests that the need to determine whether national law applies to situations with links to several countries is not specific to data protection, or to the Internet, or to the European Union. It is a general question of international law, which arises in on-line and off-line situations where one or more elements are present that concern more than one country. A decision is required on what national law is to be applied before a substantive solution can be developed.11
3.1.2 Key Definitions
Article 3 sets out the scope of the Data Protection Directive. It applies to data processed by automatic means (e.g. a computer database of customers) and data contained in or intended to be part of non-automated filing systems (i.e. traditional paper files). Not all paper files are caught by the Data Protection Directive. ‘Filing system’ is defined as any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis. The Data Protection Directive does not apply where a person processes data for purely personal or household activities, nor where the activity falls outside the scope of Community law, e.g. public security or defence.
Furthermore, the Data Protection Directive only applies where ‘personal data’ are being ‘processed’. Personal data are defined as data which relate to an identified or identifiable natural person. For example, most organisations will process personal data relating to employees, customers, suppliers and business contacts. These individuals are referred to in the Data Protection Directive as ‘data subjects’.
10 “Privacy on the Internet - An integrated EU Approach to On-line Data Protection”, WP 37, 21 Nov. 2000 http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2000/wp37en.pdf.
11 Working document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites – WP, 56, 30 May 2002 http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2002/wp56_en.pdf
‘Processing’ is defined widely to mean any operation, such as collection, recording, organisation, storage, erasure or even destruction.
3.2 Roles and responsibilities
One of the key decisions in analysing data protection responsibilities is determining the status of the parties involved. In particular, this involves deciding which parties are controllers and which parties are mere processors. Data protection law applies whenever a controller processes personal data. The obligations set out in the Data Protection Directive are obligations which are placed on the controller. This means that controllers have the responsibility for ensuring compliance with data protection legislation, both at a national level and with the Data Protection Directive.
3.2.1 Controller
Article 2(d) defines the controller as the person who determines the purposes and means of the processing of personal data. In other words, you will be a controller if the processing of personal data is undertaken for your benefit and you decide what personal data should be processed and why. A typical example of a controller is an employer.
3.2.2 Processor
Processors, on the other hand, are defined in Article 2(e) as the person who processes personal data on behalf of the controller. A common example is where an organisation appoints a third party IT company to provide IT services to that organisation on an outsourcing basis. In this circumstance, the organisation will be the controller (since it has decided to appoint the IT service provider) and the IT company is the processor, i.e. it acts on the instructions of the controller.
However, determining the status of the parties is not always so clear cut.
In some circumstances, for example in joint ventures where there may be a number of organisations purporting to operate as a single entity, it may be more suitable for those organisations to act as joint controllers of the personal data. The circumstances of each particular case will need to be considered. In section 4 we introduce a number of scenarios involving multiple data controllers, which will be analysed in the context of networked organisations and IMS networks.
3.2.3 Public electronic communications network provider
In addition to the Data Protection Directive, e-businesses need to consider the legislative impact of the E-communications Directive. This Directive introduces two central roles: the public electronic communications network provider and the public electronic communications service provider. These actors are responsible for the processing of traffic and location data, which will be explained in further detail below.
The public electronic communications network provider operates the public electronic communications network. Electronic communications network is defined in Article 2(a) of the Framework Directive12 and captures the operators of the relevant network infrastructure regardless of the technology used. The E-communications Directive applies only to “public” electronic communications networks, which excludes networks that are not made available wholly or mainly for provision of electronic communications services to the public (e.g. enterprise networks and other internal systems).
3.2.4 Public electronic communications service provider
The public electronic communications service provider offers electronic communications services to the public. An electronic communications service is defined in Article 2(c) of the Framework Directive as “a service normally provided for remuneration which consists wholly or mainly in the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting”.
This excludes services providing, or exercising editorial control over, content transmitted using electronic communications networks and services. It also excludes information society services,13 which do not consist wholly or mainly in the conveyance of signals on electronic communications networks. It is possible for entities to operate both as public electronic communications network provider and public electronic communications service provider, e.g. traditional telecommunications operators may both provide the network infrastructure and services on those networks to the public.
12 Directive 2002/21/EC on a common regulatory framework for electronic communications networks and services (“Framework Directive”).
13 See Article 1 of Directive 98/34/EC and the Electronic Commerce Directive 2000/31/EC.
3.2.5 Data subject, subscriber and user
The terms “data subject”, “subscriber” and “user” refer to persons or entities whose personal data should only be processed according to data protection law. A “data subject” is the identified or identifiable natural person to whom personal data relates. The term is used equally in both the Data Protection Directive and the E-communications Directive.
The terms “subscriber” and “user” are used in the E-communications Directive to refer to the person or entity that is a party to contracts with providers of electronic communications services or the users of such services. It should be noted that the “user” does not necessarily need to be the “subscriber” and that they both have certain rights under the E-communications Directive. For example in a company, the company may be the subscriber, whereas the employees are the users. If the user or subscriber is a natural person, he or she will also be a data subject under the two Directives.
3.3 Criteria for lawful data processing
As explained above, in order to process personal data lawfully, the controller must identify a ground which justifies the processing. The criteria for lawful processing depend on the kind of data that is processed, i.e. sensitive data, communications traffic or location data, or general personal data.
3.3.1 Personal data
Article 7 sets out the criteria for the lawful processing of personal data. The Data Protection Directive states that personal data may be processed only if the data subject has unambiguously given his/her consent or the processing is necessary:
(a) For the performance of a contract to which the data subject is party;
(b) For compliance with a legal obligation to which the controller is subject;
(c) In order to protect the vital interests of the data subject;
(d) For the performance of a task carried out in the public interest; or
(e) For the purposes of the legitimate interests pursued by the controller.
Article 7(e) is particularly useful for data controllers, especially those in the private sector (who may not be able to take advantage of some of the criteria listed above), because legitimate interests is such a wide concept. Some European jurisdictions (e.g. Spain) have not implemented this part of the Data Protection Directive, for constitutional reasons, which greatly limits the processing purposes that can be legitimised there. However, relying on this ground is subject to challenge by a data subject who can show that processing is nevertheless prejudicial to his rights or freedoms or legitimate interests.
Article 2 of the Data Protection Directive defines the data subject’s consent as “any freely given, specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”, and states that it should be given “unambiguously”. This definition can be broken down into four main components:
(a) “Informed” means the data subject must be provided with sufficient information about the processing of the data to allow him to make the decision to let the processing go ahead (i.e. the information listed in Article 10);
(b) The consent must be specific. The data subject must be informed of the specific processing activities proposed in order to be in a position to consent to them;
(c) The data subject must “signify his agreement” and do so “unambiguously”. This means that the data subject must do something positive to demonstrate consent. Silence or inaction will not suffice;
(d) Consent must be given “freely”. This means that the data subject must have the possibility of refusing processing. Unequal bargaining power may mean that the data subject does not have a real choice in the matter. The Article 29 Working Party, in its Opinion14 relating to the use of consent in the employer/employee relationship, goes so far as to say that effective consent can never be given by an employee in these circumstances.
Where the controller does not rely on consent, but instead relies on one of the other criteria for lawful processing, the Data Protection Directive states that the processing must be necessary. In the UK, a data controller can assume that «necessary» means «can only be achieved by». However, some European civil jurisdictions have adopted a more relaxed interpretation, treating necessary as «reasonably required».
Article 5 states that «Member States shall, within the limits of the Provisions of this Chapter, determine more precisely the conditions under which the processing of personal data is lawful». This suggests that Member States are limited to the scope of the Chapter II provisions in the Data Protection Directive (on the lawfulness of the processing of personal data) when deciding what is lawful, but it does not restrict them in defining further conditions under which the processing of personal data might be unlawful.
14 http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2001/wp48en.pdf
3.3.2 Sensitive data
Article 8 provides that it is generally forbidden to process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and information concerning health or sex life.
This provision has certain qualifications, so that it may be lawful to process such “sensitive” personal data in cases where:
(a) The data subject has given his/her explicit consent;
(b) Processing is necessary for the purposes of carrying out obligations and specific rights of the controller in the field of employment law in so far that it is authorised by national law for providing adequate safeguards;
(c) In order to protect the vital interests of the data subject;
(d) Processing is carried out by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; or
(e) The processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims.
Of these, conditions (a), (b) and (e) are of most use to businesses. If none of these conditions can be met, then the controller may not process sensitive data.
3.3.3 Traffic data
Article 2(b) of the E-communications Directive defines traffic data as “any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof”. The definition covers data such as call data, addressing or numbering data (e.g. IP-addresses or phone numbers), data relating to the routing, duration, time, protocol used or data generated for the purpose of billing.
Article 6(1) of the E-communications Directive generally provides that traffic data must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication. Processing of traffic data may only take place to the extent and duration necessary to fulfil the following specified purposes:
(2) For the purposes of subscriber billing and interconnection payments;
(3) For the purpose of marketing electronic communications services or providing value added services (i.e. processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a com-