Organisations tasked with certifying systems individuals use for inputting personally identifying information should have to abide by a “common set of security requirements”, an EU privacy body has said.
The European Data Protection Supervisor (EDPS) recommended that ‘trust service providers’, and those that issue individuals with electronic identification, should have to comply with a single set of data security standards under the EU’s proposed Electronic Trust Services Regulation.
The EDPS, an independent body which advises EU bodies such as the European Commission on privacy and data protection, made the recommendation in a new opinion [13-page 83KB PDF] on the terms of the draft Regulation.
“The EDPS considers that the proposed Regulation should establish a minimum set of requirements, in particular with respect to the circumstances, formats and procedures associated to security as well as the criteria, conditions and requirements, including the determination of what constitutes the state of the art in terms of security for electronic trust services,” it said.
The watchdog said that if common security requirements are not to be set out in the new laws, then provision should be put in place to allow the European Commission to “define where needed, through a selective use of delegated acts or implementing measures, the criteria, conditions and requirements for security in electronic trust services and identification schemes”.
Assistant EDPS Giovanni Buttarelli, who signed the opinion, said that the proposed new law should set out a requirement that trust service providers and electronic identification issuers should have to provide individuals who use their services with “appropriate information on the collection, communication, and retention of their data”. He added that those organisations should also have to provide individuals with “a means to control their personal data and exercise their data protection rights”.
He added that ‘privacy enhancing technologies’ (PETs) could be utilised “as enablers of trust by requiring that trust service providers and providers of identification services take PETs into consideration when defining an electronic service scheme”.
The European Commission proposed the draft Electronic Trust Services Regulation earlier this year in a bid to make it easier and more secure to complete e-commerce transactions across the EU without complication.
Currently lots of organisations operate electronic identification (e-ID) schemes to enable individuals to make online transactions. In some cases these organisations task third party companies to provide authentication of their services in a bid to provide security for users.
The Commission, though, wants individuals to be able to use their existing e-IDs for online transactions on similar schemes operated across the EU. Under its plans it wants EU Governments to “opt in” so that their e-ID schemes will be “mutually recognised” by other EU countries. In return for doing so those countries would be obliged to mutually recognise the schemes operated by the others who sign up to the scheme. Under the proposals EU Governments operating schemes would have to make sure that personal data is “attributed unambiguously to the natural or legal person” using the e-ID system.
As part of the plans the Commission has drafted laws around the way trust service providers should operate, but the EDPS has raised some data protection concerns around the proposals. It said that the trust service providers should be given a “set time limit” on how long they can legitimately retain individuals’ personal data.
Special attention for biometric data
The proposals should also be revised in order that the “data or categories of data will be processed for cross border identification of individuals” can be listed, whilst the EDPS also said that the amount of data categories included in an identification scheme should be minimised, with “special attention” given to biometric data.
“The Regulation should provide for … selective and partial disclosure of identity data, depending of the purpose for which the electronic identity is used for (for instance, a data subject that only needs to prove his/her age or that he/she lives in a specific town should not be obliged to disclose additional data),” Buttarelli added.
The watchdog said that safeguards around e-IDs should be as strong as is necessary to respond to the particular risks of those services for which they will be used.
“In the view of the EDPS, a competent authority issuing electronic identification means to interact with e-government services should be subject to higher security controls than a trust service provider issuing certificates to the clients of a supermarket in order to make their online shopping,” it added.
Buttarelli also stressed that e-ID schemes had to be interoperable, and claimed that the Regulation does not currently “include specific provisions detailing the mechanisms” to ensure this. He said interoperability of the schemes would improve the “effectiveness” of the Regulation.
“The EDPS recommends that the Regulation harmonises at least those aspects that are crucial for the interoperability, such as the data fields that will be used for identification of individuals, the security requirements and the data protection safeguards,” Buttarelli said.
The privacy watchdog also said that the draft Regulation should be altered so to include definitions of some terms relating to organisations’ data breach notification requirements.
The security requirements set out in the proposed Regulation require trust service providers to “without undue delay and where feasible not later than 24 hours after having become aware of it, notify the competent supervisory body, the competent national body for information security and other relevant third parties such as data protection authorities of any breach of security or loss of integrity that has a significant impact on the trust service provided and on the personal data maintained therein”.
The EDPS suggested that the Regulation could set out what is meant be the terms ‘breach of security’ and ‘loss of integrity’ whilst an explanation of ‘significant impact’ should also be included. It said those definitions “should be consistent with the obligations imposed on data controllers to mandatorily notify the national competent supervisory authorities of personal data breaches, and to notify individuals in case the data breach is likely to adversely affect them” under the terms of the EU’s Privacy and Electronic Communications Directive or the Commission’s proposed new data protection laws.
Copyright © 2012, Out-Law.com