D ata protection and smart cards
-
Upload
zaviera-nunez -
Category
Documents
-
view
30 -
download
1
description
Transcript of D ata protection and smart cards
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
11
DData protection ata protection andand smartsmart cardscards
Karel NeuwirtKarel Neuwirt
The Office for Personal Data ProtectionThe Office for Personal Data Protection
Czech RepublicCzech Republic
It is no accident that the European approach to protecting personal data is nowadays most widely accepted, from the countries of Central and Eastern Europe to Canada, and from various countries in the Asia-Pacific area to Latin America, where safeguarding privacy is receivinga great deal of attention in the form of laws that make explicit reference to the systems of rules that have been adopted in Europe.
Romano Prodi
President of the EC, 2002
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
33
… also potential risks involved in the use of new information technologies for both individuals and society. A clear regulatory framework will help to promote the opportunities and minimize risks. Governments need to co-operate in the international arena to this end… Guy de Vel
Director General of Legal Affairs, 2002
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
44
History of PrivacyHistory of Privacy
The Bible has numerous references to privacy
1361 – the Justice of the Peace Act (England)
1776 – Access to Public Record (Sweden)
1858 – prohibition the publication of private facts
(France)
1889 – prohibition the publication of information
relating to “personal or domestic affairs”
(Norway)
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
55
History of Data ProtectionHistory of Data Protection G. Orwell – “1984” - 1948 (Big Brother G. Orwell – “1984” - 1948 (Big Brother
world)world) Interest in the right of privacy increased in Interest in the right of privacy increased in
the 1960s and 1970s – the 1960s and 1970s – advancedadvanced of of information technologyinformation technology
Land of Hesse (Germany 1970) – the first Land of Hesse (Germany 1970) – the first data protection law in the worlddata protection law in the world
Sweden (1973), Germany (1977), France Sweden (1973), Germany (1977), France (1978)(1978)
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
66
Smart cardsSmart cards
Plastic card carried some personal dataPlastic card carried some personal data Diners Club, 1950Diners Club, 1950 Bank of America, credit card, 1960Bank of America, credit card, 1960 Patent of Ronald Moreno, 1974Patent of Ronald Moreno, 1974 Bull memory card, 1985Bull memory card, 1985 ORGA multifunctional processor cardORGA multifunctional processor card
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
77
TechnologyTechnology? Key or carrier of data ?? Key or carrier of data ?
Plastic card (data on surface)Plastic card (data on surface) Magnetic stripMagnetic strip MemoryMemory MicroprocessorMicroprocessor Laser memoryLaser memory Cryptographic chip Cryptographic chip
different level of data protectiondifferent level of data protection
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
88
Smart card applicationsSmart card applications
- - authentication of authorized personnel authentication of authorized personnel - support legally recognized electronic support legally recognized electronic
signaturessignatures- citizen electronic identity cardcitizen electronic identity card- social security identification of insured pers.social security identification of insured pers. - health passport cardhealth passport card- local services (transport, loyalty, leisure …)local services (transport, loyalty, leisure …)
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
99
Smart cards areSmart cards are- sensibly standardized sensibly standardized - securesecure- really personalreally personal- portableportable- familiar to userfamiliar to user- largely able for customizationlargely able for customization- widely offered on the marketwidely offered on the market- without credible competitionwithout credible competition
EC-Enterprise DG, 2002EC-Enterprise DG, 2002
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
1010
Security frameworkSecurity framework
Technology securityTechnology security: : reliability, technical reliability, technical solutions, quality of components used in system, solutions, quality of components used in system, resistant to breakdowns and attacks. resistant to breakdowns and attacks.
Implementation of international norms and Implementation of international norms and standards defined by CEN and ISOstandards defined by CEN and ISO
Application securityApplication security: : security level in whole security level in whole system (application). Risk management.system (application). Risk management.
Risk analysis. Risk analysis.
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
1111
Protection of dataProtection of data
is a fundamental issue for success is a fundamental issue for success
of the applicationof the application
- authorization access right to data- authorization access right to data
- protection against unauthorized reading, - protection against unauthorized reading, modification, misusemodification, misuse
- appropriate legislation- appropriate legislation
- ethical issues - ethical issues
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
1212
Council of EuropeCouncil of EuropeReport on the protection of personal data with Report on the protection of personal data with regard to the use of smart cards :regard to the use of smart cards :
www.coe.int/T/E/Legal_affairs/Legal_co-www.coe.int/T/E/Legal_affairs/Legal_co-operation/Data_protection/operation/Data_protection/
Guiding Principles for the Protection of Guiding Principles for the Protection of Personal Data with Regard to the Use of Personal Data with Regard to the Use of Smart CardsSmart Cards
working document, working document, CJ-PD, 2002CJ-PD, 2002
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
1313
Key factorsKey factorsNational legal frameNational legal frame
Council of Europe and EU legislationCouncil of Europe and EU legislation
Acceptance of all “players” – card holder,Acceptance of all “players” – card holder,
card issuer, card userscard issuer, card users
Technology – user friendly and secureTechnology – user friendly and secure
technologytechnology
High protected personal dataHigh protected personal data
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
1414
LegislationLegislation
Domestic data protection lawsDomestic data protection laws
Convention 108 and Council of Europe Convention 108 and Council of Europe RecommendationsRecommendations
Directive 95/46/ECDirective 95/46/EC Directive 2002/58/ECDirective 2002/58/EC
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
1515
National legislationNational legislation
Collecting and processing personal data in Collecting and processing personal data in systems which use smart cards should systems which use smart cards should respect all the principles of personal data respect all the principles of personal data protection established by national protection established by national legislationlegislation
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
1616
Legislation - EuropeLegislation - Europe
Convention for the Protection of Convention for the Protection of Human Rights and Fundamental Human Rights and Fundamental FreedomsFreedoms (Rome, 1950) (Rome, 1950)
Convention for the Protection of Convention for the Protection of Individuals with regard to the Individuals with regard to the Automatic Processing of Personal DataAutomatic Processing of Personal Data (ETS 108, 1981) (ETS 108, 1981)
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
1717
Legislation - EuropeLegislation - Europe Directive on the Protection of Directive on the Protection of
Individuals with regard to the Individuals with regard to the Processing of Personal Data and on the Processing of Personal Data and on the Free Movement of such DataFree Movement of such Data
((95/46/EC, 199595/46/EC, 1995))
Directive on privacy and electronic Directive on privacy and electronic communicationscommunications ((2002/58/EC, 2002)2002/58/EC, 2002)
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
1818
Convention 108Convention 108
The 1The 1stst legally binding international data legally binding international data protection instrumentprotection instrument
Strasbourg 28Strasbourg 28 January January 19811981
Article 8 Human Right ConventionArticle 8 Human Right Convention
Ratification – all EU countries + Ratification – all EU countries + Bulgaria,Bulgaria, Czech Republic,Czech Republic, Estonia, Hungary, Latvia, Estonia, Hungary, Latvia, Lithuania, Lithuania, Poland, RomaniaPoland, Romania, , Slovakia, Slovenia Slovakia, Slovenia
Schengen acquisSchengen acquis
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
1919
Additional ProtocolAdditional Protocol
Additional Protocol to the Convention 108 Additional Protocol to the Convention 108 regarding supervisory authorities and regarding supervisory authorities and transborder data flowstransborder data flows
ETS no. 181 – 8.11.2001ETS no. 181 – 8.11.2001 Signature – 18 countries Signature – 18 countries
Slovakia, Lithuania, Czech RepublicSlovakia, Lithuania, Czech Republic Ratification – Ratification – SwedenSweden, Slovakia, Slovakia
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
2020
Directive 95/46/ECDirective 95/46/EC
Free internal marketFree internal market Development of the informationDevelopment of the information society society Remove obstacles to the free movement Remove obstacles to the free movement
of the dataof the data
but respect fundamental human rightsbut respect fundamental human rights Harmonize national provisions in DPHarmonize national provisions in DP
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
2121
Directive 95/46/ECDirective 95/46/EC – cont. – cont.
Applies to any operation or set of operations Applies to any operation or set of operations which is performed upon personal data – which is performed upon personal data – processingprocessing
Personal data – the data relating to any Personal data – the data relating to any identified or identifiable individual – data identified or identifiable individual – data subjectsubject
Controller – determines the purposes and Controller – determines the purposes and the means of processingthe means of processing
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
2222
Directive 2002/58/ECDirective 2002/58/EC
Concerning processing of personal data and the Concerning processing of personal data and the protection of privacy in the electronic protection of privacy in the electronic communications sectors (Directive on privacy communications sectors (Directive on privacy and electronic communications)and electronic communications)
/repealed and replaced the Directive 97/66/EC//repealed and replaced the Directive 97/66/EC/
- Translates Directive 95/46/EC principles into the - Translates Directive 95/46/EC principles into the telecommunication sectortelecommunication sector
- Unsolicited communications : opt-in (prior consent)- Unsolicited communications : opt-in (prior consent)
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
2323
eEurope Smart CardeEurope Smart Card
Electronic cards – significant role in the Electronic cards – significant role in the information societyinformation society
EU Conference in Lisbon – smart card in EU Conference in Lisbon – smart card in the framework of the eEurope 2000: An the framework of the eEurope 2000: An Information Society for AllInformation Society for All
More about More about the the eESC eESC – see presentation – see presentation of of Lutz Martiny, ChairmanLutz Martiny, Chairman
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
2424
Specific risksSpecific risks Increasing volume of data – attack against Increasing volume of data – attack against
the cardthe card
Recording and processing of sensitive Recording and processing of sensitive personal datapersonal data
Payment operationPayment operation Health cardHealth card
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
2525
Access to dataAccess to data
Access by a cardholderAccess by a cardholder
– – how to realizehow to realize
Access by a third partyAccess by a third party
– – how to preventhow to prevent
Software level security Software level security
- cryptography- cryptography
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
2626
Data protectionData protection
Smart card and memory cardSmart card and memory card Contact and contactless cardContact and contactless card Privacy Enhanced Technology (PET)Privacy Enhanced Technology (PET) Specific risks in different applications Specific risks in different applications
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
2727
Guiding PrinciplesGuiding Principles
12 Principles for the protection of individuals 12 Principles for the protection of individuals
addressed to everyone in smart card application addressed to everyone in smart card application - SC issuer, project designer, managers, - SC issuer, project designer, managers, operators, and cardholder operators, and cardholder
Principles for lawfully and fairly data collection Principles for lawfully and fairly data collection and processingand processing
Application of Convention 108 principlesApplication of Convention 108 principles
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
2828
Guiding Principles Guiding Principles – cont.– cont.
SC processing of identification data, SC processing of identification data, “ordinary” personal data and sensitive data“ordinary” personal data and sensitive data
Cardholder (data subject) rightsCardholder (data subject) rights
Traces of use of smart cardTraces of use of smart card
Biometric dataBiometric data
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
2929
Relevant CoE documentsRelevant CoE documents
RecommendationsRecommendations::R(99)14 – R(99)14 – on universal community service concerning on universal community service concerning
new communication and information servicesnew communication and information services
R(99)5 – R(99)5 – for the protection of privacy on the Internetfor the protection of privacy on the Internet
R(97)5 – R(97)5 – on the protection of medical dataon the protection of medical data
R(95)4 – R(95)4 – on the protection of personal data in the area of on the protection of personal data in the area of telecommunication services with particular reference to telecommunication services with particular reference to telephone servicestelephone services
R(90)19 – R(90)19 – on the protection of personal data used for on the protection of personal data used for payment and other related operationspayment and other related operations
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
3030
Relevant CoE documentsRelevant CoE documents
R(89)2 – R(89)2 – on the protection of personal data used for on the protection of personal data used for employment purposes employment purposes
R(86)1 – R(86)1 – on the protection of personal data used for on the protection of personal data used for social security purposessocial security purposes
R(85)20 – R(85)20 – on the protection of personal data used for the on the protection of personal data used for the purposes of direct marketingpurposes of direct marketing
Draft Recommendation R(2002)… on the protection of Draft Recommendation R(2002)… on the protection of personal data collected and processed for insurance personal data collected and processed for insurance purposes purposes
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
3131
Legislation - EuropeLegislation - Europe
Recommendations of Council of EuropeRecommendations of Council of Europe Decision of the European CommissionDecision of the European Commission Working Party according the Article Working Party according the Article 29 (W29 (WPP 29) 29) Judgments of the European Court of Human Judgments of the European Court of Human
Rights (StrasbourgRights (Strasbourg)) Conference of the European Commissioners for Conference of the European Commissioners for
Data Protection Data Protection (2001-Athens, 2002-Bonn)(2001-Athens, 2002-Bonn) BerlBerlin Groupin Group ( (data protection in data protection in
telecommunication sectortelecommunication sector)) CEE and Baltic countries meetings (2002-CEE and Baltic countries meetings (2002-
Prague, Vilnius)Prague, Vilnius)
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
3232
CEEC webCEEC web
http://www.ceecprivacy.org http://www.ceecprivacy.org
Legal instrumentsLegal instruments
Discussion forumDiscussion forum
Links to CEEC websLinks to CEEC webs
INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022
3333
Thank you for your attentionThank you for your attention
• The Office for Personal Data ProtectionThe Office for Personal Data Protection
Havelkova 22, CZ-130 00 Prague 3Havelkova 22, CZ-130 00 Prague 3
Czech RepublicCzech Republic
tel.: +420 22100 8288tel.: +420 22100 8288
fax: +420 22271 8943fax: +420 22271 8943
[email protected]@uoou.cz
http://http://www.uoou.czwww.uoou.cz