330 likes | 427 Views
D ata protection and smart cards. Karel Neuwirt The Office for Personal Data Protection Czech Republic.
E N D
Data protection andsmartcards Karel Neuwirt The Office for Personal Data Protection Czech Republic INFOBALT, Vilnius, 21 October 2002
It is no accident that the European approach to protecting personaldata is nowadays most widely accepted, from the countries ofCentral and Eastern Europe to Canada, and from various countriesin the Asia-Pacific area to Latin America, where safeguarding privacyis receiving a great deal of attention in the form of laws thatmake explicit reference to the systems of rules that have been adopted in Europe. Romano Prodi President of the EC, 2002
… also potential risks involved in the use of newinformation technologies for both individuals and society. A clear regulatory framework will help to promote the opportunities and minimize risks. Governments need to co-operate in the international arena to this end… Guy de Vel Director General of Legal Affairs, 2002 INFOBALT, Vilnius, 21 October 2002
History of Privacy The Bible has numerous references to privacy 1361 – the Justice of the Peace Act (England) 1776 – Access to Public Record (Sweden) 1858 – prohibition the publication of private facts (France) 1889 – prohibition the publication of information relating to “personal or domestic affairs” (Norway) INFOBALT, Vilnius, 21 October 2002
History of Data Protection • G. Orwell – “1984” - 1948 (Big Brother world) • Interest in the right of privacy increased in the 1960s and 1970s – advanced of information technology • Land of Hesse (Germany 1970) – the first data protection law in the world • Sweden (1973), Germany (1977), France (1978) INFOBALT, Vilnius, 21 October 2002
Smart cards • Plastic card carried some personal data • Diners Club, 1950 • Bank of America, credit card, 1960 • Patent of Ronald Moreno, 1974 • Bull memory card, 1985 • ORGA multifunctional processor card INFOBALT, Vilnius, 21 October 2002
Technology ? Key or carrier of data ? • Plastic card (data on surface) • Magnetic strip • Memory • Microprocessor • Laser memory • Cryptographic chip different level of data protection INFOBALT, Vilnius, 21 October 2002
Smart card applications - authentication of authorized personnel • support legally recognized electronic signatures • citizen electronic identity card • social security identification of insured pers. • health passport card • local services (transport, loyalty, leisure …) INFOBALT, Vilnius, 21 October 2002
Smart cards are • sensibly standardized • secure • really personal • portable • familiar to user • largely able for customization • widely offered on the market • without credible competition EC-Enterprise DG, 2002 INFOBALT, Vilnius, 21 October 2002
Security framework Technology security: reliability, technical solutions, quality of components used in system, resistant to breakdowns and attacks. Implementation of international norms and standards defined by CEN and ISO Application security: security level in whole system (application). Risk management. Risk analysis. INFOBALT, Vilnius, 21 October 2002
Protection of data is a fundamental issue for success of the application - authorization access right to data - protection against unauthorized reading, modification, misuse - appropriate legislation - ethical issues INFOBALT, Vilnius, 21 October 2002
Council of Europe Report on the protection of personal data with regard to the use of smart cards : www.coe.int/T/E/Legal_affairs/Legal_co-operation/Data_protection/ Guiding Principles for the Protection of Personal Data with Regard to the Use of Smart Cards working document, CJ-PD, 2002 INFOBALT, Vilnius, 21 October 2002
Key factors National legal frame Council of Europe and EU legislation Acceptance of all “players” – card holder, card issuer, card users Technology – user friendly and secure technology High protected personal data INFOBALT, Vilnius, 21 October 2002
Legislation Domestic data protection laws Convention 108 and Council of Europe Recommendations Directive 95/46/EC Directive 2002/58/EC INFOBALT, Vilnius, 21 October 2002
National legislation Collecting and processing personal data in systems which use smart cards should respect all the principles of personal data protection established by national legislation INFOBALT, Vilnius, 21 October 2002
Legislation - Europe • Convention for the Protection of Human Rights and Fundamental Freedoms (Rome, 1950) • Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (ETS 108, 1981) INFOBALT, Vilnius, 21 October 2002
Legislation - Europe • Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data (95/46/EC, 1995) • Directive on privacy and electronic communications(2002/58/EC, 2002) INFOBALT, Vilnius, 21 October 2002
Convention 108 The 1st legally binding international data protection instrument Strasbourg 28January 1981 Article 8 Human Right Convention Ratification – all EU countries + Bulgaria,Czech Republic,Estonia, Hungary, Latvia, Lithuania, Poland, Romania, Slovakia, Slovenia Schengen acquis INFOBALT, Vilnius, 21 October 2002
Additional Protocol • Additional Protocol to the Convention 108 regarding supervisory authorities and transborder data flows ETS no. 181 – 8.11.2001 • Signature – 18 countries Slovakia, Lithuania, Czech Republic • Ratification – Sweden, Slovakia INFOBALT, Vilnius, 21 October 2002
Directive 95/46/EC • Free internal market • Development of the information society • Remove obstacles to the free movement of the data but respect fundamental human rights • Harmonize national provisions in DP INFOBALT, Vilnius, 21 October 2002
Directive 95/46/EC – cont. Applies to any operation or set of operations which is performed upon personal data – processing Personal data – the data relating to any identified or identifiable individual – data subject Controller – determines the purposes and the means of processing INFOBALT, Vilnius, 21 October 2002
Directive 2002/58/EC Concerning processing of personal data and the protection of privacy in the electronic communications sectors (Directive on privacy and electronic communications) /repealed and replaced the Directive 97/66/EC/ - Translates Directive 95/46/EC principles into the telecommunication sector - Unsolicited communications : opt-in (prior consent) INFOBALT, Vilnius, 21 October 2002
eEurope Smart Card • Electronic cards – significant role in the information society • EU Conference in Lisbon – smart card in the framework of the eEurope 2000: An Information Society for All • More about the eESC – see presentation of Lutz Martiny, Chairman INFOBALT, Vilnius, 21 October 2002
Specific risks • Increasing volume of data – attack against the card • Recording and processing of sensitive personal data • Payment operation • Health card INFOBALT, Vilnius, 21 October 2002
Access to data Access by a cardholder – how to realize Access by a third party – how to prevent Software level security - cryptography INFOBALT, Vilnius, 21 October 2002
Data protection • Smart card and memory card • Contact and contactless card • Privacy Enhanced Technology (PET) • Specific risks in different applications INFOBALT, Vilnius, 21 October 2002
Guiding Principles 12 Principles for the protection of individuals addressed to everyone in smart card application - SC issuer, project designer, managers, operators, and cardholder Principles for lawfully and fairly data collection and processing Application of Convention 108 principles INFOBALT, Vilnius, 21 October 2002
Guiding Principles – cont. SC processing of identification data, “ordinary” personal data and sensitive data Cardholder (data subject) rights Traces of use of smart card Biometric data INFOBALT, Vilnius, 21 October 2002
Relevant CoE documents Recommendations: R(99)14 – on universal community service concerning new communication and information services R(99)5 – for the protection of privacy on the Internet R(97)5 – on the protection of medical data R(95)4 – on the protection of personal data in the area of telecommunication services with particular reference to telephone services R(90)19 – on the protection of personal data used for payment and other related operations INFOBALT, Vilnius, 21 October 2002
Relevant CoE documents R(89)2 – on the protection of personal data used for employment purposes R(86)1 – on the protection of personal data used for social security purposes R(85)20 – on the protection of personal data used for the purposes of direct marketing Draft Recommendation R(2002)… on the protection of personal data collected and processed for insurance purposes INFOBALT, Vilnius, 21 October 2002
Legislation - Europe • Recommendations of Council of Europe • Decision of the European Commission • Working Party according the Article 29 (WP 29) • Judgments of the European Court of Human Rights (Strasbourg) • Conference of the European Commissioners for Data Protection (2001-Athens, 2002-Bonn) • Berlin Group (data protection in telecommunication sector) • CEE and Baltic countries meetings (2002-Prague, Vilnius) INFOBALT, Vilnius, 21 October 2002
CEEC web • http://www.ceecprivacy.org Legal instruments Discussion forum Links to CEEC webs INFOBALT, Vilnius, 21 October 2002
Thank you for your attention • The Office for Personal Data Protection Havelkova 22, CZ-130 00 Prague 3 Czech Republic tel.: +420 22100 8288 fax: +420 22271 8943 info@uoou.cz http://www.uoou.cz INFOBALT, Vilnius, 21 October 2002