The New European General Data Protection Regulation – Why Bother?
Pål Axelsson is SWAMID Identity Federation Operations Manager and author of Assessment of DP Legislation Implications
The sovereign states within the European Union (EU) are taking the privacy of their citizens seriously and in May 2018 a new EU-wide privacy law called the General Data Protection Regulation (GDPR) comes into effect in all 28 EU member states. Norway, Iceland and Liechtenstein will also implement the new legislation due to the European Economic Area (EEA) agreement. GDPR is replacing the old Data Protection Directive from 1995.
The GDPR will affect Research & Education (R&E) organizations based in the United States (US) due to its extended territorial scope, even though there is no data protection agreement between the EU and the US that applies to the R&E sector. From a non-EU/EEA perspective there are three situations in an identity federation world where GDPR applies and can bring it into play for US R&E organisations:
- Service Providers outside EU/EEA provide a service to users within EU/EEA;
- Identity Providers outside EU/EEA have users living within EU/EEA; and
- Users from a non-EU/EEA Identity Provider access a service within EU/EEA.
The first two use cases are common for InCommon members, who should take GDPR into consideration in ways explained below. The third use case only applies if the US R&E organisation provides a service within EU/EEA, e.g., operates a center there.
Essential GDPR concepts
Several key terms are fundamental in the GDPR.
Personal data is defined as any information, single or in combination, that can identify a person directly or indirectly. This includes online identifiers such as eduPersonPrincipalName, eduPersonUniqueID, and eduPersonTargetedID, and IP addresses and cookies if they are capable of being linked back to the person.
Data subjects are always natural persons, i.e. living individual users.
Data processing is defined as all operations that are performed on personal data or on sets of personal data, whether or not by automated means. This includes using, storing, transferring, and erasing personal data.
A data controller is a legal entity that is both responsible for personal data and processes it. Another legal entity that processes personal data on behalf of a data controller is a data processor. There must always be a GDPR compliant data processing agreement between a data controller and its data processors.
The principles for processing personal data are defined in Article 5 of the GDPR:
1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
Lawful data processing is defined in the first part of Article 6:
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
When and how should consent be used?
Consent is a data subject's agreement to the processing of their personal data that must be freely given, specific, informed and unambiguous. When assessing whether consent can be given under these conditions it is of utmost importance that use of the personal data is not necessary for accessing the Service Provider. In particular, if the release of attributes from an Identity Provider to a Service Provider is based on one of the five types of necessary processing defined in Article 6 (b) to (f), consent should not be used.
If a service would like to use additional personal data that is not necessary for using the service, e.g., user profile data such as a photo or phone number, the Service Provider should ask the user to freely give the information and also ask for consent to its use. It is very important that consent is given in a distinctly positive, opt-in way, i.e., don’t use a pre-checked box, because consent must always be a clear signal of the user’s willingness, not the Service Provider’s wish. The service must keep track of when consent is given and under which data processing conditions. Furthermore, the user must be able to withdraw the consent; in that case the personal data for which the user has withdrawn consent must be removed from the service.
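As an added illustration of the consent bookkeeping described above (example code written for this page, not code from the article or from any federation software), the following Python sketch records opt-in consent together with its timestamp and the terms shown, refuses a pre-ticked box or data the consent does not cover, and erases the covered data when the user withdraws. The class and field names, and the sample subject and attribute values, are hypothetical.

```python
"""Consent bookkeeping for optional profile data.

Added example for this page, not code from the article or any federation
software. It models the rules the text states: consent is an explicit
opt-in (never a pre-ticked box), the service records when and on which
terms consent was given, and withdrawal removes the data it covered.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ConsentForm:
    """What the service showed the user (hypothetical structure)."""
    purpose: str                 # e.g. "show phone number to project members"
    attributes: Tuple[str, ...]  # optional data the purpose needs, e.g. ("phone",)
    terms_version: str           # the processing conditions shown to the user
    checked_by_default: bool     # True would make any resulting consent invalid
    user_ticked: bool            # did the user actively tick the box?


@dataclass
class ConsentRecord:
    purpose: str
    attributes: Tuple[str, ...]
    terms_version: str
    given_at: datetime           # kept so the service can show when consent was given


class ConsentStore:
    def __init__(self) -> None:
        self._consents: Dict[str, Dict[str, ConsentRecord]] = {}  # subject -> purpose -> record
        self._optional_data: Dict[str, Dict[str, str]] = {}       # subject -> attribute -> value

    def validate_form(self, form: ConsentForm) -> List[str]:
        """Return the reasons a form cannot produce valid consent (empty list if fine)."""
        problems = []
        if form.checked_by_default:
            problems.append("consent box must be unticked by default")
        if not form.purpose.strip():
            problems.append("consent must name a specific purpose")
        if not form.attributes:
            problems.append("consent must say which data it covers")
        return problems

    def record(self, subject: str, form: ConsentForm, values: Dict[str, str],
               now: Optional[datetime] = None) -> bool:
        """Store volunteered data only when consent is valid and actively given."""
        if self.validate_form(form) or not form.user_ticked:
            return False
        if set(values) - set(form.attributes):
            return False  # refuse data the consent does not cover
        rec = ConsentRecord(form.purpose, form.attributes, form.terms_version,
                            now or datetime.now(timezone.utc))
        self._consents.setdefault(subject, {})[form.purpose] = rec
        self._optional_data.setdefault(subject, {}).update(values)
        return True

    def has_consent(self, subject: str, purpose: str) -> bool:
        return purpose in self._consents.get(subject, {})

    def consent_given_at(self, subject: str, purpose: str) -> Optional[datetime]:
        rec = self._consents.get(subject, {}).get(purpose)
        return rec.given_at if rec else None

    def withdraw(self, subject: str, purpose: str) -> List[str]:
        """Drop the consent and erase every attribute no remaining consent covers."""
        rec = self._consents.get(subject, {}).pop(purpose, None)
        if rec is None:
            return []
        still_covered = {a for r in self._consents.get(subject, {}).values()
                         for a in r.attributes}
        data = self._optional_data.get(subject, {})
        erased = [a for a in rec.attributes if a not in still_covered and a in data]
        for a in erased:
            del data[a]
        return sorted(erased)

    def optional_data(self, subject: str) -> Dict[str, str]:
        return dict(self._optional_data.get(subject, {}))
```

The store keeps optional data only while some valid consent covers it, so withdrawing one purpose erases an attribute only if no other live consent still names it; the service can also answer "when did the user agree, and to what terms" from the stored record.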
Rights of the user
The rights and freedoms of data subjects are one of the basic principles behind the GDPR and are defined in the EU Charter of Fundamental Rights. The GDPR defines the following rights of data subjects to ensure that users have control over their personal data.
- The “right of access” focuses on transparency: the user has the right to check what data is being processed about him or her. It is therefore important that the service has a user profile page where all personal data about the user is presented. This profile should also indicate which lawful principles are used for different sets of personal data.
- The “right to rectification” gives users the right to correct personal data that the service has about them if it is inaccurate or incomplete. If the personal data is transferred from an Identity Provider to the Service Provider it is acceptable to redirect the user to the Identity Provider to correct the personal data; in that case the user must also be told to log in again afterwards so that the data is automatically corrected within the service. The Service Provider must also inform any third party with which the data was shared about the rectification.
- The “right to erasure”, also known as the “right to be forgotten,” provides that the user can require all personal data about him or her to be erased from a service. Furthermore, when personal data is no longer used for processing it must be erased from the service within a defined timeframe. This right is not absolute: there are some cases when it is not feasible, e.g., when the rights of freedom of expression and information are exercised, when it is needed to exercise or defend a legal claim, or for archiving purposes in the public interest, academic provenance, historical research, or statistical purposes. If you have disclosed personal data to a third party you must inform them about the erasure.
- The “right to restrict processing” gives users the right to block further processing of their personal data. When processing is restricted the personal data can be stored but no processing of any other kind is permitted. This right works in parallel with the right of erasure: for example, the data stays stored but untouched in order to stop unlawful processing or to support dispute resolution. If you have disclosed personal data to a third party you must inform them about the restriction.
- The “right of objection” allows users to object to processing of their personal data. The most common use of this right is for a user to object to direct marketing. It is also possible to object to other types of processing, e.g., for purposes of scientific or historical research and statistics. If you have disclosed personal data to another party you must inform them about the objection.
There are further rights that are primarily concerned with automated processing of personal data that are not pertinent to identity federations and so are not described here.
How about data protection incidents?
Under the GDPR, a security incident leading to the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal data is called a personal data breach. If a personal data breach occurs for a European user, the Service Provider should inform the user’s Identity Provider that data protection for the user has been breached as soon as possible. This helps the Identity Provider meet their requirement to report a data breach to their national supervisory authority within 72 hours if the breach might present a threat to the user’s rights and freedoms. The REFEDS Security Incident Response Trust Framework for Federated Identity (SIRTFI) should be used for this. This means that Service Providers should ensure they have internal procedures meeting the SIRTFI specification and declare support for SIRTFI in their federation metadata. European Identity Providers need to do likewise.
The interfederation service eduGAIN, which connects the European Identity Providers to US Service Providers, is investigating solutions for a SIRTFI gateway for those Identity Providers in Europe that haven’t had time yet to ensure that their security procedures are adequate and declare support for SIRTFI. eduGAIN will also extend SIRTFI with a reporting functionality for data protection incidents that will include both coordination of incidents involving more than two parties and anonymized incident statistics.
What could be the cost of bad user privacy?
You have probably read about the €2.42 billion that Google was fined by the European Commission for abusing dominance in the search engine market earlier this year. Within GDPR there is a possibility of an administrative fine if you do not follow GDPR for your European users. The GDPR fine can in the worst case be 4% of the total worldwide annual revenue of the preceding financial year with a ceiling of €20 million. However, it is highly unlikely that a higher education institution or a research organisation within the US will be fined at the highest level for abuse of personal data they process based on a federated login. On the other hand, the goodwill loss can be significant if the use of personal data is done unwisely.
How to get attributes from European Identity Providers
The REFEDS Research and Scholarship Entity Category (REFEDS R&S) is designed for Service Providers that support, at least in part, research and scholarly interaction, collaboration, or management. REFEDS R&S is intended for global use by a wide range of different Service Providers, commercial, campus, or research, that fulfil the above condition, which is a lawful “legitimate interest” under GDPR. REFEDS R&S defines a very small set of personal data that can be released to R&S Service Providers: name, email address, a shared user identifier, and optionally the user’s affiliation with the Identity Provider. Under the GDPR, the Service Provider is the data controller over the transferred attributes.
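The two metadata signals discussed on this page, the REFEDS R&S entity category (which decides whether an Identity Provider may release the small R&S attribute set) and the SIRTFI assurance certification from the incident section above (which tells a party whom to notify after a personal data breach), both live in SAML federation metadata. The following Python block is an added example written for this page, not code from the article, REFEDS or any federation software: it parses a Service Provider's EntityDescriptor, reports whether R&S and SIRTFI are declared, extracts the security contact, and computes the attributes an IdP would release under R&S. The sample metadata and user attributes are constructed for the example. The category and certification URIs, the attribute bundle (eduPersonPrincipalName, mail, displayName or givenName and sn, optional eduPersonScopedAffiliation) and the security-contact extension come from the REFEDS specifications rather than from the article, which only names the data informally.

```python
"""Reading SP federation metadata for the R&S entity category and SIRTFI.

Added example for this page (not the article's or any project's code).
The sample metadata below is constructed and the entityID is fictitious.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "remd": "http://refeds.org/metadata",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
ASSURANCE_CERT = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
REFEDS_RS = "http://refeds.org/category/research-and-scholarship"
SIRTFI = "https://refeds.org/sirtfi"
SECURITY_CONTACT = "http://refeds.org/metadata/contactType/security"

# The R&S bundle as the article describes it (name, email, shared identifier,
# optional affiliation), using the eduPerson/inetOrgPerson attribute names.
RS_REQUIRED = ("eduPersonPrincipalName", "mail", "displayName", "givenName", "sn")
RS_OPTIONAL = ("eduPersonScopedAffiliation",)

# Constructed sample: an SP that declares both R&S and SIRTFI.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:remd="http://refeds.org/metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
        <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <md:ContactPerson contactType="other"
      remd:contactType="http://refeds.org/metadata/contactType/security">
    <md:EmailAddress>mailto:security@sp.example.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>"""


def entity_attribute_values(root: ET.Element, name: str) -> List[str]:
    """Collect the values of one entity attribute from md:Extensions."""
    values = []
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip()
                          for v in attr.findall("saml:AttributeValue", NS))
    return values


def security_contacts(root: ET.Element) -> List[str]:
    """Email addresses of ContactPerson elements tagged as SIRTFI security contacts."""
    out = []
    for cp in root.findall("md:ContactPerson", NS):
        if cp.get("{%s}contactType" % NS["remd"]) == SECURITY_CONTACT:
            out.extend((e.text or "").strip() for e in cp.findall("md:EmailAddress", NS))
    return out


def assess_sp(metadata_xml: str, user_attributes: Dict[str, str]) -> Dict[str, object]:
    """Decide what an IdP may release to this SP and whether it is reachable for incidents."""
    root = ET.fromstring(metadata_xml)
    if root.find("md:SPSSODescriptor", NS) is None:
        raise ValueError("metadata does not describe a Service Provider")
    is_rs = REFEDS_RS in entity_attribute_values(root, ENTITY_CATEGORY)
    # Data minimisation: under R&S only the bundle leaves the IdP, nothing else.
    release = {a: user_attributes[a] for a in RS_REQUIRED + RS_OPTIONAL
               if is_rs and a in user_attributes}
    return {
        "entity_id": root.get("entityID"),
        "research_and_scholarship": is_rs,
        "sirtfi": SIRTFI in entity_attribute_values(root, ASSURANCE_CERT),
        "security_contacts": security_contacts(root),
        "release": release,
    }


if __name__ == "__main__":
    user = {"eduPersonPrincipalName": "alice@example.edu", "mail": "alice@example.edu",
            "displayName": "Alice Example", "telephoneNumber": "+1 555 0100"}
    print(assess_sp(SAMPLE_SP_METADATA, user))
```

A Service Provider without the R&S category gets nothing from this policy (its attribute release would have to rest on another lawful basis negotiated separately), and an SP that lacks the SIRTFI certification or a security contact is flagged so that operators know breach notification to or from that party cannot follow the SIRTFI route.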
The General Data Protection Regulation is a big leap forward for the protection of personal data and it is not easy to comprehend. The description of the law above is my attempt to explain how the new European law affects eduGAIN and InCommon participants.
Academic identity federations, with tools such as entity categories and SIRTFI, are already working in the spirit of GDPR to address data minimisation, privacy, and breach control. However, we need to do better on things like privacy policies and implementing support for users’ rights. Identity Providers and Service Providers need to step up and start using these tools that make global federation work smoothly and scalably in a privacy preserving manner.