GN2-05-163v3

8/8/2019 GN2-05-163v3

http://slidepdf.com/reader/full/gn2-05-163v3 1/43

09.09.05

Deliverable DJ5.1.3:GÉANT2 Roaming Policy and LegalFramework - Part 1: Legislation Overview

Deliverable DJ5.1.3

Contractual Date: 31/05/05 Actual Date: 09/09/05Contract Number: 511082Instrument type: Integrated Infrastructure Initiative (I3)Activity: JRA5Work Item: 2 (Roaming)Nature of Deliverable: R (Report)

Dissemination Level PU (Public)Lead Partner SURFnetDocument Code GN2-05-163v3

Authors: D.Simonsen (UNI-C), S. Hjortgaard Christensen (UNI-C), E. Kassenaar (SURFnet), K. Wierenga (SURFnet),N. Jeliazkova (IISTF), R. Paffrath (DFN), J. Rauschenbach (DFN), S. Papageorgiou (GRNET), J. Jandusova(CESNET), J. Furman (CESNET), S. Winter (RESTENA), G. Massen (RESTENA), R. Marx (RESTENA), R.Papež (ARNES), B. Esih (ARNES), M. Dias (FCCN), L. Guido (FCCN), C.Iglesias (RedIRIS), N.B. Zanon(SWITCH)

Abstract: This deliverable provides an overview of the rules, national legislation etc. which influence the roaming activities of GÉANT2,specifically regarding protection of personal data. The EU Data protection Directive provides the lowest common denominator. In addition

to this, eleven National Research and Educational Networks provided feedback on legislation relevant to roaming in their respectivecountries. Based on this deliverable and the technical requirements for the roaming infrastructure, a policy for eduroam-ng will be providedin a second part of the document in year 2 of the projects life time.

8/8/2019 GN2-05-163v3


Project: GN2Deliverable Number: DJ5.1.3

Table of Contents0 Executive Summary iv

1 Roaming, Legal Rules and AUPs 5

1.1.1 Encryption of credentials 8

1.1.2 Further attribute exchange about the user 8

1.1.3 Storage of user data for logging and forensic purposes 8

1.1.4 Access to home and visited sites' Acceptable Use Policy (AUP) 9

2 Overview of relevant legislation 10

2.1 The EU Data protection Directive 10

2.2 Country specific regulation 12

2.2.1 ARNES, Slovenia 12 2.2.2 CARNet, Croatia 12 2.2.3 CESNET, Czech Republic 13 2.2.4 DFN, Germany 13 2.2.5 FCCN, Portugal 13 2.2.6 GRNET, Greece 13 2.2.7 ISTF, Bulgaria 13 2.2.8 RedIRIS, Spain 14 2.2.9 RESTENA, Luxembourg 14

2.2.10 SURFnet, The Netherlands 14 2.2.11 SWITCH, Switzerland 15

3 Towards a Common Policy for eduroam Federations 16

3.1 Protection of user credentials and further attributes 17

3.2 Logging and monitoring 18

3.3 Access to relevant AUPs 19 3.4 Eduroam federation document 19

4 Conclusion 21

Date of Issue: 09/09/05EC Contract No.: 511082Document Code: GN2-05-163v3 ii

8/8/2019 GN2-05-163v3



Table of FiguresFigure 1: Access at the home institution ...................................................... ........................................................... ............... 6 Figure 2: Access at an institution from the same national RADIUS domain......................................................................... 7 Figure 3: Access at an institution from a different national RADIUS domain ....................................................... ............... 7

Date of Issue: 09/09/05EC Contract No.: 511082Document Code: GN2-05-163v3 iii

8/8/2019 GN2-05-163v3



0 Executive SummaryPart1 of the document gathers best effort descriptions of national legislation that should be taken into account

when implementing the GÉANT2 roaming activities. These descriptions should not be seen as an attempt toprovide full overview of all legal details. It should be noted that the field of investigation, technically and legally,changes over time. The basis of the investigation is the existingeduroam federation, the starting point for theGÉANT2 roaming infrastructure. The legal overviews were carried out by eleven JRA5 partners, based onadvices of legal consultants of the NRENs, and give a good indication of the spectrum of common legal groundand differences within the GÉANT2 community.

Several levels of legislation are valid when mapping the present roaming activities (eduroam ). EU directives,national legislation, NREN-acceptable use policies, institutional rules as well as the policy for theeduroam federation itself will all have to be considered. For the roaming user the visited institution's acceptable usepolicy (AUP) will probably be the most relevant rules to abide to, as this always has to take all relevantlegislation and other relevant rules into account. The user must always abide by the legislation, AUPs etc. ofthe institution where he is physically situated, even when using virtual private network (VPN) systems toconnect to his home institution.

All overviews of national legislation agree that the EU directive on data protection (seehttp://europa.eu.int/comm/justice_home/fsj/privacy/ ) is of paramount importance. It has already beenimplemented in all EU member states' legislation and thereby provides a widespread harmonization within theGÉANT2 community. This document cannot be seen as exhaustive. Even if an attempt has been made totake the relevant legislation documents into account it is not excluded that several other directives anddeclarations might be of importance.

The institutions have the authority over their networks and always decide what resources to authorize the userto use on the basis of appropriate authentication. It is a local decision. This is also valid for network access andin turn means that the roaming user cannot expect services other than those established as the minimumprovided within the GÉANT2 community. This level of service has yet to be formally agreed upon as well aslevel(s) of security provided byeduroam -ng. A clear definition ofeduroam -ng is needed in the form of a policyconcerning the already mentioned topics as well as responsibilities, authority etc. This will be the subject of part2 of this deliverable, that will be provided in year 2.

Date of Issue: 09/09/05EC Contract No.: 511082Document Code: GN2-05-163v3 iv

http://europa.eu.int/comm/justice_home/fsj/privacy/

http://europa.eu.int/comm/justice_home/fsj/privacy/

8/8/2019 GN2-05-163v3



1 Roaming, Legal Rules and AUPsUsers that roam between institutions within the GÉANT2 community will be able to use their credentials

provided by thehome institution to get access to both network resources and network based services. Thismeans that communication between the visited institution (resource provider) and the home institution will occur.This communication will cross both administrative domains and national borders. The user credentials aregenerally perceived critical by both the institutions and the users as they often give access to email, coursemanagement systems etc. via single sign on systems at the home institutions. They should be thought of asreferring to 'natural persons' and thereby as 'personal data'.

The first generation ofeduroam was conceived and built in the pioneering spirit of the Internet: keep it simple,let it grow. eduroam encompassed several fundamentally different approaches to roaming, in a time ofdevelopment and maturing of wireless technologies. The pioneering times are not over, but a need to simplifythe message about what eduroam is and what you can expect from it has emerged along with the expansion.So far eduroam deals with authentication only (leaving a rudimentary authorisation decision to the networkprovider that is purely based on the authentication information; but this will be changing looking at theintegration with AAI). Finally theeduroam -ng infrastructure should integrate with coming services andapplications (AAI and single sign on) that were not initially imagined in connection witheduroam . All this callsfor a clear and simple definition ofeduroam -ng.

In practice, the user could authenticate using his email address (of his home institution) and password affiliatedwith that address - at the resource institution. The credentials would be routed safely back to the homeinstitution which replies whether it acknowledges the user to be one of its own, or not. From then on it's up tothe visited institution to decide what the roaming user gets access to.

The business model in place is simple: An institution provides network access to visiting users and vice versa,in case the own users travel to the other institution. To have trust in theeduroam set-up it is expected that allparticipants follow common rules that will be formulated in a policy document, ensuring a certain level of trustand that the overall system is safe by applying transitive security.

International meetings have revealed that the interest ineduroam is large and growing. It seems clear that'eduroam regions' will emerge (Europe being only one of several possible) and hence theeduroam -ng policymust interact with other regional policies to ensure that users' roaming is indeed possible across the manycountry borders and administrative domains of the emergingeduroam -world.

Date of Issue: 09/09/05EC Contract No.: 511082Document Code: GN2-05-163v3 5

8/8/2019 GN2-05-163v3


GÉANT2 Roaming Policy and Legal Framework - Part 1: Legislation OverviewRoaming, Legal Rules and AUPs


The present solution for roaming,eduroam , has established a hierarchy of servers (institutional, national andinternational) that route the user credentials to the home institution from anywhere in the federation (figure 1).Because of the hierarchical set-up, trust is established between different domains without the need to knoweverybody in the federation.

Figures 1 - 3 below show the flow of credentials in three scenarios, usingeduroam as we know it today: 1) theuser being authenticated at the home institution, 2) the user being authenticated at a neighbouring institution inthe same country and 3) the user being authenticated at an institution abroad. The credentials consist in thisexample of email address and password. The realm of the email address (@xyz.tld) makes it possible to routethe credentials back to the home institution.eduroam-ng might have a slightly different technical architecture,but this will not change the general picture and the rules that should be observed.

Figure 1: Access at the home institution

The user is being authenticated at home, using the eduroam infrastructure. The top level domain, domain nameand user name of the email address are recognized locally and handled locally.


8/8/2019 GN2-05-163v3




Figure 2: Access at an institution from the same national RADIUS domain

The user is being authenticated at a next door institution (No 2), in the same country, using the eduroaminfrastructure. The domain name of the email address is not recognized locally and the request is transferred tothe national server that routes the request to the right institution (No 1).

Figure 3: Access at an institution from a different national RADIUS domain


8/8/2019 GN2-05-163v3




The user is being authenticated at an institution abroad (No 3, PT), using the eduroam infrastructure. The toplevel domain name of the email address is not recognized locally nor at the national server (PT) and therequest is transferred to the international RADIUS server (EU1) that routes the request to the right country (DK),where it is directed towards the right institution (No 1).

In order to promote eduroam from the pilot infrastructure that it is today towards the full service that JRA5 willdeliver, it is important to assure that current and future architectures respect the relevant legislation. Among theissues that should be addressed building eduroam-ng is the data quality and proportionality principle: datashould be accurate and, where necessary, kept up to date. The data should be adequate, relevant and notexcessive in relation to the purposes for which they are transferred or further processed. The areas of particularinterest are:

1.1.1 Encryption of credentials

Since the user credentials (i.e. email address and password) typically give access to several systems such asemail, course management systems at the home institution etc. it is of paramount importance that thecredentials are kept private and are not exposed to untrustworthy parties. Handling and transfer of such data isgoverned by the EU directive on data protection that has been implemented in all EU member states. This,among other things, calls for end to end encryption between the client machine and the home institution so thatno 'man in the middle attack' can take place.

1.1.2 Further attribute exchange about the user

In order to provide the roaming user access to advanced services, more detailed information about the user willoften be required by the visited site. Before releasing such data the EU directive on data protection mandatesthat the user must give his consent.

1.1.3 Storage of user data for logging and forensic purposes

Logging of roaming activities and user data must strictly follow the proportionality principle, to ensure both the

users' and the institutions' trust in eduroam-ng. One of the main anchors of trust on the institutional side ofeduroam is the possibility of tracking down misuse since each institution grants access to net based resourcesto people from other institutions. Log files should/must be kept for as long as the national legislationpermits/mandates.


8/8/2019 GN2-05-163v3




1.1.4 Access to home and visited sites' Acceptable Use Policy (AUP)

The user should always abide to the AUP of his home institution. Further more, when roaming, he must alwaysabide to the rules of the place where he is physically situated. Therefore all participating institutions shouldmake their AUP easily available, both locally and at the national eduroam-ng website.


8/8/2019 GN2-05-163v3



2 Overview of relevant legislationRoaming users in the context of JRA5 move between institutions and countries and will be authorized for

network access and network based services after successful authentication and authorization sessions. Just asdifferent countries have different traffic rules, so do they have different laws and rules governing the use ofnetwork resources. Building a roaming infrastructure is therefore not only a question of technical solutions, butalso of potential conflicting legislation in the participating countries.

This deliverable draws up the legal landscape as background to a future roaming policy that does not conflictwith legislation and ensures that trust in the roaming infrastructure is maintained.

The legislative harmonization in EU certainly makes this field of investigation more transparent since the dataprotection act has been implemented in all member states' national legislation. Nevertheless, national variationexits and eleven countries from the JRA5 group have contributed with legislative overviews.

The following eleven JRA5 partners have provided best effort legal overviews of what legislation appears to berelevant for existing and future roaming activities:

ARNES, CARNet, CESNET, DFN, FCCN, GRNET, ISTF, RedIRIS, RESTENA, SURFnet and SWITCH.

All parties found Directive 95/46/EC from the European Parliament and from the Council of 24 October 1995(Data Protection Directive, DPD) to be most relevant. It ensures the protection of privacy and private life as wellas protection of personal data with regard to fundamental rights and freedom of natural persons. The directiveregulates the processing of personal data and formulates the legal framework on the protection of the data

subjects. All EU countries have implemented the directive, whilst Luxembourg has gone even further thanrequired ( see below).

2.1 The EU Data protection Directive

The protection of privacy is ensured by Article 8 of the European Convention for the protection of Human Rightsand Fundamental Freedoms (see http://europa.eu.int/comm/justice_home/fsj/rights/fsj_rights_intro_en.htm). Itshould be underlined that all Member States and the European Union are bound by the provisions of thisConvention.


8/8/2019 GN2-05-163v3


GÉANT2 Roaming Policy and Legal Framework - Part 1: Legislation OverviewOverview of relevant legislation


Furthermore, the Convention for the protection of individuals with regard to automatic processing of personaldata (No 108/1981) was the first legally binding instrument in the data protection field. The Charter ofFundamental Rights of the European Union (seehttp://europa.eu.int/comm/justice_home/fsj/rights/charter/fsj_rights_charter_en.htm), signed and proclaimed inNice on 7 December 2000, provides in Article 7 for the protection of private and family life, home andcommunication and in Article 8 for the protection of personal data. The new European Constitution containsalso articles specifically devoted to data protection and privacy (e.g. I-51), and there are strong indications thatthe European Union may promote further development in the very near future. This being said, the results ofthe referendums in France and Holland introduce some uncertainty as to the status of these initiatives.

Over the past decade, the European Commission has promoted and/or adopted a number of Directives andDecisions intended to create a legal framework within the European Union that provides strong protection tocitizens against the non-consensual, excessive collection, processing or communication of their personal data.

In particular, Directive 95/46/EC from the European Parliament and from the Council of 24 October 1995 (theData Protection Directive), more info underhttp://europa.eu.int/comm/justice_home/fsj/privacy/index_en.htm)ensures the protection of privacy and private life as well as the protection of personal data with regard tofundamental rights and freedoms of natural persons (Article 1, para. 1). It makes reference to specificity andsensitivity of processing of sound and image data (Articles 2(a) and 33 and recitals 14 and 26). It deals in detailwith issues linked to data quality (Article 6), criteria for making data processing legitimate (Article 7), processingof special categories of data (Article 8), information to be given to data subjects (Articles 10 and 11), datasubject’s right of access to data and right to object to the processing (Articles 12, 14 and 15), safeguardsapplying in relation to automated individual decisions (Article 15), confidentiality and security of processingoperations (Articles 16 and 17), notification of processing operations (Articles 18 and 19), and prior checking ofprocessing operations likely to present specific risks to the rights and freedoms of data subjects (Article 20).

In addition to the general Directive 95/46/EC, theDirective 2002/58/EC of the European Parliament and of theCouncil of 12 July 2002 concerning the processing of personal data and the protection of privacy in theelectronic communications sector (replacing Directive 97/66/EC) is also relevant.

The universities involved could also take adequate measures in order to implement the so-calledprinciple of moderation in the use of personal data which is aimed at preventing or reducing, to the greatest possibledegree, the processing of personal data.

One possible goal is to take additional steps in order to develop privacy-enhancing technologies (PETs). Froma regulatory point of view, it could be stressed that the framework principles behind the concept of PETs arelaid in Directive 95/46/EC and especially in Articles 6(1), 17 and Recital 46 of the preamble to the Directive. Inparticular, Article 6(1) refers to the principle of data minimisation by stating that the processing of personal datashould be limited to data that are adequate, relevant and not excessive.

This principle is strengthened by the reference that data should only be kept in a form that permits identificationof data subjects for no longer than is necessary for the purposes for which the data were collected or for whichthey are further processed. Article 17 of the Directive in question requires that controllers implement securitymeasures which are appropriate to the risks presented for personal data in storage or transmission, with a view


http://europa.eu.int/comm/justice_home/fsj/privacy/index_en.htm

http://europa.eu.int/comm/justice_home/fsj/privacy/index_en.htm

8/8/2019 GN2-05-163v3




to protecting personal data against accidental loss, alteration, unauthorised access, in particular where theprocessing involves the transmission of data over a network, and against all other unlawful forms of processing.

And Recital 46 of the preamble to the Directive underlines the fact that the protection of the rights and freedomsof the individuals with regard to the processing of personal data requires that appropriate technical andorganisational measures should be taken, both at the time of the design of the processing system and at thetime of the processing itself.

In the following pieces of text eleven countries point out legislation that either might be of general interest forthe roaming infrastructure or specific for that particular country. The list is ordered by country to illustrate howthe different NRENs view the field of interest. The results are not harmonised and most likely incomplete.

2.2 Country specific regulationIn all countries, there exists national legislation which is largely an implementation of the EU Data ProtectionDirective. In addition, further specific legislation may impose additional requirements. This chapter provides anoverview of some of these additional requirements. Links to the appropriate documents are provided in fullversions of these contributions in the appendix.

2.2.1 ARNES, Slovenia

Slovenia mentions the relevance of the national laws: Personal Data Protection Act (harmonised with EUdirectives) and the Electronic Communications Act. ARNES claims to be operating a 'closed network' andhence the national law (Data Communications Act) doesn't apply to ARNES. They do their best to work inaccord with all provisions of the acts which forbids the collection of personal registration numbers. ARNES isconsidering stopping collecting these data.

2.2.2 CARNet, Croatia

Croatia points out that The Data Protection Act states that personal data filing systems or personal data

contained in personal filing systems may be transferred abroad for further processing only if the state orinternational organisation to whom the personal data is being transferred to have adequately regulated the legalprotection of personal data and have ensured an adequate level of protection. This will have to be taken intoaccount ifeduroam should be chosen as the infrastructure to pass further attributes for authorization purposes,as envisioned in the plans for AAI and SSO. Prior to transferring personal data abroad, the personal data filingsystem controller shall, in case of reasonable doubt regarding the existence of an adequate personal dataprotection system, obtain an opinion regarding this issue from The Personal Data Protection Agency in hiscountry.


8/8/2019 GN2-05-163v3




2.2.3 CESNET, Czech Republic

The Czechs mention Act No 151/2000 Coll. On telecommunications according to which all personal data aswell as data that are subject to the telecommunication secret have to be deleted or made anonymous after amaximum period of 2 months except where this information is used for identification or investigation of networkabuse. Persons operating telecommunication services are obliged to notify the relevant authorized bodies ofinformation being telecommunication secret or personal data.

2.2.4 DFN, Germany

Germany emphasizes that there is no obligation to note and keep communications and traffic data preventively.

Only if a judicial resolution directed toward future communication procedures of a participant is present, thedata must then be stored in the context of the resolution and handed over to the public prosecutors office.

2.2.5 FCCN, Portugal

Portugal points our attention to the Computer Criminal Law based on the guiding principles contained in thereport of the European Committee on Crime Problems of the Council of Europe. The offences therein punishedare i.e. damage to data and programmes, compute related sabotage, illegitimate access, illegitimateinterception of computer systems or networks, illegitimate reproduction of computer programmes.

Mentioned as potentially relevant are also the Access Directive (2002/19/EC), the Authorisation Directive(2002/20/EC) and the Framework Directive (2002/21/EC) as is the Decree-Law nr. 7/2204 which deals withlegal aspect connected with the services of the information society like electronic contracts, ISP liability andunsolicited commercial e-mails.

2.2.6 GRNET, Greece

Greece points to the fact that personal data protection and privacy is ensured by Article 8 of the EuropeanConvention on the protection of Human Rights and Fundamental Freedoms. All member states of the EuropeanUnion are bound by the provisions of this Convention.

2.2.7 ISTF, Bulgaria

According to the Constitution of The Republic of Bulgaria the privacy of citizens is inviolable. Everyone isentitled to protection against any illegal interference in his private or family affairs and against encroachmentson his honour, dignity and reputation. Everyone is entitled to seek, obtain and disseminate information but thisright shall not be exercised to the detriment of the rights and reputation or others, or to the detriment of nationalsecurity, public order, public health and morality.


8/8/2019 GN2-05-163v3




2.2.8 RedIRIS, Spain

SPAIN refers to Spanish Personal Data Protection Act (LOPD), to Information Society Services and ElectronicCommerce Act(LSSICE), to Regulation of Security Measures of automate Personal data Files (RMD) and toReport 327/2003 of the Spanish Agency of Data Protection on whether IP addresses are personal data.

There are two different sets of data in the roaming system that may contain personal data: on one hand theinformation provided by the home institution and contained in the credentials and, on the other hand, the logsthat must be kept on authenticated sessions and network access sessions.

In either case, the guest user must express consent to the use of the personal data(art. 6 LOPD). The guestuser must be provided with information about the personal data file (art. 5 LOPD): data to be processed,purpose of the processing, controller of the file, persons to whom the data will be provided, whether the data iscompulsory, the consequences of not providing the data.

Besides the users' policy of the home and visited universities, the guest user must we aware that the LSSICEregulates certain activities related the provision of Information Society Services and electronic commerce, suchas electronic contracting.

Furthermore, the Spanish Penal code sets out a number of punishable conducts related to computer andnetwork usage, for example: illegitimate access to a telecommunications terminal when this causes a harm tothe owner (art. 256 Penal Code), discovering secrets (art. 197 Penal Code), infringement of copyright for acommercial purpose and when it harms a third party (arts. 270 et ss.)

2.2.9 RESTENA, Luxembourg

Luxembourg has implemented European Union directive 95/46/EG and has gone even further than the directivesuggests. The usage of any information that can be associated with a person must be reported to the nationaldata protection committee. The customer must declare consent before any personally related data may bestored.

2.2.10 SURFnet, The NetherlandsThe Netherlands points out that traffic data is a subject of concern due to certain user storage regulations(Directive 2002/58/EC in reflexion 15): "A communication may include any naming, numbering or addressinginformation provided by the sender of a communication or the user of a connection to carry out thecommunication. Traffic data may include any translation of this information by the network over which thecommunication is transmitted for the purpose of carrying out the transmission. Traffic data may, inter alia,consist of data referring to the routing, duration, time or volume of a communication, to the protocol used, to thelocation of the terminal equipment of the sender or recipient, to the network on which the communicationoriginates or terminates, to the beginning, end or duration of a connection. They may also consist of the formatin which the communication is conveyed by the network".


8/8/2019 GN2-05-163v3




Regarding data transfers to third countries an independent body in which all European data protectionauthorities are represented (The Article 29 Working Party) has made a paper about acceptable level ofprotection (Transfers of personal data to third countries; Applying Articles 25 and 26 of the EU data protectiondirective).

2.2.11 SWITCH, Switzerland

For the data protection issues the Federal data protection Act and the different cantonal data protection actsapply. For civil liability issues, the relevant cantonal legislation applies and for lawful interception topics theFederal law of interception in the telecom traffic applies.

Switzerland is not a member of the EU and follows therefore not the respective EU data protection directive(see Appendix A). Swiss data protection law is none the less very similar to EU data protection law. As dataprotection is not a federal duty, the cantons have their own data protection law, which applies to the respectiveuniversities, except the Federal Polytechnic Schools that underlies Federal data protection law. Anyhow theprinciple of what is personal data and how you are allowed to process data are more or less the same.

If you do not get consent of the user you need in Switzerland a legal basis for the processing of the data. Thislegal basis may be already given by cantonal law but has to be checked by the Institutions themselves.


8/8/2019 GN2-05-163v3


8/8/2019 GN2-05-163v3


GÉANT2 Roaming Policy and Legal Framework - Part 1: Legislation OverviewTowards a Common Policy for eduroam Federations


• Purpose limitation principle: data should be processed for a specific purpose and subsequently used orfurther communicated only insofar as this is not incompatible with the purpose of the transfer.

• Data quality and proportionality principle: data should be accurate and, where necessary, kept up todate. The data should be adequate, relevant and not excessive in relation to the purposes for whichthey are transferred or further processed.

• Transparency principle: individuals should be provided with information as to the purpose of theprocessing and the identity of the data controller in the third country and other information insofar asthis is necessary to ensure fairness.

• Security principle: technical and organizational measures should be taken by the data controller thatare appropriate to the risks presented by the processing.

• Rights of access, rectification and opposition: the data subject should have the right to obtain a copy ofall data relating to him/her that are processed and a right to rectification of those data that are shown tobe inaccurate. In certain circumstances he/she should also be able to object to the processing of thedata relating to him/her.

• Restrictions on onwards transfers to non-parties to the contract: further transfers of the personal databy the recipient of the original data transfer should be permitted only where the second recipient (therecipient of the onward transfer) is subject to rules affording an adequate level of protection

The US and Australia can be seen as countries with adequate protection for those institution that are followingthe Safe Harbour Principles. A list of these institutions can be found at the website of the U.S. Department ofCommerce.3

3.1 Protection of user credentials and further attributes

As the Working Party already stated in its Recommendation 2/99 on the respect of privacy in the context ofinterception of telecommunications adopted on the 3 of May 1999, the fact that a third party acquiresknowledge of traffic data concerning the use of telecommunication services has generally been considered asa telecommunication interception and constitutes therefore a violation of the individuals’ right to privacy and ofthe confidentiality of correspondence as guaranteed by Article 5 of directive 97/66/EC. In addition, suchdisclosure of traffic data is incompatible with Article 6 of that directive.

Any violation of these rights and obligations is unacceptable unless it fulfils three fundamental criteria, inaccordance with Article 8 (2) of the European Convention for the Protection of Human Rights and FundamentalFreedoms of 4 November 1950, and the European Court of Human Rights’ interpretation of this provision: alegal basis, the need for the measure in a democratic society and conformity with one of the legitimate aimslisted in the Convention. The legal basis must precisely define the limits and the means of applying the

3 http://www.export.gov/safeharbor/


8/8/2019 GN2-05-163v3




measure: the purposes for which the data may be processed, the length of time they may be kept (if at all) andaccess to them must be strictly limited. Large-scale exploratory or general surveillance must be forbidden. Itfollows that public authorities may be granted access to traffic data only on a case-by–case basis and neverproactively and as a general rule.

Using encryption it is today possible to pass user credentials (typically email address and password) throughthe eduroam (RADIUS) infrastructure to the home institution for authentication purposes. If more attributesshould later be exchanged it can either happen using the same eduroam system ('in band') or a separate set ofapplications ('out-of-band') that come in to play only after the initial successful authentication.

Two principally different ways of obtaining further information on a given user are: 1) sending attributedescribing a given user to the visited site or 2) answering questions about the user posed by the visited site.The latter method will disclose less information about the user as Boolean answers tend to be less informative.

All of the above mentioned rules should be observed as well as the principle of 'proportionality' (see above).The SCHema for Academia group (SCHAC), that works on international attribute harmonization is beingfollowed closely as the common and proper understanding of attributes is of course crucial.

3.2 Logging and monitoring

The recent political developments in the area of traffic data retention indicate that a proactive storage of log andtraffic data, not mandatory today, may be a reality in the near future.

There might be situations when retention is necessary even today. An actual decision should be made on theretention of data processed and stored in connection with the provision of available electronic communicationsservices or data on public communications networks for the purpose of investigation, detection and prosecutionof crime and criminal offences (in these it can be requested by governmental bodies).

Therefore guidelines can be developed in GN2-JRA5 for the storage and logging of data and for the use of thisdata.

‘The electronic privacy information center’ (EPIC is a public interest research center in Washington, D.C. It wasestablished in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the FirstAmendment, and constitutional values) closely follows the legal development of data retention at:http://www.epic.org/privacy/intl/data_retention.html

The procedures of defining the rules are still not completed. So recently a vote in the European Parliamentturned down a proposal on data retention (put forward by the member states and therefore not within the jurisdiction of the Parliament) which will most likely now be taken up by the Commission to get formallyscrutinized by the Parliament. More can be found at:http://www.theregister.co.uk/2005/06/08/data_retention_quandry/


8/8/2019 GN2-05-163v3




3.3 Access to relevant AUPs

Both the AUP of the visited institution as well as the AUP of the home institution must always be obeyed. Incase of overlapping rules the stricter rule will apply. It is therefore necessary that the AUPs are easilyaccessible to the user, who must be informed about which rules apply where. Each NREN will be asked tomake available a list of all the AUPs of the participating institutions in that particular country and an overviewwill be made available on the eduroam website.

In Figure 1 – 3 institutions should always make their AUP easily available to the users. Perhaps it should evenbe required to accept it before further use of the network is granted.

National eduroam web sites should list all participating institutions AUPs and point to the institutions eduroam

web sites.

The Greek participant GRNET has indicated in the legal survey that they assume that before a user visitsanother University, they have signed a relevant form in which they state that they shall behave according to theprovisions and regulations of the University that they intends to visit and are informed that they are subjected tothe laws of that country. Therefore, the user obtains access only if they have been informed of and hasaccepted the AUP.

3.4 Eduroam federation document

The purpose of the roaming activity in JRA5 is to build the European network roaming service. The federationof eduroam-ng sites is implemented as a combination of technical and legal components. The legalcomponents build the trust between the members of the federation by specifying the responsibilities, obligationsand liability of the respective members. This set of agreements between the members of the federation iscommonly called the federation document. As a separate deliverable a federation document will be producedthat contains the following items:

• Purpose of the federation

• Federation scope

• Joining requirements

• eduroam -ng policy authority, policy change procedures and possible sanctions

• Minimal security requirements

• Minimal service for all levels of the infrastructure


8/8/2019 GN2-05-163v3




The federation document will be published in a separate document/deliverable.


8/8/2019 GN2-05-163v3



4 ConclusionThe "Roaming Policy and legal Framework Document Part 1" provides the legislation overview for 11 countries

and some basic rules to be obeyed when providing a roaming service. The national contributions in theappendix have been provided taking into account legal advices in the NRENs. But even when lawyers havebeen involved by collecting input for this document it must be stated, that the majority of the people contributingstem from a technical background and are not experts in the legal area. Therefore it might be wise to updatethis paper after some time permitting more feedback from experts to these issues. We also see the necessity toprovide a more detailed description and guidelines for the involved partners, service specifications and othertechnical recommendations. This will be done in the Part 2 of this document that is planned to be provided inthe year 2 of the project. We expect that both document parts together will give a sufficient umbrella for aroaming service and a good platform for the harmonisation with "eduroamers" around the world. The describedproblems can projected from the roaming infrastructures to eduGAIN and should be reflected in a later stagewhen the AAI is approaching a more service-oriented level.


8/8/2019 GN2-05-163v3



Appendix A Natio al Contributions (full versionn s)

A.1ARNES, Slovenia

ULATIONS

ghts and Fundamental Freedomsin the Constitution ofthe Republic of Slovenia.

nstitution of the Republic of Slovenia [1]states:

a contrary to the purpose for which it was collected is prohibited.

use, supervision and protection of the confidentiality of personal data shall be provided by law. Everyone has the right of access to the collected personal data that relates to him and

rights, responsibilities, principles and measures to prevent unconstitutional, unlawfuland unjustified encroachments on the privacy and dignity of an individual (hereinafter: individual) in the

processed lawfullyand fairly.

2. proportionalitywhich states that, personal data that is being processed must be adequateand in their extent appropriate in relation to the purposes for which they are collected and further

DATA PROTECTION AND PRIVACY REG

Protection of Personal Data is listed amongHuman Ri

The 38th Article ofThe Co

The protection of personal data shall be guaranteed. The use of personal dat

The collection, processing, designated

the right to judicial protection in the event of any abuse of such data. The Personal Data Protection Act of theRepublic of Slovenia [2] has been enforced on the 1st of January 2005 and has been harmonized withEUDirective 95/46EC.

This Act determines the

processing of personal data. It also defines the National Supervisory Body for Protection of Personal Data.

The Personal Data Protection Act of the Republic of Slovenia follows three main principles:

1. Principle of lawfulness and fairnesswhich determines that Personal data shall be

Principle of

processed


8/8/2019 GN2-05-163v3


GÉANT2 Roaming Policy and Legal Framework - Part 1: Legislation OverviewNational Contributions (full versions)


3. Prohibition of discrimination which states that the protection of personal data shall be guaranteed toevery individual irrespective of nationality, race, colour, religious belief, ethnicity, sex, language,political or other belief, sexual orientation, material standing, birth, education, social position,citizenship, place or type of residence or any other personal circumstance.

Personal data according to the Personal Data Protection Act this is any data relating to an individual,irrespective of the form in which it is expressed. Personal data may only be processed if there is a provision forthis by statute, or if the personal consent of the individual has been given for the processing of certain personaldata.

This rule is even more restrictive for sensitive personal data, as it may only be processed if the individual hasgiven explicit personal consent for this. Such consent as a rule must be in writing, and for the organisations inthe public sector provided by statute. There are only a few exemptions from this rule. Arnes is considered as

part of the public sector but does not collect any sensitive personal data.

Sensitive personal data is data on racial, national or ethnic origin, political, religious or philosophical beliefs,trade union membership, health status, sexual life, the entry in or removal from criminal record or records ofminor offences that are kept on the basis of a statute that regulates minor offences (hereinafter: minor offencerecords). Biometric characteristics are also sensitive personal data if their use makes it possible to identify anindividual in connection with any of the aforementioned circumstances.

Sensitive personal data must, during processing, be specially marked and protected, such that access to it byunauthorised persons is prevented. In my opinion, for the Personal Data Protection Act to be effective it willneed some changing for the future.

Another Act that considers data protection and privacy regulations is the Electronic Communications Act [3].This Act refers only to an “Operator” which provides a public communications network or publicly availablecommunications services. Since Arnes is a closed network operator, it doesn't classify as an “Operator” andthis law doesn't apply to us. However we do our best to work in accord with all the provisions of this Act.

We collect the following data on our users:

1. full name or title of user and their organisational form;

2. personal registration number (EMSO);3. phone number;

4. address of the user;

5. user name of the user;

6. affiliation of the user;

7. tax number for natural persons, and tax and registration numbers for legal entities.


8/8/2019 GN2-05-163v3




The new modification of the Electronic Communications Act forbids the collection of personal registrationnumbers, so Arnes will probably stop requiring this data. The Data collected may only be used for the purposesdescribed in the Arnes' internal policies, which are based on the relevant laws. Our internal policy also dictatesthat personal data must be stored only as long as it is needed for the fulfilment of the purpose for which theywere collected. At the end I would like to stress the fact that – at the moment Arnes only establishes eduroamconnections between organisations and they are the ones that collect and store any personal data. Thishowever will be changed in the future.

Reference:

[1] http://www.oefre.unibe.ch/law/icl/si00000_.html

[2] Unofficial translation can be obtained by request from [email protected]

[3]http://mid.gov.si/mid/mid.nsf/V/KA0E6FADE1BF5BBFAC1256EA50054D399/$file/Electronic_Communicatios_Act_May04.pdf

A.2 CARNET, Croatia

At this moment CARNet doesn't have an explicit roaming policy, but we have an internal act about AcceptableUse of CARNet Network (http://www.carnet.hr/crepozitorij/CDA0035.pdf - at this moment we have only Croatian

version of this document, but we will have English translation very soon).

The laws of the Republic of Croatia are published in Narodne novine (www.nn.hr - Croatian only), the official journal of the Republic of Croatia. For the JRA5 relevant laws are:

1. Personal Data Protection Act (Zakon o zaštiti osobnih podataka), 18.06.2003. -http://www.nn.hr/clanci/sluzbeno/2003/1364.htm - in Croatian

2. Electronic Signature Act (Zakon o elektroni?kom potpisu), 24.01.2002. -http://www.nn.hr/clanci/sluzbeno/2002/0242.htm - in Croatian

3. The Telecomunicaton Act (Zakon o telekomunikacijama), 21.07.2003. -http://www.nn.hr/clanci/sluzbeno/2003/1731.htm - in Croatian

4. Public Information Access Act (Zakon o pravu pristupa infromacijama), 21.10.2003. -http://www.nn.hr/clanci/sluzbeno/2003/2491.htm - in Croatian

5. Eletronic Commerce Act (Zakon o elektroni?koj trgovini), 21.10.2003. -http://www.nn.hr/clanci/sluzbeno/2003/2504.htm - in Croatian,http://www.azop.hr/DOWNLOAD/2005/02/16/Croatian_Act_on_Personal_Data_Protection.pdf inEnglish


http://mid.gov.si/mid/mid.nsf/V/KA0E6FADE1BF5BBFAC1256EA50054D399/$file/Electro

http://mid.gov.si/mid/mid.nsf/V/KA0E6FADE1BF5BBFAC1256EA50054D399/$file/Electro

8/8/2019 GN2-05-163v3




The most important law for the JRA5 is the Personal Data Protection Act of the Republic of Croatia.Fundamentals of Personal Data Protection Act have come from the Constitution of Republic of Croatia and theAct is harmonized with EU Directive 95/46/EC.

The 37th Article of The Constitution of the Republic of Croatia state(http://www.sabor.hr/DOWNLOAD/2003/05/19/Constitution.pdf - in English):

"Everyone shall be guaranteed the safety and secrecy of personal data. Without consent from the personconcerned, personal data may be collected, processed and used only under conditions specified by law.Protection of data and supervision of the work of information systems in the State shall be regulated by law.The use of personal data contrary to the purpose of their collection shall be prohibited."

The Personal Data Protection Act determines supervision of collecting, processing and using of personal data

in the Republic of Croatia where the personal data is any data relating to an individual. The Act establishesCroatian Personal Data Protection Agency (http://www.azop.hr/). The Activity of the Agency is carrying outadministrative and professional tasks regarding to personal data protection. In the framework of public tasks ofthe Agency are the following tasks:

• supervises implementation of personal data protection,

• indicates the violations noted during personal data collecting

• compiles a list of national and international organizations which have adequately regulated personaldata protection,

• resolves requests to determine possible violations of rights guaranteed by the Act and maintains theCentral Register.

The Act also defines:

Personal data processing means any operation or set of operations which is performed upon personal data,whether or not by automatic means, such as collection, recording, organization, storage, adaptation oralteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available,alignment or combination, blocking, erasure or destruction, as well as the implementation of logical,

mathematical and other operations on such data.Personal data filing system - means any set of personal data which are accessible according to specific criteria,centralized, decentralized or dispersed on a functional or geographical basis, regardless of whether it has beenstored in computer personal data bases, in any other form of technical tools or manually.

Personal data filing system controller - means a natural or legal person, state or other body that determines thepurposes and means of the processing of personal data. Where the purposes and means of processing havebeen regulated by law, the same law shall designate the personal data filing system controller.


8/8/2019 GN2-05-163v3




In Croatia we (CARNet and Srce) are currently running the national project aimed to establish and maintain theAAI for academic and research community (AAI@EduHr; http://www.aaiedu.hr). Currently home institutions (e.g.CARNet members) are Personal data filing system controllers and they collect individual personal data.

In our opinion, for the JRA5 the most important is part VI of the Act "Personal Data transfer abroad from theRepublic of Croatia" described in the Article13th:

"Personal data filing systems or personal data contained in personal data filing systems may be transferredabroad from the Republic of Croatia for further processing only if the state or the international organization thepersonal data is being transferred to have adequately regulated the legal protection of personal data and haveensured an adequate level of protection.

Prior to transferring personal data abroad from the Republic of Croatia, the personal data filing system

controller shall, in case of reasonable doubt regarding the existence of adequate personal data protectionsystem, obtain an opinion regarding this issue from the Personal Data Protection Agency."


8/8/2019 GN2-05-163v3




A.3 CESNET, Czech Republic

Overview of Czech national legislation relevant to data protection

Data protection in the Czech Republic is governed in particular by the Act No. 101/2000 Coll., on the protectionof personal data and partially by the Act No. 151/2000 Coll., on telecommunications. Personal data are alsoprotected by Penal Code (Act No. 140/1961 Coll.).

The Act No. 101/2000 Coll., on the protection of personal data governs the rights and obligations duringpersonal data processing and sets out the conditions for transfer of personal data to third countries. Personaldata, as defined by the Act (sec. 4 letter a)), is any information concerning an identified or identifiable data

subject. As a general rule, the processing must be always carried out with the consent of the data subject (sec.5 par.2). An exception is permitted solely in cases defined by the Act (e.g. when processing is necessary forcompliance with a legal obligation to which the controller is subject, when processing is necessary in order toprotect the vital interests of the data subject or when processing is carried out solely for archive purposes). Thecontroller determines the purposes and means of the processing of personal data; he may process onlyaccurate personal data and the data must be adequate, relevant and not excessive in relation to the purposesfor which they are processed (sec. 5 par. 1). Furthermore the Act sets out measures that must be taken in orderto secure the processed personal data.

As for transfer of personal data to third countries, transfer of personal data to the EU countries cannot belimited (sec. 27 par. 1). The Office for Personal Data Protection supervises the observance of legally mandated

responsibilities in the processing of personal data. A breach of the legally mandated responsibilities mayconstitute an offence or an administrative offence, for which a fine up to 10 mil. Kc may be imposed.

According to the Act No. 151/2000 Coll., on telecommunications, all personal data as well as data that aresubject to telecommunication secret have to be deleted or made anonymous after a maximum period of 2months except where this information is used for identification or investigation of network abuse (sec. 84 par. 7).Furthermore, persons operating telecommunication services are obliged to notify the relevant authorized bodies(e.g. bodies responsible for penal proceedings or other bodies authorized by law) of information beingtelecommunication secret or personal data (sec. 86 par. 1). For breach of telecommunication secret or dutiesconcerning the protection of personal or transfer data a fine up to 5 mil. Kc may be imposed, for naturalpersons the fine may amount up to 100 000 Kc. The Czech Telecommunication Office supervises theobservance of the above mentioned duties.

Personal data and telecommunication secret are also protected by Penal Code. A person that makesunauthorized use (tells, makes accessible, processes or appropriates) of personal data in connection with theexecution of public administration may be sentenced to imprisonment of up to 3 years or with a fine orprohibition of activity (sec.178). A breach of telecommunication secret may constitute a criminal offencepunished by imprisonment of up to 2 years or prohibition of activity (sec.239). A person that gains access todata carrier and makes unauthorized use of the information carried or destroys, damages, changes or makesthe information unusable or perverts technical or program equipment of a computer or another


8/8/2019 GN2-05-163v3




telecommunication facility may be sentenced to imprisonment of up to 1 year or with a fine or prohibition ofactivity or criminal forfeiture (sec. 257a).

A.4 DFN, Germany

DFN has provided a so called FAQ list on legal issues for DFNRoaming sites. Answers are based on thefeedback from the "Forschungsstelle Recht (Münster)" according to the Germany's telecommunication law.

Which data may a computing centre keep considering the regulations of the relevant data protection acts?

Regulations for the protection of personal data are in a multiplicity of regulations, among other things in the

Federal Law for Data Protection, in the national data protection acts as well as in range-specific regulations.For the DFNRoaming service in particular also the data protection legal regulations from thetelecommunications law (TKG) in §§ the 91 FF and the Teledienstedatenschutzgesetzes (TDDSG) are to beconsulted. According to this any collection, processing and use of personal data is permitted only if theconcerned person consented to the procedures or a legal permission exists (appropriate regulations to finditself finally in §§ 91 FF. TKG, §§ 5 FF. TDDSG).

Inventory data (contract data) may be raised after the TK Datenschutzregelungen in § 95 TKG and § 5Teledienstedatenschutzgesetz (TDDSG) without consent only to that extent, as it is necessary for the purposeof the ground, content arrangement, change or completion of a contractual relation.

The law permits the collection and use of traffic data (data over the closer circumstances of communicationsuch as beginning, duration, end, goal or transferred volume of data) so far it is necessary for certain purposesto the operational completion of the telecommunication service achievement (§ 96 Abs. 2 TKG with reference to§§ 97, 99, 100, 101 TKG). The range of the cognizance for the collection and use is here substantially morerestrictively regulated than with the inventory data.

A consent can take place in writing, alternatively in addition, electronically (§ 94 TKG), if it is guaranteed that itis based on a clear and conscious action of the participant, is logged, at any time be called up and theparticipant can recall the consent at any time with effect for the future. The participants must be informed firstabout kind, range, place and purpose of the data acquisition and processing. The explanation must take placevoluntarily; so the contribution of TK services may not be done dependent in principle on the indication ofpersonal data, which are not necessary for the execution of the services and account. Special additionalrequirements to the consent are defined in relation to traffic data in § 96 Abs. 4 TKG.

The data must be deleted, at the latest, at the expiration of the respective maximum storage period. The lengthis a result from the respective authorities standards or from the content of the consent.

Which data a computing centre must or may keep for purposes of a possible prosecution?


8/8/2019 GN2-05-163v3




There is in principle no obligation to note and keep communication contents and traffic data preventively.Something else applies only if a judicial resolution directed toward future communication procedures of aparticipant is present according to §§ 100a, 100b StPO (communication contents) or §§ 100g, 100h StPO(traffic data). The data must be recorded, stored in the context of the resolution and handed over to the publicprosecutor's office (investigation authority).

Information on traffic data of the past must be provided, if an appropriate judicial resolution is present inaccordance with §§ 100g, 100h code of criminal procedure (StPO) and the data is actually available. The datamight be not available due to the absence of legal permission to store them (§ § 96 FF. TKG) or due to amissing consent and therefore for the fulfilment of the information request is not possible.

If a computing centre states or get knowledge on the fact that a user used the means of the centre in a criminalway, it is not advisable to investigate the incident on own responsibility, because the unauthorized collection

and storage of data can represent a criminal offence or infringement of the regulations as well.

Instead as promptly as possible the police or the public prosecutor's office should be informed so that thosecan accumulate evidence or determine the further steps of the investigations.

Which changes at the aforementioned principles result from the circumstance that in the case of DFNRoaminga user is identified by an IP address from the address area of a guest-giving location or a user is identified byan IP address from the address area from his home institution?

The Roaming provider acts towards these participants as an ACCESS Provider. The same principles apply asin the case of ACCESS Providing to "own" participants.

A.5 FCCN, Portugal

FCCN, NREN-PT; February, 2005, RELEVANT NATIONAL LEGISLATION CONCERNING ROAMING POLICY

Law nr. 67/98, October 26, 1998 (this act implements the Directive 95/46/EC of the European Parliament and ofthe Council of 24 October 1995), regulates the processing of personal data and states the legal framework onthe protection of the data subjects. Law 67/98, October 26, is the main source of Personal Data Protection Law(according to article 10.º of the Law n. 67/98, the controller or his representative shall provide the data subjectwith the following information:

(a) The identity of the controller and of his representative, if any;

(b) The purposes of the processing;

(c) The data to be processed;

(d) Other information such as:


8/8/2019 GN2-05-163v3




(i) the recipients or categories of recipients;

(ii) whether replies are obligatory or voluntary, as well as the possible consequences of failure to reply;

(iii) The existence and conditions of the right of access and the right to rectify, provided they arenecessary, taking account of the specific circumstances of collection of the data in order toguarantee the data subject that they will be processed fairly.

In addition, the documents supporting the collection of personal data shall contain the information abovereferred). However, when dealing with data protection, we must also consider the following acts or regulations:article 35.º of the Portuguese Constitution; Law nr. 68/98, October 26 (determines that the National

Commission for the Protection of Personal Data (.CNPD.) is the Portuguese representative in EU, forparticipation at EUROPOL);

• Law 41/2004, August 16 (personal data and privacy protection in the telecommunicationssector . corresponds to Directive 2002/58/CE, July 12);

• Law nr. 109/91, August 17 (Computer Criminal Law), the Portuguese legislator based this lawon the guiding principles (minimum list) contained in the Report of the European Committee onCrime Problems of the Council of Europe (1990).

• Law nr. 109/91 prescribes that corporate bodies shall be held criminally liable.

The offences therein punished are, for example: damage to data and programmes, computer-related sabotage,illegitimate access, illegitimate interception of computer systems or networks, illegitimate reproduction ofcomputer programmes. Considering that Internet use may lead to the diffusion of defamatory or libellouscontent, ours Civil and Penal Codes also regulate it. The Penal Code contains the following offences:

• penetrating into privacy (Art. 193),

• computer related swindle (Art. 221),

•

improper use of guarantee or credit cards (art. 225) and• guarantee or credit cards levelled to currency (Art. 267, No. 1, subparagraph c)), concerning eventual

offences against ones private life or right of image, Arts. 79 and 80 of the Civil Code, see also Art. 8 ofthe European Charter of Human Rights.

Although the Portuguese procedural law already permits the interception of communications from and to acomputer or between computers, Portugal´s ratification of the Convention of the Council of Europe on Cyber-crime will require not only that the legally prescribed cyber-offences be revised, but also that proceduralmeasures concerning the powers and means necessary to investigate and find the facts about such infractionsbe developed, especially those referring to evidence.


8/8/2019 GN2-05-163v3




Law nr. 5/2004, February, 2004 - Law on Electronic Communications.

This law is aimed at setting up a legal regime applicable to electronic communications networks and services,and to the related resources and services, determining the competences of the corresponding nationalregulating authority. This law results of the process of transposition of Directives Nos. 2002/19/CE ( access andinterconnection of electronic communications networks and related resources - access directive), 2002/20/CE(authorisation of electronic communications services and networks FCCN, NREN-PT; February, 2005 -authorisation directive), 2002/21/CE (common regulating framework for electronic communications servicesand networks - framework directive), all of the European Parliament and of the Council, of 7 March, and ofDirective No. 2002/77/CE of the Commission, of 16 September.

Decree-Law nr. 7/2004, January, 2004, - Portuguese legal framework on electronic commerce (e-commerce).

This decree-law is the result of the transposition of the Directive No. 2000/31/EC of the European Parliamentand of the Council, of 8 June 2000, and it deals with legal aspects connected with the services of theinformation society like, for instance, electronic contracts, ISP liability and unsolicited commercial emails.Decree-Law nr. 7/2004, also reproduces the basic content of Arts. 12-13 of the Directive 2002/58/CE of theEuropean Parliament . Directive on privacy and electronic communications . but only those two articles, whichare about unsolicited communications (Spam), the remaining articles of the directive were not yet transposed.Basically, Decree-Law nr. 7/2004 establish that the intermediary service providers do not have the general dutyto monitor all the information they transmit, store or provide the access to. A final note for Chapter III (Arts. 11-19) - ‘Liability of intermediary service providers., in special Arts. 14, 15 and 16 that corresponds, respectively, toArts. 12, 13 and 14 of the Directive: ‘mere conduit´ (art. 12), ‘caching´ (Art. 13) and ‘hosting´ (Art. 14). Theseare fundamental provisions that cannot be overlooked, however, FCCN is not an ISP, so we are not completelysure that Decree- Law nr. 7/2004 is applicable to our network.

A.6 GRNET, Greece

NTUA/GRNET, Greek legislation synopsis

This document was written for NTUA on behalf of GRNET for their participation in GN2-JRA5 GN2-JRA5participant: Spiros Papageorgiou ([email protected])

European dimension

The protection of privacy is ensured by Article 8 of the European Convention for the protection of Human Rightsand Fundamental Freedoms. It should be underlined that all Member States and

the European Union are bound by the provisions of this Convention. Furthermore, the Convention for theprotection of individuals with regard to automatic processing of personal data (No 108/1981) was the first legalbinding instrument in the data protection field. The Charter of Fundamental Rights of the European Union,signed and proclaimed in Nice on 7 December 2000, provides in Article 7 for the protection of private and familylife, home and communication and in Article 8 for the protection of personal data. Whereas the new European


8/8/2019 GN2-05-163v3




Constitution contains also articles specifically devoted to data protection and privacy (e.g. I-51), and there arestrong indications that the European Union may promote further development in the very near future.

Over the past decade, the European Commission has promoted and/or adopted a number of Directives andDecisions intended to create a legal framework within the European Union that

provides strong protection to citizens against the non-consensual, excessive collection, processing orcommunication of their personal information. In particular, Directive 95/46/EC of the European Parliament andof the Council of 24 October 1995 (the Data Protection Directive ensures the protection of privacy and privatelife as well as the protection of personal data with regard to fundamental rights and freedoms of natural persons(Article 1, para. 1), makes reference to specificity and sensitivity of processing of sound and image data(Articles 2(a) and 33 and recitals 14 and 26), and deals in detail with issues linked to data quality (Article 6),criteria for making data processing legitimate (Article 7), processing of special categories of data (Article 8),

information to be given to data subjects (Articles 10 and 11), data subject’s right of access to data and right toobject to the processing (Articles 12, 14 and 15), safeguards applying in relation to automated individualdecisions (Article 15), confidentiality and security of processing operations (Articles 16 and 17), notification ofprocessing operations (Articles 18 and 19), and prior checking of processing operations likely to presentspecific risks to the rights and freedoms of data subjects (Article 20).

In addition to the general Directive 95/46/EC, the Directive 2002/58/EC of the European Parliament and of theCouncil of 12 July 2002 concerning the processing of personal data and the

protection of privacy in the electronic communications sector (replacing Directive 97/66/EC) is also relevant.The Universities involved could also take adequate measures in order to implement the so-called principle ofmoderation in the use of personal data (which is aimed at preventing or reducing, to the greatest possibledegree, the processing of personal data). One possible goal is to take additional steps in order to developprivay-enhancing technologies (PETs). From a regulatory point of view, it could be stressed that the frameworkprinciples behind the concept of PETs are laid in Directive 95/46/EC and especially in Articles 6(1), 17 andRecital 46 of the preamble to the Directive. In particular, Article 6(1) refers to the principle of data minimisationby stating that the processing of personal data should be limited to data that are adequate, relevant and notexcessive. This principle is strengthened by the reference that data should only be kept in a form that permitsidentification of data subjects for no longer than is necessary for the purposes for which the data were collectedor for which they are further processed. Article 17 of the Directive in question requires that controllersimplement security measures which are appropriate to the risks presented for personal data in storage or

transmission, with a view to protecting personal data against accidental loss, alteration, unathorised access, inparticular where the processing involves the transmission of data over a network, and against all other unlawfulforms of processing. And Recital 46 of the preamble to the Directive underlines the fact that the protection ofthe rights and freedoms of the individuals with regard to the processing of personal data requires thatappropriate technical and organisation measures should be taken, both at the time of the design of theprocessing system and at the time of the processing itself.

National Data Protection Legislation

The Hellenic Constitution of 1975, as revised in April 2001, contains a set of fundamental rules covering privacyand the broader right to personality. Furthermore, Greece has constitutional provisions, which deal with respect


8/8/2019 GN2-05-163v3




for, and the protection of, human value that cannot be waived by the individual. In particular, according toArticle 9A of the Hellenic Constitution, «every individual has the right to be protected from the collection,processing and use, particularly by electronic means, of personal data, as stipulated by the law». Furthermore,Article 19 para. 1 of the Constitution provides that «the secrecy of letters and of free correspondence orcommunication by any other means is absolutely inviolable (…)». Two are the competent regulatory authoritiesin Greece, the Hellenic Data Protection Authority and the Hellenic Authority for the Information andCommunication Security and Privacy (ADAE). The mission of the Hellenic Data Protection Authority (which hasthe status of an Independent Administrative Authority) is to supervise the implementation of Law 2472/97 andthe totality of regulations pertaining to the protection of the individual with respect to the processing of personaldata. The Authority’s aim is to promote: respect of and protection as regards the rights of the individual and thestate of democracy; mutual cooperation between the individual and public administration/private enterprises;action of preventive, suppressive and corrective character in the field of personal data protection. The HellenicAuthority for the Information and Communication Security and Privacy (ADAE) has been established under

article 1 of the law 3115/2003, following the guidelines set in paragraph 2 of the article 19 of the GreekConstitution, in order to protect the secrecy of mailing, the free correspondence or communication in anypossible way as well as the security of networks and information. The concept of privacy encompasses thecontrol of observing and regulating the terms and processes of waiving of privacy protection rights as foreseenby the law. The main legal instrument of national law relating to data protection issues is Law 2472/97 on theprotection of individuals with respect to the processing of personal data. This Law implements Directive95/46/EC.

• Law 2225/94, as amended by Law 3115/2003, covers mainly the procedures that have to be followedconcerning the security and privacy of communication.

• Law 2774/99 relates to the processing and the protection of personal data in the telecommunicationssector (implementing Directive 97/66/EC, as amended by Directive 2002/58/EC).

The relevant law on electronic communications (which implements the Framework, Access, Authorisation, andData Protection Directives in the electronic communications sector) is not yet into force. For the purposes ofLaw 2472/97, and in particular article 2, processing of personal data" ("processing") shall mean any operationor set of operations which is performed upon personal data by Public Administration or by a public law entity orprivate law entity or an association or a natural person, whether or not by automatic means, such as collection,recording, organisation, preservation or storage, modification, retrieval, use, disclosure by transmission,dissemination or otherwise making available, correlation or combination, interconnection, blocking (locking),

erasure or destruction.Furthermore, according to article 4 para. 1 of Law 2472/97, personal data, in order to be lawfully processed,must be, inter alia, collected fairly and lawfully for specific, explicit and legitimate

purposes and fairly and lawfully processed in view of such purposes; adequate, relevant and not excessive inrelation to the purposes for which they are processed at any given time; accurate and, where necessary, keptup to date. Moreover, in line with article 5 para. 1 of Law 2472/97, processing of personal data will be permittedonly when the data subject has given his/her consent. Exceptionally, as mentioned below, data may beprocessed even without such consent, only under the conditions of article 5 para. 2 of Law 2472/97. In addition,with regard to administrative sanctions, article 21 para. 1 of Law 2472/97 providesthat the Data Protection


8/8/2019 GN2-05-163v3




Authority may impose on the Controllers or on their representatives, if any, the following administrativesanctions for breach of their duties arising from this law as well as from any other regulation on the protection ofindividuals from the processing of personal data: a warning with an order for the violation to cease within aspecified time limit; a fine amounting between three hundred thousand Drachmas (around 900 euros) and fiftymillion Drachmas (around 150,000 euros); a temporary revocation of the permit; a definitive revocation of thepermit; the destruction of the file or a ban of the processing and the destruction of the relevant data.

According to the Data Protection Authority of Greece, the monitoring and registration of websites visited byusers and the access to data saved on their computers constitutes processing of personal data in the sense ofarticle 2 paragraph (d) of Law 2472/97. This processing cannot be considered to be lawful in case it takes placewithout the consent of the data subject and does not fall under any of the exemptions laid down in article 5,para. 2 of this Law.

Indeed, processing of personal data can be permitted only when the data subject has given his/her consent, asprovided in article 5 para. 1 of Law 2472/97. Exceptionally, data may be processed even without such consent,only if, in accordance with article 5 para. 2 of Law 2472/97, processing is necessary for the execution of acontract to which the data subject is party or in order to take steps at the request of the data subject prior toentering into a contract; processing is necessary for the compliance with a legal obligation to which theController is subject; processing is necessary in order to protect the vital interests of the data subject, if he isphysically or legally incapable of giving his consent; processing is necessary for the performance of a taskcarried out in the public interest or a project carried out in the exercise of public function by a public authority orassigned by it to the Controller or a third party to whom such data are communicated; processing is absolutelynecessary for the purposes of a legitimate interest pursued by the Controller or a third party or third parties towhom the data are communicated and on condition that such a legitimate interest evidently prevails over therights and interests of the persons to whom the data refer and that their fundamental freedoms are not affected.Furthermore, as already mentioned, and in line with article 4 of Law 2472/97, personal data, in order to belawfully processed, must be adequate, relevant and not excessive in relation to the purposes for which they areprocessed at any given time.

In those cases where data collection and processing related to users’ visits to websites occurs, even if it isperformed exclusively for statistical purposes, it constitutes a violation of the principle of proportionality, asestablished in article 4 para.1(b) of Law 2472/97, in cases where the data collected is more than required forthe intended purpose. Besides, in accordance with article E para. 5 of the Directive 115/2001 of the DataProtection Authority, the principles of purpose and proportionality, as these are established by law and

interpreted by the Authority, permit only a case by case and exceptional collection and processing of such dataand on the condition that such acts are founded on an evidently superior lawful interest of the controller (article.5 para. 2e of Law 2472/97).

The principle of proportionality also results to the prohibition of the general, systematic and preemptivecollection and registration of data related to the usage of the Internet. In particular, according to article E para. 4of the directive 115/2001 of the Data Protection Authority of Greece, general communication, includingelectronic mail, data collection and processing is allowed only when it is absolutely necessary for theorganization and control toward performing a specific task or a work cycle and, especially, expenditure control.Communication data recorded have to be limited to those absolutely necessary and relevant for theachievement of these purposes. In no case is it permitted to record nor process the whole number called or the


8/8/2019 GN2-05-163v3




totality of communication data or their content information. It should be stressed that content information mayonly be collected following permission of a judicial authority and on the condition that collection is imposed forreasons of national security or for verifying particularly serious crimes (Article 19 of the Greek Constitution, Law2225/1994 as amended by Law 3115/2003).

In general, therefore, the access and registration of websites and/or other elements of electroniccommunication (e.g. email) is illegal, and such data may not be used for the control of the behaviour of users.As far as declassification is concerned, it should be noted that the provisions of article 19 of the GreekConstitution, in combination with the provisions of article 3 and 4 of Law 2225/94, lead to the conclusion thatthe only competent bodies for declassification of communications performed in any manner are the JudicialCouncil or the Prosecutor (in case of extreme emergency) and only in order to ascertain particularly seriouscrimes expressly stipulated by law or for reasons of national security. Therefore, a prior Order of the Prosecutoris required.

In addition, in line with article 7.2 (c) of Law 2472/97, exceptionally, the collection and processing of sensitivedata, as well as the establishment and operation of the relevant file, will be permitted by the Personal DataProtection Authority of Greece, when processing is necessary for the establishment or exercise or defence ofhis/her rights in court or disciplinary body.

In this case, it is reasonable that the permit from the competent Authority may only be given to the controller,the only person entitled to ask for the permit. In case that the complainant is not the controller, the DataProtection Authority encourages him to submit a request to the corresponding controller in order for the lawfulprocedure to be followed. In any other case, the Authority does not issue a permit but an opinion concerningwhether data transfer is lawful or not. On the basis of the principle of proportionality, provisions of article 7.2 (c)apply in proportion to non-sensitive personal data, the only difference being that, in this case, a permit from theData Protection Authority is not required, but it is possible to ask for a decision or a relevant opinion.

That is, exceptionally, the collection and processing of non-sensitive data is permitted by the Authority for theestablishment or exercise or defence of a right in court. The corresponding controller is responsible to decidewhether law requirements are met and, more specifically, whether data are indeed asked for in order to beused in court and whether they are relevant to the case under dispute. In this case, the controller may ask forthe Personal Data Protection Authority’s opinion. If the complainant is not the controller, the Authority inquestion encourages him to submit a request to the corresponding controller who, in turn, is under theobligation to justify the transfer of data as well as his/her possible refusal to grant the request.

When personal data are produced before a judicial or public prosecutor’s authority and are included in the casefile or constitute part of a pre-trial or formal investigation are dealt with according to the following differences:

• Concerning personal data included in the case file or concerning material of a pre-trial/formalinvestigation, the Personal Data Protection Authority is not competent because the case file ofapending trial and, by proportion, material of a pre-trial/formal investigation, does not constitute a fileaccording to the provisions of Law 2472/97.

• Concerning the legitimacy of personal data collection and their use when a trial is pending or when apre-trial/formal investigation is taking place, the judicial officer or the public prosecutor is competent to


8/8/2019 GN2-05-163v3




judge, within the evaluation framework of the evidence or the investigation material, especially giventhat the right to protection of the individual’s personal data is now also constitutionally consolidated inArticle 9 A of the Greek Constitution.

The above also applies in the case of a public prosecutor’s order, in which the competent public prosecutorapplies the relevant law provisions in order for the order to be issued. In consequence, the person to whom thepublic prosecutor is addressed to has to comply with the said order. The addressing of all the above issuesrequires careful examination of the policy to be finally adopted. It is recommended to draft a relevant agreementto be signed by all universities that will participate in the said program, for the purpose of the efficient operationof the whole project.

This is useful especially for those cases where divergences exist between the relevant national laws, i.e. thereis a difference in levels of data protection afforded in the countries that participate in this project due to the

existence of a wide variety of national laws, regulations and administrative provisions.

We also assume that before a user visits another University, he has signed a relevant form in which he statesthat he shall behave according to the provisions and regulations of the University that he intends to visit and isinformed that he is subjected to the laws of that country. Therefore, the user obtains access only if he has beeninformed on and has accepted the “Policy of Accepted Use and Internet Use Security Policy”. This documentmust be clear and the Universities have to exchange views and comments on such drafts for the purpose oflegal security. Furthermore the Universities should define in this document the consequences for users in caseof non-compliance with the relevant provisions.

Additionally, Universities should not collect and process data that are generally related to electroniccommunications (which include, inter alia, emails), unless this is absolutely necessary. More specifically, theregistered data of communication should be limited to those which are absolutely necessary and appropriate forthe aim pursued. Under no circumstances the processing of the total number or the total data of communicationor part of their content should be allowed.

A.7 ISTF, Bulgaria

We don’t have an explicit roaming policy. A general Acceptable Use Policy is available athttp://www.ist.bg/en/aup.htm Relevant Laws:

1. Personal Data Protection Act of Bulgaria , effective as of January 1, 2002http://grao.government.bg/zakoni/zzld-1.html(in Bulgarian)

2. The Telecommunication Act, effective as of October 7, 2003,http://www.mrrb.government.bg/docs/doc_319.doc(in Bulgarian)

3. Electronic Documents and Electronic Signature Act , effective as of October 7, 2001,http://www.mi.government.bg/norm/laws.html?id=23237(in Bulgarian)

4. Classified Information Protection Act, effective as of April, 20025. Public Information Access Act, effective as of January 1, 2002,

http://www.mi.government.bg/norm/laws.html?id=42854(in Bulgarian)6. Some texts from theConstitution http://www.parliament.bg/?page=const&lng=en(in English)


http://www.ist.bg/en/aup.htm

http://grao.government.bg/zakoni/zzld-1.html

http://www.mrrb.government.bg/docs/doc_319.doc

http://www.mi.government.bg/norm/laws.html?id=23237


http://www.parliament.bg/?page=const&lng=en

http://www.parliament.bg/?page=const&lng=en



http://www.mrrb.government.bg/docs/doc_319.doc

http://grao.government.bg/zakoni/zzld-1.html

http://www.ist.bg/en/aup.htm

8/8/2019 GN2-05-163v3




We think the most relevant to JRA5 is the Personal Data Protection Act. According to it, only registered“Personal data administrators ” could gather, record and process personal data. For more details please seebelow.

An excerpt from the Constitution:

“According to the CONSTITUTION OF THE REPUBLIC OF BULGARIA from. SG. 56/13 Jul 1991, amend. SG.85/26 Sep 2003 in C h a p t e r T w o FUNDAMENTAL RIGHTS AND OBLIGATIONS OF CITIZENS the privacy of citizens is inviolable. Everyone is entitled to protection against any illegal interference in his private or family affairs and against encroachments on his honor, dignity and reputation. Everyone is entitled to seek, obtain and disseminate information but this right shall not be exercised to the detriment of the rights and reputation of others, or to the detriment of national security, public order, public health and morality.”

Personal Data Protection Act

"Personal data" means any information for an individual, disclosing his/her physical, psychological, mental,family, financial, cultural, or public identity. Personal data administrator is a public authority or natural or legal person authorized to specify the type of thedata processed, the purpose of processing, and the methods of processing and of protection. The process ofprotection of individuals with regard to the processing of personal data and the access to such data is regulatedby the Personal Data Protection Act of Bulgaria, which is effective as of 1 January 2002.

The purpose of the Act is to ensure the inviolability of person and personal life, by protecting the individualsfrom illegal processing of their personal data, and regulates the access to such data, while being collected andprocessed. The protection of personal data is provided through the implementation of the rights of the citizens,as laid down by the Personal data protection act. Every individual has the following rights:

• the right of consent for the processing of personal data that relate to him/her;• the right of information about the purposes and means of processing, the recipients to whom the datamay be disclosed, the scope of data usage, the name and address of the administrator;• the right to require access, correction and updating of the gathered data that relate to him/her;• the right to require from the personal data administrator to confirm the existence of personal data

related to him/her;• the right to require from the personal data administrator to delete, to transfer into anonymous data or to

block data processing where it is illegitimately done, and where the data are not necessary for thepurposes for which they are processed;

• the right to object before the administrator against unlawful processing of personal data that relate tohim/her;

• the right to prohibit the entire or partial disclosure of his/her personal data to the administrator, whichare meant to be used for purposes of trade, advertising, or marketing;

•

the right of grievance in cases of violation of his/her rights by approaching the Commission for theprotection of personal data.

A.8 REDIRIS, Spain

This report is an outline of the main legal concepts and regulation that RedIRIS should take into account whensetting up a roaming service in the context of the eduroam and GÉANT2 projects.


8/8/2019 GN2-05-163v3




PERSONAL DATA PROTECTION

References:

- Ley Orgánica 15/1999, de 13 de diciembre, de Protección de datos de carácter personal (LOPD),Spanish Personal Data Protection Act.

- Ley 34/2002, de , de Servicios de la Sociedad de la Información y de Comercio Electrónico (LSSICE),Information Society Services and Electronic Commerce Act.

- R.D. 994/1999, de 11 de junio, por el que se aprueba el Reglamento de Medidas de Seguridad de losficheros automatizados que contengan datos de carácter personal (RMD),

Regulation of Security Measures of automated Personal Data files.

- Report 327/2003 of the Spanish Agency of Data Protection on whether IP addresses are personal data.

There are two different sets of data in the roaming system that may contain personal data: on one hand theinformation provided by the home institution and contained in the credentials and, on the other hand, the logsthat must be kept on authenticated sessions and network access sessions.

In either case, the guest user must provide express consent to the use of the personal data(art. 6 LOPD).Besides, the guest user must be provided with information about the personal data file (art. 5 LOPD): data to beprocessed, purpose of the processing, controller of the file, persons to whom the data will be provided, whetherthe data is compulsory, the consequences of not providing the data and the rights

Furthermore, the files must be protected with security measures, which are set out in detail in RMD. The dataincluded in the credentials should require only basic security measures (art. 4.1 RMD).

However, the logs of authenticated and network access session may require different security measures.According to Report 327/2003, the controller of a file must treat IP addresses as personal data when there is apossibility to link the IP address with a certain person. Therefore, the access logs must be considered personaldata files.

Besides, the Report 327/2003 explains that if the IP address is related to certain data, such as the web pagesaccessed from that IP address, that allow to create a profile of a certain person, the data should be protectedby higher security measures (art. 4.4 RMD). This extra security measures can be costly (for example, theyinclude an audit every two years). Therefore, unless there is a clear reason to record data about the activities ofan IP address, it should not be done.

On top of the regulation of personal data files, LSSICE requires ISPs to maintain a log of the traffic data (art. 12LSSICE) for 12 months. This log should be handed to Judges, the prosecutor office upon request and to thePolice in certain circumstances. This duty requires further regulation which is still not forthcoming, therefore theextent of this requirement is still unclear. It is also debatable whether Universities are to be considered ISPs.


8/8/2019 GN2-05-163v3




LOPD also provides a list of authorities who can request access to personal data (art. 11.2 LOPD).

NETWORK SERVICES

Whether a guest user can use certain services provided by the visited University or by third-parties through thelocal network (such as access to electronic magazines) will depend on the nature of the service and theexisting contracts with third-parties.

USE OF NETWORK ACCESS

References:

- Ley Orgánica 10/1995, de 23 noviembre, que aprueba el Código Penal (Penal code).

- LSSICE

Besides the users' policy of the home and visited universities, the guest user must we aware that the LSSICEregulates certain activities related the provision of Information Society Services and electronic commerce, suchas electronic contracting.

Furthermore, the Spanish Penal code sets out a number of punishable conducts related to computer andnetwork usage, for example:

- Illegitimate access to a telecommunications terminal when this causes a harm to the owner (art. 256Penal Code)

- Discovering secrets (art. 197 Penal Code).

- Infringement of copyright for a commercial purpose and when it harms a third party (arts. 270 et ss.)

A.9 RESTENA, Luxembourg

Overview over national data protection legislation in Luxembourg

The current data protection law is an implementation of European Union directive 95/46/EG. It is called“Protection des personnes à l'égard du traitement des données à charactere personnel” [1], issued at August, 2,2002. A non-official English translation is available at the data protection committee's home page [2]. Althoughit implements the aforementioned directive, its content goes a lot farther than what is required by the directive.

The most outstanding feature is the requirement of reporting the usage of all information that can be associatedwith a person: whenever a company wants to store information that can be uniquely traced back to a person itfirst needs to register which type of data it wants to collect to the national data protection committee [3]. Thecommittee will register and file the request (it does, however, not actively check if the data that is gathered by


8/8/2019 GN2-05-163v3




the company really is required by them). In any case the company is required to inform its customer about thetype, purpose and amount of data that is stored and the customer must declare consent before the data mayactually be stored. In case of a suspected misuse of collected data the committee will get active and investigatethe issue.

The reporting requirement generates a significant work overhead for both this committee and all companiesthat handle personal data. Luckily, the law enables to ease this stringent policy. After a by-law of the GrandDuke in December 2004 that enables article 12 (3)(a) and 40 of the law from August, 2, 2002 it is now possiblethat companies declare an external person or entity as data protection officer. This person needs to havespecial qualifications as defined in article 40 and must be approved by the committee. After that, he is the soleresponsible person for the handling of data. This person or entity still needs to report the usage of data to thecommittee.

EU directive 2002/58/CE, which deals with data protection in electronic communication, is not yet implementedbut in a draft state. The current draft is publicly available [4]. It is expected that this new law will further ease theburden by leaving out the requirement to report the usage of all data to the committee. However, there is nospecific date by which this law should be finished (the current draft is from 2003). A law that regulates the termsopen vs. closed network does not exist yet but is in a late draft state and is expected to be finished in May 2005.The current state-of-the-law is that RESTENA is classified as a communications operator (this term is more orless equal to the commonly used term “telco”), mainly because we are communicating via fiber lines withexternal entities and because we are operating the Luxembourg Internet Exchange for commercial providers.

[1] http://www.etat.lu/memorial/memorial/a/2002/a0911308.pdf

[2] http://www.cnpd.lu/loi_langue_anglaise.pdf

[3] http://www.cnpd.lu/

[4]http://www.cnpd.lu/projet_de_loi_5181.pdf

A.10 SURFnet, The Netherlands

The Netherlands points out that traffic data is a subject of concern due to certain user storage regulations(Directive 2002/58/EC in reflexion 15): "A communication may include any naming, numbering or addressinginformation provided by the sender of a communication or the user of a connection to carry out thecommunication. Traffic data may include any translation of this information by the network over which thecommunication is transmitted for the purpose of carrying out the transmission. Traffic data may, inter alia,consist of data referring to the routing, duration, time or volume of a communication, to the protocol used, to thelocation of the terminal equipment of the sender or recipient, to the network on which the communicationoriginates or terminates, to the beginning, end or duration of a connection. They may also consist of the formatin which the communication is conveyed by the network".


http://www.cnpd.lu/projet_de_loi_5181.pdf

http://www.cnpd.lu/projet_de_loi_5181.pdf

8/8/2019 GN2-05-163v3




Regarding data transfers to third countries an independent body in which all European data protectionauthorities are represented (The Article 29 Working Party) has made a paper about acceptable level ofprotection (Transfers of personal data to third countries; Applying Articles 25 and 26 of the EU data protectiondirective). Basic contents are:

• Purpose limitation principle: data should be processed for a specific purpose and subsequently used orfurther communicated only insofar as this is not incompatible with the purpose of the transfer.

• Data quality and proportionality principle: data should be accurate and, where necessary, kept up todate. The data should be adequate, relevant and not excessive in relation to the purposes for whichthey are transferred or further processed.

• Transparency principle: individuals should be provided with information as to the purpose of the

processing and the identity of the data controller in the third country and other information insofar asthis is necessary to ensure fairness.

• Security principle: technical and organizational measures should be taken by the data controller thatare appropriate to the risks presented by the processing.

• Rights of access, rectification and opposition: the data subject should have the right to obtain a copy ofall data relating to him/her that are processed and a right to rectification of those data that are shown tobe inaccurate. In certain circumstances he/she should also be able to object to the processing of thedata relating to him/her.

• Restrictions on onwards transfers to non-parties to the contract: further transfers of the personal databy the recipient of the original data transfer should be permitted only where the second recipient (therecipient of the onward transfer) is subject to rules affording an adequate level of protection

A.11 SWITCH, Switzerland

Switzerland's legal framework

1. Summary

1.1. Overview of relevant legislation

For the data protection issues the Federal data protection Act and the different cantonal data protection actsapply. For civil liability issues, the relevant cantonal legislation applies and for lawful interception topics theFederal law of interception in the telecom traffic applies.

1.2. Open versus closed networks


8/8/2019 GN2-05-163v3




Though SWITCH is a different legal entity to the Institutions, SWITCH provides not a service to a third partyand qualifies therefore not as a TSP

2. Introduction and facts of case

The following legal opinion is based on the facts of case as defined in the Documentation on the GÉANT2Roaming Requirements (Deliverable DJ5.1.2, Version dated 14.6.2005). It is understood that the HomeInstitution (HI) does deliver only a YES/NO answer, whether the user belongs to the HI or not, but no attributes(option 1). If attributes were delivered this would be an option 2.

3. Overview of relevant legislation

3.1. Main legal issues

The facts of case concern three legal issues: data protection (i), civil liability in case of abuse (ii) and lawfulinterception (iii).

i) When transferring an answer from the HI to the Resource Institution (RI) data protection is an issue.The question is, weather a yes/no answer (option 1) or an answer with attributes (option 2) are to be qualifiedas personal data according Swiss data protection law and if yes, what are the legal conditions that the transfercan be done.

ii) If the user which is logged in the resource of the RI abuses the resources, who is liable for the damageif the user can not be caught? The RI or the HI?

iii) When the general prosecutor requests data or real-time interception the question is what data has tobe logged by whom.

3.2. Data protection

Switzerland is not a member of the EU and follows therefore not the respective EU data protection directive(see Appendix A). Swiss data protection law is none the less very similar to EU data protection law. As data

protection is not a federal duty, the cantons have their own data protection law, which applies to the respectiveuniversities, except the Federal Polytechnic Schools that underlies Federal data protection law. Anyhow theprinciple of what is personal data and how you are allowed to process data are more or less the same.

If the credential is an anonymous one such as a matriculation number, the credential itself is no personal data.If a personalised e-mail address is used as a credential (as it is planed for RADIUS), they are qualified aspersonal data as such and can be processed according to Swiss law only as long as necessary (e.g. a SwissInstitution is RI). The authentification of a user by his HI by yes/no (option 1) is no personal data as such andtherefore data protection law is irrelevant. But when the Swiss HI sends attributes together with a personalizede-mail address (option 2) to the RI, Swiss data protection law applies. Then the export of personal data to


8/8/2019 GN2-05-163v3



foreign countries is only allowed when the protection of personal data is equivalent to the Swiss regulation. Thisis the case for most EU-Member-states, except for company's personal data (e.g. scientific spin-off-companies).

Nonetheless transparency and consent of the user would provide any further problems. It would be thereforewise to inform the user which data are transferred and processed about him from his HI to the RI and to ask hisconsent.

If you do not get consent of the user you need in Switzerland a legal basis for the processing of the data. Thislegal basis may be already given by cantonal law but has to be checked by the Institutions themselves.

3.3. Civil liability in case of abuse

The Institutions should regulate who will be liable of misuse of the resource if the user can not be identified. As

it is not feasible that all Institutions conclude for this purpose agreements with other Institutions, but they couldagree to stick to a common policy.

3.4. Lawful interception

Lawful interception is for the Institutions in Switzerland only a topic, if they provide e-mail-account-services ormobile telephone services to third parties. Providing network connectivity or access to resources does ingeneral not oblige the Institutions to make real-time interception available to the general prosecutor. None theless, Institutions have to grant access to the general prosecutor that he can intercept in real-time.

As long as the Institution does not qualify as Telecom Service Provider (TSP), law requires no data logs. Seethe qualification as TSP under para. 4.

4. Open versus closed networks

When an Institution provides telecom services to third parties then it qualifies as TSP. (Exchange-) students,employees, scholars, visitors are not third parties respectively are a closed user group why most Institutions arenot a TSP. But e.g. alumni's and spin-off-companies are qualified under Swiss telecommunication law as thirdparties, why Institutions have to be careful not to open their user group.

From the point of view of SWITCH, which is a foundation under private law of the Swiss Federation and the

eight university cantons, the NREN-services SWITCH provides is limited to the Institutions. Though SWITCH isa different legal entity to the Institutions, SWITCH provides not a service to a third party and qualifies thereforenot as a TSP.

Nicole Beranek Zanon, Legal Counsel SWITCH, Attorney-at-Law, June 29, 2005