INFOBALT, Vilnius, 21 October 2002 1 Data protection and smart cards Karel Neuwirt The Office for Personal Data Protection The Office for Personal Data

INFOBALT, Vilnius, 21 October 200INFOBALT, Vilnius, 21 October 20022

11

DData protection ata protection andand smartsmart cardscards

Karel NeuwirtKarel Neuwirt

The Office for Personal Data ProtectionThe Office for Personal Data Protection

Czech RepublicCzech Republic

It is no accident that the European approach to protecting personal data is nowadays most widely accepted, from the countries of Central and Eastern Europe to Canada, and from various countries in the Asia-Pacific area to Latin America, where safeguarding privacy is receivinga great deal of attention in the form of laws that make explicit reference to the systems of rules that have been adopted in Europe.

Romano Prodi

President of the EC, 2002


33

… also potential risks involved in the use of new information technologies for both individuals and society. A clear regulatory framework will help to promote the opportunities and minimize risks. Governments need to co-operate in the international arena to this end… Guy de Vel

Director General of Legal Affairs, 2002


44

History of PrivacyHistory of Privacy

The Bible has numerous references to privacy

1361 – the Justice of the Peace Act (England)

1776 – Access to Public Record (Sweden)

1858 – prohibition the publication of private facts

(France)

1889 – prohibition the publication of information

relating to “personal or domestic affairs”

(Norway)


55

History of Data ProtectionHistory of Data Protection G. Orwell – “1984” - 1948 (Big Brother G. Orwell – “1984” - 1948 (Big Brother

world)world) Interest in the right of privacy increased in Interest in the right of privacy increased in

the 1960s and 1970s – the 1960s and 1970s – advancedadvanced of of information technologyinformation technology

Land of Hesse (Germany 1970) – the first Land of Hesse (Germany 1970) – the first data protection law in the worlddata protection law in the world

Sweden (1973), Germany (1977), France Sweden (1973), Germany (1977), France (1978)(1978)


66

Smart cardsSmart cards

Plastic card carried some personal dataPlastic card carried some personal data Diners Club, 1950Diners Club, 1950 Bank of America, credit card, 1960Bank of America, credit card, 1960 Patent of Ronald Moreno, 1974Patent of Ronald Moreno, 1974 Bull memory card, 1985Bull memory card, 1985 ORGA multifunctional processor cardORGA multifunctional processor card


77

TechnologyTechnology? Key or carrier of data ?? Key or carrier of data ?

Plastic card (data on surface)Plastic card (data on surface) Magnetic stripMagnetic strip MemoryMemory MicroprocessorMicroprocessor Laser memoryLaser memory Cryptographic chip Cryptographic chip

different level of data protectiondifferent level of data protection


88

Smart card applicationsSmart card applications

- - authentication of authorized personnel authentication of authorized personnel - support legally recognized electronic support legally recognized electronic

signaturessignatures- citizen electronic identity cardcitizen electronic identity card- social security identification of insured pers.social security identification of insured pers. - health passport cardhealth passport card- local services (transport, loyalty, leisure …)local services (transport, loyalty, leisure …)


99

Smart cards areSmart cards are- sensibly standardized sensibly standardized - securesecure- really personalreally personal- portableportable- familiar to userfamiliar to user- largely able for customizationlargely able for customization- widely offered on the marketwidely offered on the market- without credible competitionwithout credible competition

EC-Enterprise DG, 2002EC-Enterprise DG, 2002


1010

Security frameworkSecurity framework

Technology securityTechnology security: : reliability, technical reliability, technical solutions, quality of components used in system, solutions, quality of components used in system, resistant to breakdowns and attacks. resistant to breakdowns and attacks.

Implementation of international norms and Implementation of international norms and standards defined by CEN and ISOstandards defined by CEN and ISO

Application securityApplication security: : security level in whole security level in whole system (application). Risk management.system (application). Risk management.

Risk analysis. Risk analysis.


1111

Protection of dataProtection of data

is a fundamental issue for success is a fundamental issue for success

of the applicationof the application

- authorization access right to data- authorization access right to data

- protection against unauthorized reading, - protection against unauthorized reading, modification, misusemodification, misuse

- appropriate legislation- appropriate legislation

- ethical issues - ethical issues


1212

Council of EuropeCouncil of EuropeReport on the protection of personal data with Report on the protection of personal data with regard to the use of smart cards :regard to the use of smart cards :

www.coe.int/T/E/Legal_affairs/Legal_co-www.coe.int/T/E/Legal_affairs/Legal_co-operation/Data_protection/operation/Data_protection/

Guiding Principles for the Protection of Guiding Principles for the Protection of Personal Data with Regard to the Use of Personal Data with Regard to the Use of Smart CardsSmart Cards

working document, working document, CJ-PD, 2002CJ-PD, 2002


1313

Key factorsKey factorsNational legal frameNational legal frame

Council of Europe and EU legislationCouncil of Europe and EU legislation

Acceptance of all “players” – card holder,Acceptance of all “players” – card holder,

card issuer, card userscard issuer, card users

Technology – user friendly and secureTechnology – user friendly and secure

technologytechnology

High protected personal dataHigh protected personal data


1414

LegislationLegislation

Domestic data protection lawsDomestic data protection laws

Convention 108 and Council of Europe Convention 108 and Council of Europe RecommendationsRecommendations

Directive 95/46/ECDirective 95/46/EC Directive 2002/58/ECDirective 2002/58/EC


1515

National legislationNational legislation

Collecting and processing personal data in Collecting and processing personal data in systems which use smart cards should systems which use smart cards should respect all the principles of personal data respect all the principles of personal data protection established by national protection established by national legislationlegislation


1616

Legislation - EuropeLegislation - Europe

Convention for the Protection of Convention for the Protection of Human Rights and Fundamental Human Rights and Fundamental FreedomsFreedoms (Rome, 1950) (Rome, 1950)

Convention for the Protection of Convention for the Protection of Individuals with regard to the Individuals with regard to the Automatic Processing of Personal DataAutomatic Processing of Personal Data (ETS 108, 1981) (ETS 108, 1981)


1717

Legislation - EuropeLegislation - Europe Directive on the Protection of Directive on the Protection of

Individuals with regard to the Individuals with regard to the Processing of Personal Data and on the Processing of Personal Data and on the Free Movement of such DataFree Movement of such Data

((95/46/EC, 199595/46/EC, 1995))

Directive on privacy and electronic Directive on privacy and electronic communicationscommunications ((2002/58/EC, 2002)2002/58/EC, 2002)


1818

Convention 108Convention 108

The 1The 1stst legally binding international data legally binding international data protection instrumentprotection instrument

Strasbourg 28Strasbourg 28 January January 19811981

Article 8 Human Right ConventionArticle 8 Human Right Convention

Ratification – all EU countries + Ratification – all EU countries + Bulgaria,Bulgaria, Czech Republic,Czech Republic, Estonia, Hungary, Latvia, Estonia, Hungary, Latvia, Lithuania, Lithuania, Poland, RomaniaPoland, Romania, , Slovakia, Slovenia Slovakia, Slovenia

Schengen acquisSchengen acquis


1919

Additional ProtocolAdditional Protocol

Additional Protocol to the Convention 108 Additional Protocol to the Convention 108 regarding supervisory authorities and regarding supervisory authorities and transborder data flowstransborder data flows

ETS no. 181 – 8.11.2001ETS no. 181 – 8.11.2001 Signature – 18 countries Signature – 18 countries

Slovakia, Lithuania, Czech RepublicSlovakia, Lithuania, Czech Republic Ratification – Ratification – SwedenSweden, Slovakia, Slovakia


2020

Directive 95/46/ECDirective 95/46/EC

Free internal marketFree internal market Development of the informationDevelopment of the information society society Remove obstacles to the free movement Remove obstacles to the free movement

of the dataof the data

but respect fundamental human rightsbut respect fundamental human rights Harmonize national provisions in DPHarmonize national provisions in DP


2121

Directive 95/46/ECDirective 95/46/EC – cont. – cont.

Applies to any operation or set of operations Applies to any operation or set of operations which is performed upon personal data – which is performed upon personal data – processingprocessing

Personal data – the data relating to any Personal data – the data relating to any identified or identifiable individual – data identified or identifiable individual – data subjectsubject

Controller – determines the purposes and Controller – determines the purposes and the means of processingthe means of processing


2222

Directive 2002/58/ECDirective 2002/58/EC

Concerning processing of personal data and the Concerning processing of personal data and the protection of privacy in the electronic protection of privacy in the electronic communications sectors (Directive on privacy communications sectors (Directive on privacy and electronic communications)and electronic communications)

/repealed and replaced the Directive 97/66/EC//repealed and replaced the Directive 97/66/EC/

- Translates Directive 95/46/EC principles into the - Translates Directive 95/46/EC principles into the telecommunication sectortelecommunication sector

- Unsolicited communications : opt-in (prior consent)- Unsolicited communications : opt-in (prior consent)


2323

eEurope Smart CardeEurope Smart Card

Electronic cards – significant role in the Electronic cards – significant role in the information societyinformation society

EU Conference in Lisbon – smart card in EU Conference in Lisbon – smart card in the framework of the eEurope 2000: An the framework of the eEurope 2000: An Information Society for AllInformation Society for All

More about More about the the eESC eESC – see presentation – see presentation of of Lutz Martiny, ChairmanLutz Martiny, Chairman


2424

Specific risksSpecific risks Increasing volume of data – attack against Increasing volume of data – attack against

the cardthe card

Recording and processing of sensitive Recording and processing of sensitive personal datapersonal data

Payment operationPayment operation Health cardHealth card


2525

Access to dataAccess to data

Access by a cardholderAccess by a cardholder

– – how to realizehow to realize

Access by a third partyAccess by a third party

– – how to preventhow to prevent

Software level security Software level security

- cryptography- cryptography


2626

Data protectionData protection

Smart card and memory cardSmart card and memory card Contact and contactless cardContact and contactless card Privacy Enhanced Technology (PET)Privacy Enhanced Technology (PET) Specific risks in different applications Specific risks in different applications


2727

Guiding PrinciplesGuiding Principles

12 Principles for the protection of individuals 12 Principles for the protection of individuals

addressed to everyone in smart card application addressed to everyone in smart card application - SC issuer, project designer, managers, - SC issuer, project designer, managers, operators, and cardholder operators, and cardholder

Principles for lawfully and fairly data collection Principles for lawfully and fairly data collection and processingand processing

Application of Convention 108 principlesApplication of Convention 108 principles


2828

Guiding Principles Guiding Principles – cont.– cont.

SC processing of identification data, SC processing of identification data, “ordinary” personal data and sensitive data“ordinary” personal data and sensitive data

Cardholder (data subject) rightsCardholder (data subject) rights

Traces of use of smart cardTraces of use of smart card

Biometric dataBiometric data


2929

Relevant CoE documentsRelevant CoE documents

RecommendationsRecommendations::R(99)14 – R(99)14 – on universal community service concerning on universal community service concerning

new communication and information servicesnew communication and information services

R(99)5 – R(99)5 – for the protection of privacy on the Internetfor the protection of privacy on the Internet

R(97)5 – R(97)5 – on the protection of medical dataon the protection of medical data

R(95)4 – R(95)4 – on the protection of personal data in the area of on the protection of personal data in the area of telecommunication services with particular reference to telecommunication services with particular reference to telephone servicestelephone services

R(90)19 – R(90)19 – on the protection of personal data used for on the protection of personal data used for payment and other related operationspayment and other related operations


3030

Relevant CoE documentsRelevant CoE documents

R(89)2 – R(89)2 – on the protection of personal data used for on the protection of personal data used for employment purposes employment purposes

R(86)1 – R(86)1 – on the protection of personal data used for on the protection of personal data used for social security purposessocial security purposes

R(85)20 – R(85)20 – on the protection of personal data used for the on the protection of personal data used for the purposes of direct marketingpurposes of direct marketing

Draft Recommendation R(2002)… on the protection of Draft Recommendation R(2002)… on the protection of personal data collected and processed for insurance personal data collected and processed for insurance purposes purposes


3131

Legislation - EuropeLegislation - Europe

Recommendations of Council of EuropeRecommendations of Council of Europe Decision of the European CommissionDecision of the European Commission Working Party according the Article Working Party according the Article 29 (W29 (WPP 29) 29) Judgments of the European Court of Human Judgments of the European Court of Human

Rights (StrasbourgRights (Strasbourg)) Conference of the European Commissioners for Conference of the European Commissioners for

Data Protection Data Protection (2001-Athens, 2002-Bonn)(2001-Athens, 2002-Bonn) BerlBerlin Groupin Group ( (data protection in data protection in

telecommunication sectortelecommunication sector)) CEE and Baltic countries meetings (2002-CEE and Baltic countries meetings (2002-

Prague, Vilnius)Prague, Vilnius)


3232

CEEC webCEEC web

http://www.ceecprivacy.org http://www.ceecprivacy.org

Legal instrumentsLegal instruments

Discussion forumDiscussion forum

Links to CEEC websLinks to CEEC webs


3333

Thank you for your attentionThank you for your attention

• The Office for Personal Data ProtectionThe Office for Personal Data Protection

Havelkova 22, CZ-130 00 Prague 3Havelkova 22, CZ-130 00 Prague 3

Czech RepublicCzech Republic

tel.: +420 22100 8288tel.: +420 22100 8288

fax: +420 22271 8943fax: +420 22271 8943

[email protected]@uoou.cz

http://http://www.uoou.czwww.uoou.cz

Documents

INFOBALT, Vilnius, 21 October 2002 1 Data protection and smart cards Karel Neuwirt The Office for Personal Data Protection The Office for Personal Data