1 / 17

European data protection and privacy regulations

European data protection and privacy regulations. Johny GASSER Orange Business Services – Consulting & Solutions Integration International Cyber Center 2011 Workshop on Cyber Security and Global Affairs Budapest, May 31 to Jun 2, 2011. agenda. section 1 status of the data protection

beatrice-west
Télécharger la présentation

European data protection and privacy regulations

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. European data protection and privacy regulations Johny GASSEROrange Business Services – Consulting & Solutions Integration International Cyber Center2011 Workshop on Cyber Security and Global AffairsBudapest, May 31 to Jun 2, 2011

  2. agenda section 1 status of the data protection section 2 European regulations basics section 3 concerns with US section 4 potential solutions International Cyber Center – Budapest Workshop

  3. status of the data & privacy protection International Cyber Center – Budapest Workshop

  4. data protection status source: http://www.forrester.com/cloudprivacyheatmap International Cyber Center – Budapest Workshop

  5. data protection status - Europe source: http://www.forrester.com/cloudprivacyheatmap International Cyber Center – Budapest Workshop

  6. are security and privacy issues Top concerns? source: Forrester Research, January 2010“As IaaS Cloud Adoption Goes Global, Tech Vendors Must Address Local Concerns ” International Cyber Center – Budapest Workshop

  7. European regulations basics International Cyber Center – Budapest Workshop

  8. key European regulations on data and privacy protection • European Convention on Human Rights (ECHR) (formally the Convention for the Protection of Human Rights and Fundamental Freedoms) • European Commission Directive 95/46/ECthe data protection directive • European Commission Directive 2002/58/EC Directive 2002/58 on Privacy and Electronic Communications, also known as E-Privacy Directive • National Constitutions • National regulations (penal, civil, data protection, etc) • International Treaty – Cybercrime Convention International Cyber Center – Budapest Workshop

  9. definitions(source EU Directive 95/46 – data protection) • personal datashall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity; • processing of personal data ('processing')shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction; International Cyber Center – Budapest Workshop

  10. EU directive 95/46 • personal data must be collected for specified, explicit and legitimate purposes, and kept up to date • personal data may be processed only if the data subject has unambiguously given his/her consent • it is forbidden to process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life. • every data subject should have the right to obtain from the controller which data is processed • the data subject should have the right to object, on legitimate grounds, to the processing of data relating to him/her • the controller must notify the national supervisory authority before carrying out any processing operation. International Cyber Center – Budapest Workshop

  11. EU directive 95/46 – cross border transfer • Transfers of personal data from a Member State to a third country with an adequate level of protection are authorized. • the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited • list of countries having adequate level of protection is published and maintained by European Commission • the adequacy of the level of protection afforded by a third country must be assessed in the light of all the circumstances surrounding the transfer operation or set of transfer operations International Cyber Center – Budapest Workshop

  12. concerns with US International Cyber Center – Budapest Workshop

  13. concerns about USRumors, myths and facts • use of Patriot actBush administration has convinced the Belgium private SWIFT to provide US with an access to all inter bank orders. Justification were about the fact that SWIFT has subsidiaries in US, so Patriot Act was applicable.This has been revealed in 2006 by the New York Times. • activities of the NSAThe National Security Agency (NSA) carries out industrial espionage on governmental organizations and private-sector firms, with its wiretapping network Echelon.This has been officially revealed in 1998 in a report presented to the European Parliament, and confirmed in 2000 by former CIA director James Woolsey, in an article in March for the Wall Street Journal.Confirmed case are Airbus with Saudi Arabia contract, Thomson CSF with Brazil military contract and Japanese NEC. International Cyber Center – Budapest Workshop

  14. potential solutions International Cyber Center – Budapest Workshop

  15. potential solutions for European Companies • do not work with US companies for sensitive data, or financial industry Take care about “in the cloud” services • work only with companies applying SAFE HARBOUR principles • use standards contractual clauses as defined by EC (Decision 2001/497/EC) • perform audit on site in US, or obtain SAS70/SSAE16/ISAE3402 independent audit report • deploy solution and infrastructure to ensure that no private data are accessible from US, even in disaster recovery scenario For US companies • apply to the SAFE HARBOUR self certification • demonstrate that you can not access personal data, or provide logs in real-time of which access has been done, etc • work hard to get the trust of your European customers International Cyber Center – Budapest Workshop

  16. summary data protection in Europe • is not simple to address • is serious, it is a fundamental right of the Human Rights • SAFE HARBOUR is an effective solution for US companies, easiest and safest for US companies, but it has limits: self certification • Employees have rights to privacy, even at job, even if business only rule in contract, signed. • In the cloud services are subject to data protection regulations… including cross borders flows restrictions… International Cyber Center – Budapest Workshop

  17. thank you

More Related