The General Data Protection Regulation's Article 4(1) establishes six principles for any processing of personal data. It's interesting to compare how federated authentication – where a student authenticates to their university/college, which then provides relevant assurances to the website they want to access – performs against those principles when compared with traditional direct logins to websites.
Although the Article 29 Working Party seem to have had applications such as incident response in mind when drafting their guidance on exports, that guidance could also be helpful in the field of federated authentication.
[This article is based on the draft text published by the European Council on 28th January 2016. Recital and article numbers, at least, will change before the final text.]
The European Council of Ministers have now published a proposed text for the General Data Protection Regulation. This still needs to be edited by the Commission's "lawyer-linguists" to check for inconsistencies, sort out the numbering of recitals and articles etc. But the working parties of both the Parliament and the Council have recommended that the resulting text should be adopted by the respective full bodies at meetings in the next couple of months.
A helpful comment on page 3 of the Information Commissioner’s discussion of the latest (Council) draft of the General Data Protection Regulation:
We reiterate our view that there must be realistic alternatives to consent – for example 'legitimate interests' where the data processing is necessary to provide the goods or services that an individual has requested.
A question that comes up from time to time when discussing federated access management is "how can I rely on another organisation to manage accounts for me?". Federation saves services the trouble of managing user accounts by instead delegating the job to an external identity provider, but it's entirely reasonable to think carefully about that. Why should any service trust someone else to manage the keys to its valuable content?
After more than three years of discussion, all three components of the European law-making process have now produced their proposed texts for what a General Data Protection Regulation should look like.
Last week the European Commission published their proposed new Data Protection legislation. This will now be discussed and probably amended by the European Parliament and Council of Ministers before it becomes law, a process that most commentators expect to take at least two years. There's a lot in the proposal so this post will just cover the general themes.
A recent discussion got me thinking about what might be the right number of passwords. There are plenty of references that still say you should have a different password for every service, and breaches such as Adobe’s last year show why. If you use the same password on two different websites and one of those gets compromised, either by phishing or loss and cracking of a password file, then both accounts are put at risk.
It’s often said that technical people are bad at designing user interfaces. Ken Klingenstein’s presentation at the TERENA Networking Conference reported (and demonstrated) the results when user interface experts looked at the problem of explaining federated login to users.