Data Protection Regulation

10 September 2014 at 8:57am
I was invited to give a presentation on legal and ethical issues around information sharing at TERENA’s recent security services workshop. The talk highlighted the paradox that sharing information is essential to protect the privacy of our users when their accounts or computers have been compromised, but that sharing can also harm privacy if it’s not done correctly.
24 April 2014 at 1:59pm
I only wish the Article 29 Working Party had published their Opinion on Legitimate Interests several years ago, as it could have saved us a lot of discussion in the federated access management community.
14 April 2014 at 11:13am
At present only public telecommunications providers are required by European law to notify their customers of security breaches affecting their privacy, including breaches that affect the confidentiality, integrity or availability of personal data. In the UK the Information Commissioner has published recommendations on handling privacy breaches, including when to notify those affected.
14 February 2014 at 2:07pm
The Information Commissioner’s analysis of the European Parliament’s amendments to the draft Data Protection Regulation discusses the wide range of information that falls within the definition of "personal data" and gives examples that seem particularly relevant to identity federations.
10 January 2014 at 11:44am
As a privacy-sensitive person, I'm concerned that the trend in European Data Protection law seems to be to place more and more weight on my consent as justification for processing my personal data. In theory that sounds fine – given full information and a free choice, I can decide whether or not I'm willing for the processing to take place.
25 November 2013 at 9:11am
At the moment both cloud computing providers and their business customers in Europe have to deal with at least twenty-eight different interpretations of Data Protection law. And there are nearly as many different national rules and formalities when using non-European cloud providers (the UK approach is described in the Information Commissioner’s Guide to Cloud Computing).
28 October 2013 at 11:03am
A law that promotes Privacy by Design and Data Minimisation ought to encourage the use of indirectly-linked identifiers, which allow processing to be done separate from, or even without, the ability to identify the person whose information is being processed. However European Data Protection law has never really worked out what these identifiers are. The resulting regulatory uncertainty discourages the use of indirectly-linked identifiers to protect privacy and may even result in obligations that create new privacy risks.
8 October 2013 at 9:31pm
At the VAMP workshop last week I was asked to review legal developments that might affect access management federations. On the legislative side the new European Data Protection Regulation seems to be increasingly mired in politics.
15 August 2013 at 3:25pm
A recent news story reported that a small number of litter bins in London were collecting a unique identifier from passing mobile phones and using these for some sort of "footfall analysis". There doesn’t seem to be much detail about the plans: it struck me that a helpful application could perhaps be to look for the same phone passing slowly and repeatedly past, and display an "are you lost?" map on the bin’s advertising screen!
25 June 2013 at 3:30pm
The theme of this week’s conference of the Forum of Incident Response and Security Teams (FIRST) is “Sharing to Win”. Perhaps inevitably, I’ve had a number of people (and not just Europeans) tell me that privacy law prevents them sharing information that would help others detect and recover from computer security incidents. If that’s right, then those laws are working directly against the privacy they are supposed to be protecting.