Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

TIIME 2015 Session 29: DP Code of Conduct: Q&A with Art 29

Convener: Marcus Hild

Abstract: Geant Code of Conduct Q&A, with the questions being about how the pseudonymity helps or does not help institutions to release data to services or enable access to services. Concensus in the group seems to have been that while p. improves data processing practises, it will often not be sufficient as legal grounds for processing or transfering data.

Tags: Privacy


Valter: Geant is to take it to the article 29 of the working party, which is the body in Europe that has the possibility to encourage and endorse the code of conducts. The endorsement has no legal value but that something has ben endorse means that the local data protection officers will recognize the value. We will submit the second version, which will be more detailed.

The time scale is somewhere before the summer of next year. Because we also agree that we want to do the changes that will be taking the guidelines and making them prescriptive, and with that we will change the text.

The process is still the same, to go from a university organisation to being used in different countries.

Niels: Will the new and the old version be versioned aka recognizable?

Valter: I don’t know, this was a decision that we took 15 minutes ago.

Niels: Is it needed?

Valter: Since it’s going to be more pages it needs to be clear. The most important thing is that the principles are going to remain the same from the version 1. The version 2 is just going to go a lot more into details about how to get to those principles.

Peter: It’s a given that there will be no requirements.

Niels: Data Ownership. The current code of conduct says nothing about it, it’s only about passing data from IDP to SP, the biggest difference is the data ownership.

Marcus: There is a very wide spread misunderstanding of data ownership, it exists but only for the data subject. Anyone processing the data is never an owner, he needs to process the data securely, but he is not the owner and if he is transmitting data from one institution to another. That means that he gives that data to a new controller, he needs to make sure he is giving it to a trustworthy one but the link is still to the original user.

Niels: Aren’t you talking about the attributes, I am talking about the data created by that user, the research papers.

David: But is that actually outside of the scope. The university has ownership on some texts as they funded it.

Niels: This is the vehicle where the SP expresses a number of things, and the institutional IDP and only the whole package that needs to be evaluated by the IDP and for them a bit of the package is important.

David: They are the resource providers that claim to take ownership of the data, so I think you need also a technical element to express that, you have to assert that next to CoCo.

Marcus: That’s copyright basically.

Peter: You will see that it’s in the scope of this, the main thing is access control. If you say its access control to all those systems the data transferred is a part of the other stuff, it’s not a part of the transmission.

David: Systems that do user managed attributes where the user sends attributes, nobody can tell him not to, the IDP doesn’t usually release the attributes because the data is owned by the person. Does the IDP have the right now to release the data if the owner instructs him to release the data?

Marcus: Everything stays in the control of the data. There is no ownership, there is also no right to get the data from the third party. The law will give you the copy of the data the subject has. You can only force him for other reasons, it’s not data protection, like the agreement you have with him, if you want him to release them and he doesn’t and he is bound by a contract he can get a penalty for it.     That might be in breach but laws might not, maybe in the contract its not regulated that he has to do it. DP is always about it, to not let the user give any files, to keep it for himself.

Niels: That is perceived as one of the scenarios to prevent the data being sent over the board and to have the government collect data and if that doesn’t work or help you can just send everything.

Marcus: There are different tools for it.

Matthew: We need something that is unchanging, as we have these requirements, and to have the iGp release anything and because we need that. If someone owes from one institution to another, we need to track that. It’s easier if they are in Irns.

Peter: The member states have different interpretations, one have the pen PAI, the extremist’s view, if someone can make the connection to the PI, as I don’t know what I am releasing. For example in Austria, in the law it says that a person can legally make a connection to someone. So there is no consistency here, there is the danger, that even if you only release something that’s opaque to the recipient, you will be made reliable that you still supply with the persistent identifier that will help him understand the subject.

Niels: We are back to my question to the ownership. There is a service called ORCID, what it does, it is a LinkedIn for researches. You login using the credentials and you type in your whole life, instantly as you do that, you have a lot of identifiers.

Peter: One of the legal grounds to release data is if it is published already; the secrecy can’t be claimed on them. We step in and say hey the IP address is unique, we tell the recipients, don’t use the email address as an identifier and we give them an opaque synonym. If we only gave them the synonym it would satisfy and if we only send them the public information it would be okay but we want them both and that spoils the whole thing, as we give them the synonym.

Marcus: You need to keep the whole picture. That might be an argument that the pseudonymization is not a good helping tool. In most cases it brings you some improvement and sometimes it doesn’t. If you have the full IP and the address you can also use the name as an identifier.

Niels: If you only send a pseudonymous identifier as information, that could put the IDP in trouble who would stop trusting you completely.

Peter: We think we are making an improvement and on the technical level it is obvious if we don’t give them the email and something pseudo we are giving him less, it is an improvement but you have to rely on other grounds to make it legal.

Niels: We have many of these actually but in our community we want to establish collaboration and that requires people to login to other places, with not entire bio attached but something at least so that that they can recognize each other. You have for example in CERN and people from UK login to help.

Peter: I think the answer to the general question is that you get bonus points in other parts (…)

Data Controller sends the data to the SP, and the SP sends this back asking who’s it is, and the IDP asks for the personal information back. The pseudonymization doesn’t hold legally. It’s a bonus point as you said but it’s not free from the general obligations.

Marcus: In Austria people are soft on pseudonymized data but in most European countries that is not the case. For example Amazon, they require personal information like your address in order to deliver you the package.

Peter: This is a good technology for new systems but for old ones it might be pretty bad. What is the likelihood of the attribute release in Europe?

Niels: I think it turned into zero, as it won’t happen unless the contract is signed, and that is never going to scale as there are thousands and thousands of facilities.