Keynote at the European Identity & Cloud Conference 2013
May 14-17, 2013 at Munich, Germany
It's a pleasure for me to introduce Dr. Wojciech Wiewiórowski, the Inspector General for Protection of Personal Data from the Polish data protection authority.
I think, yes. He not only has a long name, but a very long title. And I think it's a highly, yeah, come on up to the stage. It's a highly important, highly important topic we are touching now, which is really around data protection, the EU legislation, all these things. And I just hand it over to you. Thank you very much and welcome. This microphone, if it's on. Okay. 'Cause I do not have the one in my head. There's, but it's another for hands. You can choose either one.
Okay, perfect. This one works Should work. Yeah.
Okay, perfect. Thank you very much. Good afternoon. My name is Wojciech Wiewiórowski. I'm Inspector General for Personal Data Protection, which stands for data protection authority in the neighboring country of Poland. It's a very long name. There's a historical story about it. The first general inspector of something was created in this country before the Second World War. And that was a general inspector of the army.
And after that, if somebody has to be independent from the government, he's usually called inspector general and he's inspecting, but it's actually the equivalent of data Schutze in Germany, equivalent of the position of Mr. Pet, who is the data protection authority in your country. I hope my presentation will appear.
Yeah, they are looking for that. I guess I copied it really. Okay. So let me say a few words in the beginning. There will be the discussion tomorrow in one of the panels about the changes in the data protection law in Europe. So I'm not going to copy this discussion that will happen. That will happen with the other participants of the panel. And I would like to, just to address one important issue, which is the fact that at the same time, we are changing the law on electronic signatures and identification in Europe.
And at the same time we are changing the law on personal data protection. And the aim in both situations is actually the same, which is to have the regulation instead of the directive, which means to have one really harmonized market and harmonized law, instead of the laws that appear in all the countries, when we implement the data protection law. So usually the people who are coming from the official ground say that nothing, what they will say can be treated as an official position of the organ.
I'm in a slightly better situation because the data protection authority in Poland is a single person body. So I can say that everything, what I will say is actually in compliance with what the data protection authority in Poland thinks. But on the other hand, I have to say that it's not necessarily the same as it is in Germany and as it is in BAV. So that is this inconsistency that we are trying to lose, to skip, when we are discussing about the changes in the data protection law in the European Union right now.
And let me address first you data subjects, because that's actually data about you, ladies and gentlemen do data subjects. This is not something that we find in the coal mine. This is not something which is somewhere in databases of some companies, somewhere in the data centers.
No, this is data about us, and it's also precisely written in the draft regulation on eID and, okay. And the key issues which are going to be addressed are both of these regulations.
I made a slightly different color of those slides, which are about the data protection and those slides, which are about eID, because it's sometimes very hard to find out which rule appears in which draft regulation. And the draft regulation on the protection of individuals with regard to the processing of personal data and the free movement of such data, which is usually called the General Data Protection Regulation, has been proposed by the Commission in SEP, in January last year.
And hopefully, and with the hopes of Ms. Reding, whom I had an opportunity to meet in Warsaw yesterday, the discussion on that will be finished by the end of the year. And in the first half of 2014, the regulation will be ready to be taken by the Parliament and the Council. We don't know exactly what will be in this regulation, but the regulation will be. That's something which we can be sure of, for the political reasons, because there are the elections to the European Parliament.
There will be the new Commission, and definitely the results of this discussion are going to be used in the campaign before the elections and in the programs of the new commissioners. The same thing will happen, I guess, with the eID regulation, which probably will be ready to be adopted at the same time. Both of them should move us from the nineties to 2014, but actually 2011, because that was 2011 when the drafts were somehow written down.
So we will still have the problem of not being up to date, but it's not really 100% good when the law tries to really catch the technological solutions. But definitely the main reason is to find what is actually going on in the 21st century. Is it a Copernican revolution, as it was said by Christopher corner?
No, I guess not, because Copernicus has removed the earth from the center and he put the sun into the center, and here definitely, at least as the data protection law is concerned, the subject of the data is still in the center. And if you look at the regulation on eID, you will find out that there are certain rules and certain articles, which are recalling data protection law, and especially article 11 and article 15, which I will talk about in a while, but it starts actually in article eight.
What you have right now on the screen is the official proposal and the text, which is right now under the discussion in the Council. So there are slight changes between these two texts. And as you can see, the new element, which is going to be added is this paragraph one a, which includes recalling privacy by design and the Directive 95/46, which is the directive on data protection, which exists at the moment. But of course, everybody thinks that in the end, it will be changed into the recalling the regulation, which will be voted at the same time.
So we are smooth, honestly, working on the same documents. I'm not going to go farther in the details of privacy by design. I heard that you had the speech from Ann Cavoukian in the other part of this conference, but it would probably mean, if this part will be in the final text of the eID regulation, that all these rules, the seven main rules of privacy by design, should be included in the activities, both in the development of the e-identity solutions and in the deployment of them at the end user.
And there are some countries including my country who wants to remove this part because they say that this is philosophy. This is not the real law. This is not something that you can really implement.
Of course, Ann Cavoukian would not agree with us. She would say, no, this is something that really can be implemented. And we are operationalizing it in Canada.
Yeah, that's somehow true, but there are a lot of doubts about it. And you have to be aware that if this law will be the law in Europe, it will be fully applicable and fully effective in Germany without implementation in the German law, which means that the ideas of privacy by design shall be in use in their services, while the main discussion about privacy by design is not going on here. It's going on where the regulation on data protection is concerned. And then there is a discussion, what is the privacy by design and what is the privacy by default?
I'm not going to go to the details of that, but we have to know that something which is going to be the main part of article eight is actually discussed by totally different persons at totally different parts of the Council and totally different committees of the Parliament, because these are, even in the European Parliament, two different committees which are discussing that: LIBE, which is dealing with the rights of the people, rights of the citizens, as far as the data protection is concerned, and ITRE, as far as the eID is concerned.
And definitely there are some additional things that the parliamentarians are going to add to the document that was proposed by the Commission. It recalls the new things to be taken into consideration where any kind of e-identification service is under preparation, or is going to be deployed on the European soil or in the European environment. And if we go farther, we'll find an interesting article 11, which is the clue of combination between these two acts. Funny enough, there is nothing about e-identification in the regulation on data protection.
There is nothing about it, but there are the rules, especially in the article 11, as far as the eID regulation is concerned. But there are a lot of doubts about it, especially as far as the paragraph one and paragraph four are concerned. There is one country which already said that article one, which is here, will be an additional red tape and additional problem for each enterprise that is going to deal with identity.
They are recognizing this as an additional problem that they will have that this, especially the startups, especially the companies which are introducing the innovative solutions that they will have to, that they will have to follow the results of the regulation that right now directive, but in the future regulation, the only country is Sweden. Sweden is saying that it might be the problem. Germany has its own doubts as well.
I will go on further, hello, some doubts as well, but rather about the problem of the pseudonyms. That's of course connected with the fact that several solutions about pseudonyms are already now in the German national law. And Germany is concerned that the new regulation, which is taken on the European level, may kill the good solutions and the good experiences that have been already established in this country.
Poland is saying that if we have a general problem with the data retention, and if we were recalling the main rules of the directive on data protection, then we have to remember that there is a main rule of minimization of data, which is in the data protection regulation, right now in the data protection directive. And it may mean that we probably need some additional rule in the eID regulation about the long-time retention of data.
Otherwise the data protection law may be the problem to keep the data which may be used for the eID purposes for a long time, actually by the end of the world. But cause probably, probably it should be kept for such a long time. So let's see another problem which we face. We have the supervisory bodies, which should be informed about any data breach incident that happened with the data, and the eID regulation is very strong about it. Also the data protection regulation is very strong about it.
If we look at the texts, the text of the data protection regulation draft from January last year and the primary text from June 2012, as far as the eID is concerned, they are okay. I mean, they at least say the same things about the same problem, but right now the discussion is in two different committees in the Parliament, in two different committees in the Council. What will be the results, we actually don't know.
And I am not surprised that the European Union wants to have this data breach notification system. You know that it exists in most of the Europeans, sorry, most of the American states. And also there are works on that on the federal level.
Here, we have the answers to the question that was asked by Eurobarometer about whether we want to be informed about the incidents with our data. I know the slide is not very well visible, but I can say to you that in all the countries where this question had been asked, at least 78% of the people said, yes, we want to be informed. We want to be informed about the data breach incidents.
So what the Commission did, the Commission has proposed that not only the supervisory body, as far as the eID systems are concerned, should be informed about it, but in several situations where it could also harm the personal data, this information should be passed to the data protection authority. And it all has to be done in 24 hours from the incident.
Of course, there is a long discussion that this 24 hours is simply not practical, and you are not able to achieve this goal, but we don't know what will be the end of that. Probably in one of these regulations there will be the limit, let's say 72 hours. And in the other one, it'll be set in the reasonable time. So we will have actually two data breach notifications that you will have to issue to two supervisory bodies.
While one of the supervisory bodies should also inform the other supervisory body about the data breach which happened. Of course, I think we can escape from this problem and we can omit this problem. The only thing is that in most of the countries in Europe, these are not only different parliamentarians who are dealing with it in the European Parliament, but these are also different ministries which are doing that. So who should coordinate these efforts? Probably data protection authorities in some way. That's why I'm here. I'm trying to do it in Poland.
And I'm trying also to say, there is something which might be the problem for you in the future, but this is especially you, the market, who has to put the stress on the government of your countries, if you are from the European country, or to the governments that are discussing with the European Union about the regulation, if you are from outside of the EU, because otherwise we may find ourselves in a situation where we have two regulations, which both regulate somehow the same business.
And just for the end of this presentation, that's also about that breach notification. And I will leave to the organizers the whole presentation with the information about all of these rules. But now I would like to put the last point.
It is also said that the trust service providers can be located outside of the European Union and can be recognized as trust service providers, even if they are not actually based on the European soil, but the Parliament is right now proposing a slight change to this law, adding the things which are in the blue on the end of the slide, especially the security of the trust service provider provided and the supervision of qualified trust service providers. The third country in question shall afford adequate protection of the personal data in accordance with the directive.
It sounds nice, but it's very administrative and very practical when you go to the data protection law, because adequacy does not mean that you are saying you are adequate, that you are joining, let's say, the Safe Harbor system. No, it means that the European Union has recognized the country as having an adequate protection. That is actually what is adequacy. 2013 probably it'll look slightly different in the future, but we don't know exactly how it will look like. Probably the trust service providers can have the special binding corporate rules that they will be using.
Probably it'll be true. If not, then it means that there are only 12 territories in the countries, in the world, who are treated as adequate. And one of them is Switzerland. One of them is Canada, but these are the only strong places. The other ones are Guernsey, Jersey and Uruguay, right now as well Israel. Okay. But you will not find United States on this list. And you will not find the other countries where some of you are coming from. And the last slide for today.
The other question that has been asked by Eurobarometer in 2011 to the citizens of Europe was the question: Is it true? Are you aware of the fact that the companies holding information about you may sometimes use it for different purposes than the ones that they were collected for, simply misuse the data? And you can find out that in Sweden, the people actually don't accept it. For them, it's unbelievable almost that the data can be used for the other purpose than the one for which it was collected. While in the UK and in Ireland more than 80%, no, 80%. Exactly.
80% of people are absolutely sure that the data is used for the different purposes than the purposes for which it was collected. And thinking why the European Commission is so strong in preparing the proposals, you have to remember that they were actually basing on the researches that were done by Eurobarometer.
Well, I know that data protection authorities are not the ones who are liked very much in this room, but I would like to leave you with this information: that you have to put the stress on the government, at least to coordinate these two regulations, no matter what will be in them. Thank you.