brokerage 2007 presentation regulation
TRANSCRIPT
Legal and regulatory research
Jos Dumortier
2
Core Research Areas
The Networked Individual
Access To And Control Of Information
Information Security And Trust
Information Transport – Electronic Communications
The Electronic Society
3
1. The Networked Individual
The Citizen
The Patient
The Consumer
…
4
Example: the Citizen
E-Government: collect data once and re-use them subsequently for all government services
Data protection legislation: only use personal data for the specific purpose for which they have been collected
5
Discussion: Legal limitations for the use of unique identifiers
Belgium: prohibition to use the national number without specific permission
Belgium: promotion of e-ID (with national number) for private transactions
6
Discussion: How to validate electronic signatures without “using” the national identifier?
7
Similar problems
The Patient
Legal principle: collect data directly from the patient
E-health platforms: sharing health data (BeHealth, Flemish Health Information System)
The Consumer
Legal principle: no direct marketing without consent
Personalisation technologies: proposed legal framework for RFID
8
2. Information: Access & Control
Content Regulation
Intellectual Property Rights
Public Information: Access & Re-use
Geographical Information Systems
9
Example 1: New legislation on re-using public information
European Directive: promote re-use of government-owned information in commercial applications
Example: company register (KBO)
Belgium: no re-use of personal data without anonymisation
10
Example 2: Geographical information and personal data
ROP (DORO 18/05/99)
Discussion: Can we publish the list of building lots (bouwgronden) on the Internet (without the land register number or the name of the landowner)?
11
Opinion Privacy Commission 27/09/2006
Maps of building lots contain personal data!
• personal data: all data containing information on an identifiable person
• identifiable: every person who can be identified directly or indirectly
• land owners are (very often) natural persons
• via a map or an aerial photograph the name and address of the land owner can be discovered
12
Conclusion Privacy Commission 27/09/2006
- the Register of Building Lots (ROP) has a specific purpose (administration)
- publication of these data on the Internet is not compatible with this purpose
- OK for publication of aerial view, but only on 1/50,000 scale and without possibilities for interactive selection
13
3. Information Security & Trust
Electronic Signatures
Digital Preservation
Cybercrime
14
“Writing”
15
Example 1: Electronic employment contract
Draft law: possibility to conclude written employment contracts in electronic form
- Signature by means of e-ID
- Or by « equivalent » means
Employer should guarantee the electronic archival of the contract via an accredited trusted archival service provider (draft law)
16
Example 2: Trusted Third Parties
Draft law: Legal status of TTPs
- Electronic archiving
- Electronic time stamping
- Electronic registered mail
Legal value of documents or transactions can be made dependent on quality conditions
Voluntary accreditation: independent technical auditors
Evaluation profile: to be drafted by technical working group (within Fedict)
Commission for Trusted Services: deals with complaints
17
Example 3: Preservation of invoices
In principle: 2 originals, 7 years (private consumer: 5 years)
Preservation in Belgium, or elsewhere in the EU (subject to on-line access)
Authenticity and integrity must remain guaranteed
18
Digital archiving of paper invoices
Permitted by law since January 2006
Also valid for « old » invoices. Example: scan all my invoices of 2005
Only valid scans from original invoices (not from parallel files)
If invoice refers to order form: also scan the order form
Very important: scan results in a copy of the invoice
The authenticity and integrity of this copy should be guaranteed!
19
How to guarantee that a copy is « authentic »?
Authentic: copy = original
Not possible by technological means
VAT Administration: keep your paper invoices for 6 months (after the date of scanning)
Example: I scan all my (paper) invoices of 2005 on 20 January 2007 – keep the original paper invoices until 20 June 2007
20
How to guarantee the integrity?
Scanning process: strict conditions
- Scanning software/configuration without edit/import possibilities
- Scanning (always) recto/verso; if the verso only contains General Terms, scan it only once
- Keep original colors / sufficient resolution
- Unique identification number + date/time on the digital image
- Immediately secure the digital image (advanced electronic signature or sealing algorithm + WORM)
- Identification of the person who scans
- Secure scanning environment (protect access)
- Possibility for immediate retrieval (e.g. by unique number)
- Incoming invoices: first terminate the administrative process (or use OCR and keep the data of the administrative process)
- Back up
- Document the scanning process (describe company, hardware, software, security measures, etc.)
21
First method: scanning + advanced electronic signature
- Scan recto/verso
- Keep colors
- Minimum 300 dpi / 24-bit colors / JPEG2000
- Isolated scanning module (no edit/import facility)
- PDF or TIFF
- Automatically add unique id-number
- Add fields with id of operator, login name, date/time of creation, …
- Immediately secure with digital signature
- Outsourcing: certificate of outsourcer needed
- Retrieval using unique id-number of invoice
- Possibility to combine unique id-number with other identification data (needed to process the result in ERP system)
- Minimum application: 1 subbook of incoming invoices for minimum 12 months starting 1 January (or start of accounting year)
22
Second method: scanning + sealing algorithm
Compose seal: seal of previous invoice, invoice date, invoice number, scanning date, sequential nr, VAT numbers of provider/client, VAT amount, total amount
- Generate seal (algorithm)
- Store seal in a separate record with other data
- Link record with previous record
- Scan invoice
- Write seal on the digital image
- Store result on WORM disk
- Keep disks on Belgian territory
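The sealing chain of this second method, as an added example that is not part of the presentation: each record's seal covers the fields listed on the slide plus the previous record's seal, and a verifier walks the chain so that a changed amount, a re-sealed record or a removed invoice is reported by sequence number. The slide names neither the algorithm nor the first record's "previous seal"; SHA-256, an all-zero starting seal and the field encoding are assumptions made here, and the sample invoices are constructed.

```python
import hashlib

# Seal components in the order the slide lists them; this order fixes the encoding.
SEAL_FIELDS = ("prev_seal", "invoice_date", "invoice_nr", "scan_date", "seq_nr",
               "vat_nr_provider", "vat_nr_client", "vat_amount", "total_amount")
# Assumed: the slide names neither the algorithm nor the "previous seal" of the
# first record; SHA-256 and an all-zero genesis seal are used here.
GENESIS_SEAL = "0" * 64

def compute_seal(rec):
    # Amounts are decimal strings; fields are joined with a separator that cannot
    # occur in any of them, so "12"+"3" and "1"+"23" never hash alike.
    data = "\x1f".join(str(rec[f]) for f in SEAL_FIELDS).encode("utf-8")
    return hashlib.sha256(data).hexdigest()

def build_chain(invoices):
    """Seal invoices in scan order; each record stores the previous record's seal."""
    records, prev = [], GENESIS_SEAL
    for n, inv in enumerate(invoices, start=1):
        rec = dict(inv, prev_seal=prev, seq_nr=n)
        rec["seal"] = compute_seal(rec)   # this value is also written on the image
        records.append(rec)
        prev = rec["seal"]
    return records

def verify_chain(records):
    """seq_nr of the first record whose seal or link is wrong, or None if intact."""
    prev = GENESIS_SEAL
    for rec in records:
        if rec["prev_seal"] != prev or compute_seal(rec) != rec["seal"]:
            return rec["seq_nr"]
        prev = rec["seal"]
    return None

# Constructed sample invoices (not real data).
SAMPLE = [
    dict(invoice_date="2005-03-01", invoice_nr="A-101", scan_date="2007-01-20",
         vat_nr_provider="BE0123456789", vat_nr_client="BE0987654321",
         vat_amount="21.00", total_amount="121.00"),
    dict(invoice_date="2005-03-15", invoice_nr="A-102", scan_date="2007-01-20",
         vat_nr_provider="BE0123456789", vat_nr_client="BE0987654321",
         vat_amount="42.00", total_amount="242.00"),
    dict(invoice_date="2005-04-02", invoice_nr="A-103", scan_date="2007-01-20",
         vat_nr_provider="BE0123456789", vat_nr_client="BE0987654321",
         vat_amount="10.50", total_amount="60.50"),
]
```

Because each seal is stored on WORM media and also stamped on the image, re-sealing a modified record does not help: the next record still carries the old seal, and the verifier stops there.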
23
4. Information Transport – e-Communications
access to communications networks and services
interconnection and interoperability
network integrity and security
radio spectrum allocation
universal service
24
Example: Wholesale Line Rental (WLR)
Fact: introduction of competition in the market of “access to the telephone network from a fixed location” is very slow
Remedy 1: carrier selection / carrier pre-selection
Remedy 2: local loop unbundling
Proposed remedy 3 (intermediate): wholesale line rental (doorverkoop van abonnementen)
25
Convergence
26
Convergence
Who is competent to regulate “converged” e-communications?
27
5. The Information Society
e-Health, e-Voting, e-Business, e-Government, e-Learning, e-Banking, e-Justice, …
28
Example: Proposed Directive on Payment Services
Europe: harmonisation of strict rules for payment service providers (banks, credit card companies, etc.)
New evolution: payment via mobile phone (mobile operator becomes a payment service provider)
Example: m-banxafe (Belgium)
Discussion: from which stage will we apply the strict rules for payment services to mobile operators?
29
Conclusion
IBBT: close interaction between:
Technical & User-Oriented R&D
Monitoring the Regulatory Framework for ICT-Applications
30
IBBT Research Groups