brokerage 2007 presentation regulation

Legal and regulatory research Jos Dumortier

Upload: iminds

Post on 21-Jun-2015

Page 1: Brokerage 2007 presentation regulation

Legal and regulatory research

Jos Dumortier

Page 2: Brokerage 2007 presentation regulation

Core Research Areas

The Networked Individual

Access To And Control Of Information

Information Security And Trust

Information Transport – Electronic Communications

The Electronic Society

Page 3: Brokerage 2007 presentation regulation

1. The Networked Individual

The Citizen

The Patient

The Consumer

Page 4: Brokerage 2007 presentation regulation

Example: the Citizen

E-Government: collect data once and re-use them subsequently for all government services

Data protection legislation: only use personal data for specific purpose for which they have been collected

Page 5: Brokerage 2007 presentation regulation

Discussion: Legal limitations for the use of unique identifiers

Belgium: prohibition to use national number without specific permission

Belgium: promotion of e-ID (with national number) for private transactions

Page 6: Brokerage 2007 presentation regulation

Discussion: How to validate electronic signatures without “using” the national identifier?

Page 7: Brokerage 2007 presentation regulation

Similar problems

The Patient

Legal principle: collect data directly from the patient

E-health platforms: sharing health data (BeHealth, Flemish Health Information System)

The Consumer

Legal principle: no direct marketing without consent

Personalisation technologies: proposed legal framework for RFID

Page 8: Brokerage 2007 presentation regulation

2. Information: Access & Control

Content Regulation

Intellectual Property Rights

Public Information: Access & Re-use

Geographical Information Systems

Page 9: Brokerage 2007 presentation regulation

Example 1: New legislation on re-using public information

European Directive: promote re-use of government-owned information in commercial applications

Example: company register (KBO)

Belgium: no re-use of personal data without anonymisation

Page 10: Brokerage 2007 presentation regulation

Example 2: Geographical information and personal data

ROP (DORO 18/05/99)

Discussion: Can we publish the list of building lots (bouwgronden) on the Internet (without the land register number or the name of the land owner)?

Page 11: Brokerage 2007 presentation regulation

Opinion Privacy Commission 27/09/2006

Maps of building lots contain personal data!

• personal data: all data containing information on an identifiable person

• identifiable: every person who can be identified directly or indirectly

• land owners are (very often) natural persons

• via a map or an aerial photograph the name and address of the land owner can be discovered

Page 12: Brokerage 2007 presentation regulation

Conclusion Privacy Commission 27/09/2006

- the Register of Building Lots (ROP) has a specific purpose (administration)

- publication of these data on the Internet is not compatible with this purpose

- OK for publication of aerial view but only on 1/50,000 scale and without possibilities for interactive selection

Page 13: Brokerage 2007 presentation regulation

3. Information Security & Trust

Electronic Signatures

Digital Preservation

Cybercrime

Page 14: Brokerage 2007 presentation regulation

“Writing”

Page 15: Brokerage 2007 presentation regulation

Example 1: Electronic employment contract

Draft law: possibility to conclude written employment contracts in electronic form
• Signature by means of e-ID
• Or by « equivalent » means

Employer should guarantee the electronic archival of the contract via an accredited trusted archival service provider (draft law)

Page 16: Brokerage 2007 presentation regulation

Example 2: Trusted Third Parties

Draft law: Legal status of TTPs
• Electronic archiving
• Electronic time stamping
• Electronic registered mail

Legal value of documents or transactions can be made dependent on quality conditions

Voluntary accreditation: independent technical auditors

Evaluation profile: to be drafted by technical working group (within Fedict)

Commission for Trusted Services: deals with complaints

Page 17: Brokerage 2007 presentation regulation

Example 3: Preservation of invoices

In principle: 2 originals, 7 years (private consumer: 5 years)

Preservation in Belgium, or elsewhere in the EU (subject to on-line access)

Authenticity and integrity must remain guaranteed

Page 18: Brokerage 2007 presentation regulation

Digital archiving of paper invoices

Permitted by law since January 2006

Also valid for (« old » invoices)

Example: scan all my invoices of 2005

Only valid scans from original invoices (not from parallel files)

If invoice refers to order form: also scan the order form

Very important: scan results in a copy of the invoice

The authenticity and integrity of this copy should be guaranteed !!!

Page 19: Brokerage 2007 presentation regulation

How to guarantee that a copy is « authentic »?

Authentic: copy = original

Not possible by technological means

VAT-Administration: keep your paper invoices for 6 months (after the date of scanning)

Example: I scan all my (paper) invoices of 2005 on 20 January 2007 – Keep original paper invoices until 20 June 2007

Page 20: Brokerage 2007 presentation regulation

How to guarantee the integrity?

Scanning process: strict conditions
• Scanning software/configuration without edit/import possibilities
• Scanning (always) recto/verso - If verso only contains General Terms (scan only once)
• Keep original colors / Sufficient resolution
• Unique identification number + date/time on the digital image
• Immediately secure the digital image (advanced electronic signature or sealing algorithm+WORM)
• Identification of the person who scans
• Secure scanning environment (protect access)
• Possibility for immediate retrieval (ex. by unique number)
• Incoming invoices: first terminate the administrative process (or use OCR and keep the data of the administrative process)
• Back up
• Document the scanning process (describe company, hardware, software, security measures, etc…)

Page 21: Brokerage 2007 presentation regulation

First method: scanning + advanced electronic signature

• Scan recto/verso
• Keep colors
• Minimum 300 dpi/24bit-colors/JPEG2000
• Isolated scanning module (no edit/import facility)
• PDF or TIFF
• Automatically add unique id-number
• Add fields with id of operator, login name, date/time of creation, …
• Immediately secure with digital signature
• Outsourcing: certificate of outsourcer needed
• Retrieval using unique id-number of invoice
• Possibility to combine unique id-number with other identification data (needed to process the result in ERP system)
• Minimum application: 1 subbook of incoming invoices for minimum 12 months starting 1 January (or start accounting year).

Page 22: Brokerage 2007 presentation regulation

2. Second method: scanning + sealing algorithm

• Compose seal: seal of previous invoice, invoice date, invoice number, scanning date, sequential nr, VAT numbers of provider/client, VAT amount, total amount
• Generate seal (algorithm)
• Store seal in a separate record with other data
• Link record with previous record
• Scan invoice
• Write seal on the digital image
• Store result on WORM disk
• Keep disks on Belgian territory
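
The chained seal from this slide, as an added example that is not part of the presentation or of any official guidance. The slide does not name the sealing algorithm, so HMAC-SHA256, the field order, the length-prefixed encoding and the all-zero first seal are assumptions, and the invoices are constructed sample data; the point is that linking each seal to the previous one makes an edited or dropped invoice detectable.

```python
import hashlib
import hmac

# Seal inputs named on the slide; their order and encoding are assumptions.
FIELDS = ("invoice_date", "invoice_number", "scanning_date", "sequence_nr",
          "vat_provider", "vat_client", "vat_amount", "total_amount")
GENESIS = "0" * 64  # assumed "previous seal" for the very first invoice

def compute_seal(key, prev_seal, invoice):
    """HMAC-SHA256 over the previous seal plus the invoice fields (assumed algorithm)."""
    parts = [prev_seal] + [str(invoice[f]) for f in FIELDS]
    # Length-prefix each part so values cannot be shifted between fields.
    msg = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def append_record(key, ledger, invoice):
    """Store the seal in its own record, linked to the previous record."""
    prev = ledger[-1]["seal"] if ledger else GENESIS
    ledger.append(dict(invoice, prev_seal=prev, seal=compute_seal(key, prev, invoice)))

def verify_ledger(key, ledger):
    """Return -1 if every seal and link checks out, else the first bad index."""
    prev = GENESIS
    for i, rec in enumerate(ledger):
        expected = compute_seal(key, prev, rec)
        if rec["prev_seal"] != prev or not hmac.compare_digest(rec["seal"], expected):
            return i
        prev = rec["seal"]
    return -1

def demo():
    key = b"constructed-demo-key"  # constructed; a real key is stored apart from the ledger
    ledger = []
    amounts = [("21.00", "121.00"), ("105.00", "605.00"), ("42.00", "242.00")]
    for n, (vat, total) in enumerate(amounts, start=1):
        append_record(key, ledger, {  # constructed sample invoices
            "invoice_date": "2005-03-%02d" % n, "invoice_number": "INV-%04d" % n,
            "scanning_date": "2007-01-20", "sequence_nr": n,
            "vat_provider": "BE-PROVIDER-PLACEHOLDER",
            "vat_client": "BE-CLIENT-PLACEHOLDER",
            "vat_amount": vat, "total_amount": total})
    intact = verify_ledger(key, ledger)
    edited = [dict(r) for r in ledger]
    edited[1]["total_amount"] = "6050.00"  # amount changed after sealing
    removed = ledger[:1] + ledger[2:]      # middle invoice silently dropped
    return intact, verify_ledger(key, edited), verify_ledger(key, removed)

if __name__ == "__main__":
    print(demo())
```

Verification only proves what the ledger holder could not change without the key; the WORM storage step on the slide is what stops the whole chain from being regenerated.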

Page 23: Brokerage 2007 presentation regulation

4. Information Transport – e-Communications

access to communications networks and services

interconnection and interoperability

network integrity and security

radio spectrum allocation

universal service

Page 24: Brokerage 2007 presentation regulation

Example: Wholesale Line Rental (WLR)

Fact: introduction of competition in the market of “access to the telephone network from a fixed location” is very slow

Remedy 1: carrier selection / carrier pre-selection

Remedy 2: local loop unbundling

Proposed remedy 3 (intermediate): wholesale line rental (doorverkoop van abonnementen)

Page 25: Brokerage 2007 presentation regulation

Convergence

Page 26: Brokerage 2007 presentation regulation

Convergence

Who is competent to regulate “converged” e-communications?

Page 27: Brokerage 2007 presentation regulation

5. The Information Society

e-Health

e-Voting

e-Business

e-Government

e-Learning

e-Banking

e-Justice

…

Page 28: Brokerage 2007 presentation regulation

Example: Proposed Directive on Payment Services

Europe: harmonisation of strict rules for payment service providers (banks, credit card companies, etc.)

New evolution: payment via mobile phone (mobile operator becomes a payment service provider)

Example: m-banxafe (Belgium)

Discussion: from which stage will we apply the strict rules for payment services to mobile operators?

Page 29: Brokerage 2007 presentation regulation

Conclusion

IBBT: close interaction between:

Technical & User-Oriented R&D

Monitoring the Regulatory Framework for ICT-Applications

Page 30: Brokerage 2007 presentation regulation

IBBT Research Groups