One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Draft EU Regulation on eIdentities

Tuesday, June 12, 2012 - 09:30

The European Commission have proposed a draft eIdentity Regulation, to replace the current eSignatures Directive (99/93/EC). While the proposal is mostly concerned with interoperability of national electronic IDs and with improving the legal significance of digital signatures, timestamps, documents, etc., it also introduces some new requirements on “trust service providers”.

According to Article 3(12), Trust Services comprise “any electronic service consisting in the creation, verification, validation, handling and preservation of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication, and electronic certificates, including certificates for electronic signature and for electronic seals” and according to Art 3(14) a Trust Service Provider is “a natural or a legal person who provides one or more trust services”.

Art 15 requires all Trust Service Providers to “take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide”, which looks similar to the requirement the current Data Protection Directive places on anyone processing personal data. Art 9 makes those who fail to implement such measures liable for “any direct damage caused to any natural or legal person” resulting from the failure, unless they can demonstrate that they did not act negligently. Art 15(2) also requires security breaches with a significant impact to be reported to the supervisory authority for trust services, the national body for information security, and the data protection authorities: the same tight timescale as proposed in the new Data Protection Regulation, but with additional regulators to notify.

What puzzles me about this is that, unless there's some hidden meaning in the word "service" (for example that it must be commercial, or must be provided to a separate third party), the definition of a trust service provider seems to cover anyone who issues a digital certificate, even if it’s only to members of their own organisation, for access to services that the issuing organisation itself provides (for example I have a certificate issued by my employer to ensure that I only enter username and password when connected to genuine eduroam services). In most of the circumstances I can think of, a security breach of those certificates would only affect the organisation that issued them (so it would be unlikely to sue itself) and the breach would be unlikely to have a “significant impact”. But it seems to me there could still be some unexpected consequences (for the Commission, regulators and people who didn’t previously realise they were trust service providers) of legislating so widely. Unless, that is, someone can point out the limitation on scope that I've missed?

Comments

I've now spotted Article 2(2), which may provide the limitation I was looking for:

2. This Regulation does not apply to the provision of electronic trust services based on voluntary agreements under private law.

I think that means that the examples I was thinking of would be outside the breach requirement and liability requirements.