FIM and Data Protection Regulation

This blog post below has been written by Andrew Cormack (JISC).  Becasue of its relevance, it deserves as much visibility as possible. Please note that the original post is online at:

https://community.jisc.ac.uk/blogs/regulatory-developments/article/federated-access-management-and-gdpr

Andrew’s Blog

[this article is based on the draft text published by the European Council on 28th January 2016. Recital and article numbers, at least, will change before the final text]

When individuals register to access a website or other on-line service, it’s common to have to provide a significant amount of personal data. Some of this is to assure the service provider that you are entitled to access, some may be needed to deal with problems in future. Typically you are then issued with a unique password to access your account on that site in future.

Federated Access Management (FAM) (introductory animation) also provides service providers with assurances on entitlement and problem resolution, but with much less need to disclose personal data. Instead FAM introduces a third party, trusted by both the user and the site operator, to provide the assurances. This “identity provider” will often also handle user authentication – assuring the service provider that a valid username and password have been provided. For example a college may well act as identity provider for its students: having them login using their existing credentials and then confirming to the service provider both that their user has been authenticated and that they are a student, subject to the college’s disciplinary policies. This lets services significantly reduce the amount of personal data they collect and hold. If they need a unique account number for a user then this can be obtained from the identity provider: other information such as names or e-mail addresses need only be provided if the service actually requires them.

FAM under current law

Federated Access Management is recognised by regulators as a privacy enhancing tool. However the three-sided relationship between user, identity provider and service provider doesn’t obviously fit the models provided by European data protection law. Neither the identity provider nor the service provider satisfies the legal definition of a data processor. Where the user chooses which identity provider to use for a given service there may be no contract between the identity provider and service provider. Instead the arrangement is better viewed as an individual instructing two parties – each an independent data controller – to transfer personal data. This would normally fall within legal provisions for Consent (Data Protection Directive Article 7(a)), but if a student needs to access a particular service as part of their study then it is not clear that the consent can be freely-given, as the law requires. Conversely, although some authentication requests may be Necessary for the Performance of a Contract (Article 7(b)) this will not apply where an individual accesses resources that are not necessary for their course. One of the design goals of federated access was to prevent identity providers knowing which specific articles were being accessed and service providers knowing the identity of individual users. This means the only way identity and service providers could determine whether a particular request is “necessary” or “consensual” would be an additional exchange of information that both privacy technology and law were designed to prevent.

Instead, to avoid the complexities of applying different legal regimes to different requests, Research and Education federations in Europe have generally considered that both identity providers and service providers process personal data in their Legitimate Interest (Article 7(f)) of providing the service that an individual has requested of them. This allows each to focus on the relationship with their user, rather than having to collude to try to establish the appropriate legal regime for each individual request.

An additional benefit of this approach is that the Legitimate Interests justification requires additional safeguards for users, which are a natural match for the goals and practice of research and education federations. Federation rules generally require both purpose limitation and data minimisation: service providers may only request information they need to provide the service, and may not use it for any other purpose. Article 7(f) requires that personal data may only be processed if the legitimate interest is not overridden by the rights and interests of the individual. As explained by the Article 29 Working Party of national data protection supervisors, this requires a comparison of the benefits and risks of the processing. By configuring which user attributes are released to which service providers, identity providers can implement the necessary balancing test. In addition federations are developing guidance on service provider categories to help identity providers determine which services represent a high benefit and low risk to their users.

With many research collaborations being global in scope it is unfortunate that legitimate interests cannot, at present, be used as a justification for exporting personal data from the European Economic Area. Instead those identity providers that wish to provide federated authentication for their users to overseas services need to argue that these users have given consent. This is unsatisfactory both because the freedom of users to give such consent may be questioned and because the consent justification provides less guidance to responsible identity and service providers on the ways in which personal data may subsequently be used. Even with these legal issues, federated access management still provides significantly better privacy protection and policy enforcement than the alternative of individual users registering directly with overseas service or identity providers. For data protection regimes that encourage exporters to assess the risks and benefits of transferring personal data overseas, there is a strong argument in favour of federated access management as involving less risk to individuals’ rights than any of the alternatives.

FAM under the GDPR

The forthcoming General Data Protection Regulation appears likely to provide further support for Federated Access Management and the Research and Education community’s approach to it.

The Regulation further strengthens the requirements for valid consent, making it appear an even less appropriate justification for activities that affect an individual’s study or employment. For example “consent should not provide a valid legal ground for the processing of personal data in a specific case, where there is a clear imbalance between the data subject and the controller” (Recital 34) and “consent should not be regarded as freely-given if the data subject has no genuine and free choice and is unable to refuse or withdraw consent without detriment” (Recital 32).

However the legal requirements for the Legitimate Interests justification still appear a good match for the objectives and practices of federated access management in research and education. In particular the idea of a legitimate interest in “doing what users request” gains additional support from Recital 38 that the balancing test should “tak[e] into consideration the reasonable expectations of data subjects based on the relationship with the controller”: where an individual has asked their home organisation to authenticate them to a website, they will indeed expect the organisation to do so! The use of pseudonyms separated from the user’s personal identity – something that is greatly facilitated and widely used by federated systems – is recognised as both “reduc[ing] the risks for the data subjects concerned and help[ing] controllers and processors meet their data protection obligations” (Recital 23a). Recital 23c explicitly seeks to “create incentives for applying pseudonymisation”: something federation policies, recommendations and technologies have done for many years.

Using federated access management across borders should become legally simpler under the Regulation. Under the current Data Protection Directive different European countries have significantly different treatment of the Legitimate Interests justification: some have created additional restrictions, others appear not to recognise the justification at all. Such variations should be reduced by the new law being a directly-applicable Regulation, as well as by a recent European Court ruling (Case C-468/10) that consistent implementation is essential if the law is to achieve its purpose of removing unnecessary barriers to the single market across EU member states.

The Regulation also offers the possibility of using the same legal framework for all national and international federated access, since Legitimate Interests appears for the first time (in Article 44(1)(h)) as a justification for transferring personal data outside Europe. As with other uses of Legitimate Interests the exporter needs to have assessed the risks and ensured that adequate safeguards are provided. According to the Article, the justification may be used for non-repetitive transfers involving a limited number of data subjects and where there are “compelling interests” in the transfer taking place: conditions that appear to be met at least for FAM services, such as platforms supporting research collaborations, that are used by a small number of staff or students at each university or college. Where an educational organisation procures a service, such as access to online journals, for the majority of its users then access management arrangements are probably better addressed as part of that larger contract.

The Regulation adds one extra requirement when using Legitimate Interests to export data: that the “controller shall inform the supervisory authority of the transfer” (Article 41(1)(h)). This should be feasible provided an identity provider (or perhaps even its national federation) can inform the supervisory authority of the general conditions under which such transfers will take place. If, on the other hand, the text were to be interpreted as meaning that every login attempt must be notified then this impractical requirement (for both identity providers and regulators!) would force international access management to fall back on options with fewer safeguards: either consent or direct use of overseas services.

Using the Legitimate Interests justification entitles individuals to raise concerns if their particular circumstances mean the processing represents a higher risk than was considered in the balancing test (Article 19(1)). Educational organisations acting as data controllers should already have processes to deal with such concerns. However since federated services should, in any case, only be receiving the minimum personal data they require to provide the service, a successful objection further reducing the information released is likely to mean the individual will no longer be able to use that service and will need to find an alternative.

Whether using Legitimate Interests for national or international transfers, the Regulation requires users to be informed of the release of information and the interests that it serves (Article 14). Federated services and identity providers already use a number of different mechanisms to provide information to their users so any additional information requirement should not be onerous. Federation operators have developed recommendations for some aspects of user interfaces – as requirements under the new Regulation become clear there may be an opportunity for further work to develop standards in this area.

Finally, under the Regulation the current requirement for data controllers to register with their national regulator will be removed. Instead controllers will be expected to maintain documentation of all their processing that can be provided to regulators or individuals on request (e.g. Article 28). Guidance and information from national federations on the privacy-protecting features of federated access management may well be useful in developing and supporting such documentation.

Roles & Implications

The technology used by most Research and Education federations transfers authentication data and other personal information about users directly between the identity provider and service provider. The principal role of the federation operator is to maintain the list of member organisations and the common legal and technical agreements to which they subscribe: something that does not require the operator to handle any personal data other than contact details for those responsible for each organisation’s membership. The main impact of the new Regulation will therefore fall on the organisations that act as identity and service providers or manage the databases of users that are the basis for those services.

Since the Regulation generally confirms the approach that has been taken by Research and Education federations, its entry into force (expected in 2018) is unlikely to require major changes. Once requirements on process documentation are clear, identity and service providers will need to check that they can provide what is needed. The possibility of using a single legal approach to national, European and international federated access should make this simpler. Using entity categories, whose risks and benefits can be documented by the federation operators that develop them, should reduce the need for identity providers to make assessments of individual services.

Where education organisations enter into contracts, either to provide content services or to operate technical facilities such as identity providers, the terms of these agreements should be checked to ensure they meet the requirements under the Regulation. This will also affect those federation operators who provide central identity provider services – commonly known as “hub-and-spoke” federations – since these do involve processing users’ personal data.

Otherwise the main task for federation operators will continue to be to develop tools and guidance that help their member organisations provide services that respect privacy and the law. Documented entity categories have already been mentioned; other opportunities may include advice on how to provide users with information about federated access management and identifying national regulators’ requirements for notification of exports.