Editorial Director: Giusella Finocchiaro
Web Content Manager: Giulia Giapponesi

The 54th session of UNCITRAL Working Group IV on Electronic Commerce brought to a close work on the regulation of “Electronic Transferable Records”, following which a new Working Group on Identity Management was formed.

During the last session in Vienna, Working Group IV on Electronic Commerce of the United Nations Commission on International Trade Law (UNCITRAL) produced a final version of the International Model Law on Electronic Transferable Records and invited the UNCITRAL Secretariat to forward the text to all Member States and international organisations for their opinions, after which the text will then be submitted to the UNCITRAL Commission in Vienna in July 2017.

Over the last five years the Working Group’s activity focused on the definition, the rules and the use of these particular electronic financial data. As its President, Giusella Finocchiaro chaired the Working Group from 2012 until the termination of its work.

In its activity concerning ETRs, the Working Group drew inspiration from a number of fundamental principles such as those of technology neutrality and of non-discrimination between paper and electronic documents, keeping the impact on national substantive legislation to a minimum.

At the same time as they brought to an end their analysis of Electronic Transferable Records, the Working Group initiated a discussion on the new Identity Management project assigned by the Commission, which is currently an issue of significant national and international interest.

The new Working Group will be required to focus both on digital identification systems involving many parties and on bilateral systems, and will have to take into consideration the identities of both natural persons and legal persons, without for the moment excluding digital objects. It was recalled that the Commission’s mandate also covers “Trust Services”: their detailed study will be carried out in the future, but their definitions will be worked out immediately.

A group of experts has therefore been created to prepare the first drafts. Given that the European Regulation on this subject has recently come into force, the European approach, which the Commission strongly supports, will carry considerable weight.


A recent judgment by the European Court of Justice stated that IP addresses can be considered personal data, in that they can be used to identify a user by turning to the authorities or to Internet service providers.

The point was raised in the context of a controversy between Mr Patrick Breyer and the Bundesrepublik Deutschland (Federal Republic of Germany) concerning the registration and storage of Mr Breyer’s IP address on the occasion of his consulting a number of Internet websites of the German federal services.

Every access to German Government websites is logged with the aim of thwarting cyber attacks and identifying attackers. At the end of each session a range of data is stored, such as the name of the website or file consulted, the words typed into search bars, the date and time of the visit, the volume of data transferred, the outcome of the request and the IP address of the computer that made the access.

Mr Breyer petitioned the German administrative courts, asking them to prohibit the Federal Republic of Germany from storing IP addresses. His request was rejected at first instance, but the appeal court partially upheld it, ordering the Federal Republic of Germany to refrain from storing IP addresses when these are collected together with the corresponding date of consultation and when users reveal their identity during the session, even if only in the form of an e-mail address.

According to the German Court of Appeal, therefore, dynamic IP addresses associated with dates of consultation are personal data only where users have revealed their identity while browsing; where users do not reveal their identity during a session, IP addresses are not personal data, since only Internet service providers could link them to the names of their subscribers.

As both the Federal Republic of Germany and Mr Breyer contested the appeal court’s decision, each petitioned the Bundesgerichtshof (Federal Court of Justice), Mr Breyer seeking full approval of his injunction and the State seeking its rejection.

The Federal Court of Justice pointed out that the qualification of IP addresses as “personal” data depends on whether or not it is possible to identify users, and raised a question of doctrine regarding the choice between an “objective” and a “relative” criterion for establishing whether a person is identifiable. Under the objective criterion, IP addresses could be considered personal data even if only one third party, in this case the Internet access service provider, were able to determine the identity of the person involved. Under the relative criterion, by contrast, these data would qualify as personal data only in relation to a particular party, such as the Internet access service provider, who is able to trace them back to a specific user. They could not be considered personal data for other parties, such as website administrators, who do not possess the information necessary for identification without resorting to external sources, except where users reveal their identities while browsing.

First of all, the European Court of Justice observed that a dynamic IP address does not constitute information relating to an “identified natural person”, since it directly reveals neither the identity of the owner of a computer connected to a website nor that of another person who may be using the same computer. However, the Court stressed that the wording of art. 2, letter a) of Directive 95/46 shows that a person is considered identifiable when they can be identified not only directly but also indirectly. Moreover, recital 26 of Directive 95/46 states that, to determine whether a person is identifiable, account should be taken of all the means reasonably likely to be used by the data processor or by others to identify that person.

According to the Court, the fact that the additional information necessary to identify users is held not by website administrators but by Internet access service providers is not sufficient to exclude dynamic IP addresses from being personal data under art. 2, letter a) of Directive 95/46. Rather, it must be established whether the possibility of matching a dynamic IP address with the names held by Internet access service providers constitutes a means reasonably available to website administrators. This would not be the case if identification of the person involved were prohibited by law or practically unfeasible, for example because it would require a disproportionate amount of time, cost and labour.

Although German national law does not allow Internet service providers to transmit directly the information that identifies a person from an IP address, the Court stressed that there are legal channels which, especially in the event of cyber attacks, allow website administrators to turn to the competent authorities so that these can obtain the relevant information from Internet access service providers and initiate criminal proceedings. It follows that there are means which, with the help of other parties, can reasonably be used to identify a person on the basis of their IP address.

The European Court of Justice has therefore held that article 2, letter a) of Directive 95/46 must be interpreted as meaning that a dynamic IP address registered by a website constitutes personal data in relation to the website administrator where the administrator has legal means which allow the person involved to be identified with the help of an Internet access service provider.

The European Court of Justice decision is available HERE.


posted by admin on May 9, 2016

THE ITALIAN DPA HAS RULED IN FAVOUR OF THE APPEAL BY A USER, TO WHOM FACEBOOK HAD NOT GRANTED A BAN ON FAKE PROFILES CREATED TO HIS DETRIMENT

Facebook will be held accountable for fake profiles created on its platform and must offer full cooperation and transparency. In the last few days the Italian DPA has published a decision from last February concerning a dispute between a well-known doctor from Perugia and Facebook Ireland Ltd. The complaint, filed in November 2015, originated from an attempt at extortion carried out on the pages of the social network.

The doctor had been the victim of threats, attempted extortion, impersonation and unlawful access to a computer system by a Facebook user who, after requesting online friendship and obtaining the doctor’s acceptance, started an “electronic correspondence with him, which at first was of a confidential nature, but which subsequently aimed to pursue criminal ends”. The perpetrator had created a fake account using photos and personal data of the Perugia doctor and had attempted to blackmail him, threatening to send obscene photomontages containing child pornography material to friends, acquaintances and colleagues. The doctor, who did not give in to the blackmail, asked Facebook to take appropriate steps to remove the fake profiles and to provide him with all the information needed to limit the damage to his image as quickly as possible.

According to the doctor’s lawyers, Facebook did not take appropriate action on the matter and did not grant satisfactory and complete access to the requested data. In particular, Facebook simply made available, through its “download tool” service, a set of data which was not clearly intelligible, as it consisted only of code numbers. Furthermore, the data set was incomplete, since it covered only the claimant’s legitimate Facebook account and did not include the data processed by the fake account and shared on the social network.

The DPA therefore ordered Facebook Ireland Ltd, which holds the information requested by the doctor, to communicate “to the claimant in an intelligible form all data relating to him that are held with regard to the Facebook profiles opened in his name”. The social network must also close down the fake profile in order to facilitate any investigation aimed at establishing the identity of those responsible for the attempted extortion.

Once the thirty-day term for complying with the DPA’s decision has expired, Facebook will have about two weeks to file an opposition before the Court of Perugia, failing which the penalty consists of a fine and up to two years’ imprisonment.


Digital identity management and trust services will be the main themes discussed at the colloquium convened by the Secretariat of the United Nations Commission on International Trade Law (UNCITRAL), which will take place on the 21st and 22nd of April 2016 at the Vienna International Centre.

During the meeting, Working Group IV on Electronic Commerce will focus its activity on legal issues related to identity management and trust services with a view to compiling information on the scope and methodology of future work in that area. The session will be attended by Full Professor Giusella Finocchiaro as President of the Working Group and representative of the Italian Government at UNCITRAL.

For further information please consult the section covering Working Group activities on the UNCITRAL website.


posted by admin on June 20, 2015

On 10th June at the University of Bologna, a number of representatives of the UN Commission on International Trade Law (UNCITRAL) met with a group of academic experts and spokespersons for the web corporations Google and AliBaba. The aim of the meeting was to identify a basis for a shared process to define global rules for online identification.

In her introduction, Giusella Finocchiaro, organizer of the event in her role as Full Professor at the University of Bologna and President of UNCITRAL Working Group IV on Electronic Commerce, emphasized that the “objective” aspect of identity is what needs to be regulated first and foremost, namely what the law must guarantee in order to allow the formal recognition of individuals. A more detailed explanation of the difference between subjective and objective identity can be found in her presentation, which can be accessed HERE.

In Europe the problem of online identification has been addressed by the European Regulation on electronic identification and trust services for electronic transactions in the internal market: a single law for the 28 Member States which achieves legal and technical interoperability of the electronic tools for identification, authentication and signature (eIDAS) across the European Union. Andrea Servida, from DG CONNECT, European Commission, Head of the eIDAS Task Force, outlined the principles of how it works in his address. His presentation can be downloaded HERE.

Eric A. Caprioli, attorney at the Court of Paris and member of the French delegation to the UNCITRAL Working Group on Electronic Commerce, stressed that the aim must be a single global system and not harmonization of the existing systems. With this in mind, the Group’s work should focus on defining a “model law” which sets out the basic minimum requirements for authentication, as it were, a lowest common denominator compatible with individual national legislative frameworks. His address is summed up in the presentation which can be downloaded HERE.

As mentioned by Xue Hong, Full Professor of law at Beijing Normal University, director of the Institute for BNU Internet Policy & Law (IIPL), digital identification on a global scale will have to take into account the new requirements which have emerged from the web, such as the purchase and sale of property and rights of an entirely digital nature, such as mailboxes, websites, virtual objects, copyright and so on. Her address examined this point in depth in THIS presentation.

Andrea Stazi, head of Public Policy and Government Relations at Google Italy, underlined the need to anticipate the difficulties of managing digital identity in relation to the protection of privacy. Ala Musi, Deputy Director of the China Electronic Commerce Association Policy & Law Committee at AliBaba, for his part emphasized the importance of establishing the limits of legal responsibility of e-commerce platforms that operate worldwide. His presentation can be downloaded HERE.

The summing up by the Secretary of the UNCITRAL Working Group on Electronic Commerce, Luca Castellani, brought the conference to a close.

The Bologna meeting marked the beginning of a process of sharing of ideas by international experts on the issue of the regulation of digital identity on a global scale. The task of finding guidelines for a single system will now be put in the hands of the UNCITRAL Working Group.


10 June 2015, 9.00 a.m. – 1.30 p.m.

The United Nations Working Group on Electronic Commerce Organizes in Bologna the Workshop “Open Issues on Electronic Commerce: the Digital Identity”

A meeting of experts to discuss the open issues on electronic identification in the context of electronic commerce. Two giants of the web, Google and AliBaba, will also be taking part in the Workshop.

Legal experts and international specialists will meet to take part in a United Nations Commission on International Trade Law Workshop.

The international meeting “Open Issues on Electronic Commerce: the Digital Identity UNCITRAL Workshop” will be held at the Bologna Law School in Palazzo Malvezzi on the 10th of June 2015.

The event is organized by Full Professor Giusella Finocchiaro, President of UNCITRAL Working Group IV on Electronic Commerce and representative of the Italian Government at UNCITRAL. Among the workshop participants there will also be representatives of Google, AliBaba (the largest Chinese e-commerce corporation) and the ABA (American Bar Association).

The Digital Identity in the Electronic Commerce Era, an Open Issue

How can a person’s identity be verified on the Internet? This is the real question in this new phase of digitalization of identification services. For example, how does one open a bank account, interact with the Public Administration, or take part in an online public tender?

Digital identification is a centrally important theme for the UNCITRAL Working Group, whose job is to draft joint international rules on electronic commerce.

The aim of the workshop is to bring together experts from the economic, institutional and academic worlds to focus on the still open issues in the field of online identification, which will be dealt with by the Working Group in future United Nations Commission work sessions.

A Full Day’s Work

The Workshop will get underway with an opening address from the Rector of the University of Bologna, Ivano Dionigi, and an introduction by Giusella Finocchiaro, Full Professor of Private Law and Internet Law at the University of Bologna, President of UNCITRAL Working Group IV on Electronic Commerce and Representative of the Italian Government at UNCITRAL.

The Workshop is organized in three sessions. The first will deal with the theme of digital identity from the European perspective. The second will deal with the same theme from an international point of view. Finally, the third session will focus on the open issues on electronic commerce from the business point of view. The discussion will be closed by Luca Castellani, Secretary of Working Group IV (Electronic Commerce).

The Workshop, which is open to the public, will occupy the whole morning. The afternoon will be dedicated to a closed meeting to discuss the relevant findings of the Workshop.

The legal issues raised by electronic commerce are nowadays largely settled. The conference will therefore focus only on some new and still open issues of electronic commerce, such as digital identity. The speakers will address the theme from different perspectives, each with a speech of 20 minutes. Time for discussion will be left at the end of each session.

The workshop will take place at the University of Bologna, Via Zamboni 22, Sala Armi (Bologna, ITALY).

PROGRAMME

  • Registration
    h. 8.30 a.m.
  • Opening Addresses
    h. 9.00-9.30 a.m.
    Ivano Dionigi – Rector of the University of Bologna
    Giovanni Berti Arnoaldi Veli – President of the Bologna Bar Association (to be confirmed)
    Nicoletta Sarti - President of the Bologna University Law School
    Giovanni Luchetti - Director of the Bologna University Department of Legal Studies
    Massimo Franzoni - Director of the Specialization School for Legal Professions of Bologna
  • Introduction
    h. 9.30-10.00 a.m.
    Giusella Finocchiaro – Full Professor of Private Law and Internet Law at the University of Bologna, Chair of the UNCITRAL Working Group on Electronic Commerce
  • The Digital Identity: the European Perspective
    h. 10.00-11.00 a.m.
    Speakers:
    Eric A. Caprioli - Avocat à la Cour de Paris – Ph.D, Member of the French delegation at the UNCITRAL Working Group on Electronic Commerce
    Andrea Servida – Head of Task Force Legislation Team (eIDAS), European Commission
    Discussion
    Chair:
    Didier Gobert - Head of the Electronic commerce service, Public Federal Service Economy and trainer in ICT law – Belgium
  • The Digital Identity: the Global Perspective
    h. 11.00-12.00 a.m.
    Speakers:
    Thomas J. Smedinghoff – Of Counsel in the Privacy & Cybersecurity Practice Group in the Chicago office of Locke Lord LLP; Chair of the Identity Management Legal Task Force of the American Bar Association
    Hong Xue – Full Professor of Law at Beijing Normal University (BNU), Director of BNU Institute for Internet Policy & Law (IIPL) and Co-Director of UNCITRAL-BNU Joint Certificate Program on International E-Commerce Law (JCP)
    Discussion
    Chair:
    Francesco Delfini – Full Professor of Private Law at the University of Milan
  • Open Issues on Electronic Commerce
    h. 12.00 a.m.-1.00 p.m.
    Speakers:
    Andrea Stazi – Public Policy and Government Relations Manager at Google
    Ala Musi - China Electronic Commerce Association Policy & Law Committee Deputy Director, Alibaba
    Discussion
    Chair:
    Alberto M. Gambino – President of the Italian Academy of the Internet Code (IAIC), Full Professor of Private Law at the European University of Rome
  • Closing remarks
    h. 1.00 p.m.-1.30 p.m.
    Luca Castellani – Secretary of the Working Group IV (Electronic Commerce) UNCITRAL


Scientific Organizing Committee:

Giusella Finocchiaro

Matilde Ratti


DOWNLOAD PDF HERE


As already announced, the Italian Data Protection Authority has approved a general normative provision on biometrics, which is in the process of being published in the Official Gazette.

Given the increasing use of devices and technologies for the collection and processing of biometric data, mainly for purposes of personal identification, access control and the signing of electronic documents, the Italian Data Protection Authority’s action aims to provide a uniform framework which can be used as the basis for recommending technological choices, adapting processing to the requirements of the Privacy Code and verifying compliance with security standards.

Biometric data are, by their very nature, directly and unequivocally related to an individual and are generally constant over time, which reflects the profound relationship between a person’s body, behaviour and identity. For this reason the adoption of biometric systems for the collection and processing of data may entail specific risks for fundamental rights and freedoms as well as for an individual’s dignity.

However, within the varied landscape of biometric technologies, and with a view to simplifying compliance, the Italian Data Protection Authority has identified certain types of processing which present less risk and which, unlike other types, do not require preliminary verification by the Authority. The exemption is granted on condition that all the technical measures and precautions necessary to achieve the security objectives identified by the provision are taken and that the general requirements of lawfulness laid down by the Privacy Code are met.

There is no need to apply for preliminary verification for the following four types of processing:

  • Signing of electronic documents: analysis of the biometric data associated with applying a handwritten signature may be used in graphometric signature systems that form the basis of an advanced electronic signature solution. Processing is permitted only with the express consent of the person concerned, given on signing up for the graphometric signature service and valid for all documents to be signed until it is withdrawn. Consent is not necessary in the public sphere where specific institutional objectives are pursued. Alternative means of signing which do not involve biometric data, whether on paper or electronic, must in any case remain available.
  • Digital authentication: the biometric characteristics of a person’s fingerprints or voiceprint may be used as credentials to access databases and computer systems, also without the user’s consent.
  • Control of physical access: the biometric characteristics of fingerprints or the topographical layout of the hand may be processed to allow access to areas considered “sensitive” or to restrict the use of dangerous machinery and equipment to qualified operators. Processing may also take place without the user’s consent.
  • Facilitation of processes: fingerprints and the topographical layout of the hand may be used to allow users physical access to areas in the public domain (e.g. libraries) or the private sphere (e.g. reserved airport areas). In this case use is permitted only with the consent of the parties concerned, and alternative arrangements must still be provided for those who refuse to provide their biometric data or to consent to its processing.

In view of the complexity of the matter in relation to the rules on the processing of personal data, the Italian Data Protection Authority has attached to its provision a document containing the “Guidelines on biometric recognition and graphometric signatures”, which had already been submitted for public consultation, and a special form to be used for notifying the Authority of breaches of biometric systems. Indeed, in order to prevent possible theft of biometric identity, all data breaches or cyber incidents that might significantly impact biometric systems and the data collected must be notified to the Italian Data Protection Authority within 24 hours of being discovered.

While awaiting publication of the provision in the Official Gazette, we invite you to browse through it and its attachments on the website of the Italian Data Protection Authority.


In Italy there is a growing outcry on the part of traders and business people against TripAdvisor: Federalberghi (the hoteliers’ association) speaks of a “genuine emergency” caused by malpractice which, through blackmail and threats, severely disrupts the activity of tour operators, while the Sos albergatori association uses the Pirtadvisor app in an attempt to flush out misleading reviews.

There are also those who have come out in open revolt against the American portal and display a decidedly blunt sign at the entrance to their premises plainly stating “TripAdvisor users not welcome”.

The problem has long been debated and is first and foremost a legal one: Decree Law 70/2003 (implementing European Directive 2000/31/EC) provides that the owners of websites are not liable for information sent by users, unless they are aware that the activity or information is unlawful, or, once aware of such facts and following a request from the judicial authority, fail to act promptly to remove the information or to disable access to it.

It is precisely for this reason that TripAdvisor and similar sites are under no obligation to verify the identity of the writer or the information received. Consequently, protection can only be obtained once the violation has already taken place: by demanding removal of the review, either directly or through a lawyer, and by claiming damages or suing in the case of defamation or violation of the right to personal identity.

A recent decision by the Italian Data Protection Authority authorizes the use of the graphometric signature on tablets in the banking sector.

The system, which was submitted to the Italian D.P.A. for preliminary verification, is fairly complex: it is split into different phases and involves a number of different parties.

The technology used is also able to capture the characteristics of a customer’s signature online by analysing certain criteria that can be derived from the signature, such as the speed of the stroke, its pressure, acceleration, inclination and so on.

The system is intended to be used by financial promoters for customer authentication and for subsequent operations. There are two main phases in the process: first, the collection of the specimen signature to be used as a reference for comparison in order to safeguard the customer, and second, the signing of documents with the electronic signature.

As set out in the decision, the specimen signature, together with the customer’s identification data, is transmitted by the bank through secure encrypted channels to the certifier, who validates the request and issues the digital certificate associated with the applicant. All subsequent signatures are then transmitted in encrypted form to the certifier’s server, which verifies the match against the specimen signature and checks that the tablet’s serial number is in fact registered.

This system should reduce the risk of fraud, in particular fraud related to identity theft.

As usual the Authority requires the adoption of specific measures to protect personal data. With particular regard to mobile devices, the D.P.A. recommends that biometric user data be processed with all appropriate security measures in place, so as to minimise the risk of unauthorised software installation or infection by malware.

The D.P.A. also requires remote wiping, so that the contents of tablets which have been tampered with, lost or stolen can be deleted remotely.

Moreover, the processing of biometric data is subject to customer consent. The D.P.A. underlines that consent, where required, must be freely and knowingly given.

Finally, the D.P.A. draws attention to the need to ensure that biometric data are not retained for longer than is necessary for the purposes for which they were collected and subsequently processed. Any extension of the retention period may be justified only by specific laws.

Further requirements under existing law are reaffirmed, including notification of the processing and the obligation to designate external parties as data processors.

On 3 April 2014 the Proposal for a Regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (eIDAS) was approved by the European Parliament.

The main principles of the Regulation are summarised below (see also THIS POST).

One of the objectives of the Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States.

The principle of mutual recognition should apply if the notifying Member State’s electronic identification scheme meets the conditions of notification and the notification was published in the Official Journal of the European Union.

The Regulation reaffirms the principle that an electronic signature should not be denied legal effect on the grounds that it is in an electronic form or that it does not meet the requirements of the qualified electronic signature. However, it is for the national law to define the legal effect of electronic signatures, except for the requirement provided in the Regulation according to which a qualified electronic signature should have the equivalent legal effect of a handwritten signature.

The Regulation lays down the conditions under which Member States shall recognise electronic identification means of natural and legal persons falling under a notified electronic identification scheme of another Member State, lays down rules for electronic trust services, in particular for electronic transactions, and establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services and certificate services for website authentication.

The Regulation shall apply from 1 July 2016 and the Directive 1999/93/EC on electronic signatures is repealed with effect from 1 July 2016.
