09.09.05

Deliverable DJ5.1.3: GÉANT2 Roaming Policy and Legal Framework - Part 1: Legislation Overview

Contractual Date: 31/05/05
Actual Date: 09/09/05
Contract Number: 511082
Instrument type: Integrated Infrastructure Initiative (I3)
Activity: JRA5
Work Item: 2 (Roaming)
Nature of Deliverable: R (Report)
Dissemination Level: PU (Public)
Lead Partner: SURFnet
Document Code: GN2-05-163v3

Authors: D.Simonsen (UNI-C), S. Hjortgaard Christensen (UNI-C), E. Kassenaar (SURFnet), K. Wierenga (SURFnet),
N. Jeliazkova (IISTF), R. Paffrath (DFN), J. Rauschenbach (DFN), S. Papageorgiou (GRNET), J. Jandusova
(CESNET), J. Furman (CESNET), S. Winter (RESTENA), G. Massen (RESTENA), R. Marx (RESTENA), R.
Papež (ARNES), B. Esih (ARNES), M. Dias (FCCN), L. Guido (FCCN), C. Iglesias (RedIRIS), N.B. Zanon
(SWITCH)

Abstract: This deliverable provides an overview of the rules, national legislation etc. which influence the roaming activities of GÉANT2,
specifically regarding protection of personal data. The EU Data protection Directive provides the lowest common denominator. In addition
to this, eleven National Research and Educational Networks provided feedback on legislation relevant to roaming in their respective
countries. Based on this deliverable and the technical requirements for the roaming infrastructure, a policy for eduroam-ng will be provided
in a second part of the document in year 2 of the project's lifetime.
Table of Contents

0 Executive Summary

1 Roaming, Legal Rules and AUPs
1.1.1 Encryption of credentials
1.1.2 Further attribute exchange about the user
1.1.3 Storage of user data for logging and forensic purposes
1.1.4 Access to home and visited sites' Acceptable Use Policy (AUP)

2 Overview of relevant legislation
2.1 The EU Data protection Directive
2.2 Country specific regulation
2.2.1 ARNES, Slovenia
2.2.2 CARNet, Croatia
2.2.3 CESNET, Czech Republic
2.2.4 DFN, Germany
2.2.5 FCCN, Portugal
2.2.6 GRNET, Greece
2.2.7 ISTF, Bulgaria
2.2.8 RedIRIS, Spain
2.2.9 RESTENA, Luxembourg
2.2.10 SURFnet, The Netherlands
2.2.11 SWITCH, Switzerland

3 Towards a Common Policy for eduroam Federations
3.1 Protection of user credentials and further attributes
3.2 Logging and monitoring
3.3 Access to relevant AUPs
3.4 Eduroam federation document

4 Conclusion

Project: GN2
Deliverable Number: DJ5.1.3
Date of Issue: 09/09/05
EC Contract No.: 511082
Document Code: GN2-05-163v3 ii
Table of Figures
Figure 1: Access at the home institution
Figure 2: Access at an institution from the same national RADIUS domain
Figure 3: Access at an institution from a different national RADIUS domain

0 Executive Summary
Part 1 of the document gathers best-effort descriptions of national legislation that should be taken into account
when implementing the GÉANT2 roaming activities. These descriptions should not be seen as an attempt to
provide a full overview of all legal details. It should be noted that the field of investigation, technically and legally,
changes over time. The basis of the investigation is the existing eduroam federation, the starting point for the
GÉANT2 roaming infrastructure. The legal overviews were carried out by eleven JRA5 partners, based on
the advice of the NRENs' legal consultants, and give a good indication of the spectrum of common legal ground
and differences within the GÉANT2 community.

Several levels of legislation apply when mapping the present roaming activities (eduroam). EU directives,
national legislation, NREN acceptable use policies, institutional rules as well as the policy for the eduroam
federation itself will all have to be considered. For the roaming user the visited institution's acceptable use
policy (AUP) will probably be the most relevant set of rules to abide by, as it always has to take all relevant
legislation and other relevant rules into account. The user must always abide by the legislation, AUPs etc. of
the institution where he is physically situated, even when using virtual private network (VPN) systems to
connect to his home institution.

All overviews of national legislation agree that the EU directive on data protection (see
http://europa.eu.int/comm/justice_home/fsj/privacy/) is of paramount importance. It has already been
implemented in all EU member states' legislation and thereby provides a widespread harmonization within the
GÉANT2 community. This document cannot be seen as exhaustive. Even if an attempt has been made to
take the relevant legislation documents into account it is not excluded that several other directives and
declarations might be of importance.

The institutions have the authority over their networks and always decide what resources to authorize the user
to use on the basis of appropriate authentication. It is a local decision. This is also valid for network access and
in turn means that the roaming user cannot expect services other than those established as the minimum
provided within the GÉANT2 community. This level of service has yet to be formally agreed upon, as have the
level(s) of security provided by eduroam-ng. A clear definition of eduroam-ng is needed in the form of a policy
concerning the already mentioned topics as well as responsibilities, authority etc. This will be the subject of part
2 of this deliverable, which will be provided in year 2.

1 Roaming, Legal Rules and AUPs
Users that roam between institutions within the GÉANT2 community will be able to use their credentials
provided by the home institution to get access to both network resources and network based services. This
means that communication between the visited institution (resource provider) and the home institution will occur.
This communication will cross both administrative domains and national borders. The user credentials are
generally perceived as critical by both the institutions and the users, as they often give access to email, course
management systems etc. via single sign on systems at the home institutions. They should be thought of as
referring to 'natural persons' and thereby as 'personal data'.

The first generation of eduroam was conceived and built in the pioneering spirit of the Internet: keep it simple,
let it grow. eduroam encompassed several fundamentally different approaches to roaming, in a time of
development and maturing of wireless technologies. The pioneering times are not over, but a need to simplify
the message about what eduroam is and what you can expect from it has emerged along with the expansion.
So far eduroam deals with authentication only (leaving a rudimentary authorisation decision to the network
provider that is purely based on the authentication information; but this will be changing looking at the
integration with AAI). Finally the eduroam-ng infrastructure should integrate with coming services and
applications (AAI and single sign on) that were not initially imagined in connection with eduroam. All this calls
for a clear and simple definition of eduroam-ng.

In practice, the user could authenticate using his email address (of his home institution) and password affiliated
with that address - at the resource institution. The credentials would be routed safely back to the home
institution which replies whether it acknowledges the user to be one of its own, or not. From then on it's up to
the visited institution to decide what the roaming user gets access to.

The business model in place is simple: an institution provides network access to visiting users, and vice versa
when its own users travel to the other institution. To have trust in the eduroam set-up it is expected that all
participants follow common rules that will be formulated in a policy document, ensuring a certain level of trust
and that the overall system is safe by applying transitive security.

International meetings have revealed that the interest in eduroam is large and growing. It seems clear that
'eduroam regions' will emerge (Europe being only one of several possible) and hence the eduroam-ng policy
must interact with other regional policies to ensure that users' roaming is indeed possible across the many
country borders and administrative domains of the emerging eduroam-world.

The present solution for roaming, eduroam, has established a hierarchy of servers (institutional, national and
international) that route the user credentials to the home institution from anywhere in the federation (figure 1).
Because of the hierarchical set-up, trust is established between different domains without the need to know
everybody in the federation.

Figures 1 - 3 below show the flow of credentials in three scenarios, using eduroam as we know it today: 1) the
user being authenticated at the home institution, 2) the user being authenticated at a neighbouring institution in
the same country and 3) the user being authenticated at an institution abroad. The credentials consist in this
example of email address and password. The realm of the email address (@xyz.tld) makes it possible to route
the credentials back to the home institution. eduroam-ng might have a slightly different technical architecture,
but this will not change the general picture and the rules that should be observed.

Figure 1: Access at the home institution

The user is being authenticated at home, using the eduroam infrastructure. The top level domain, domain name
and user name of the email address are recognized locally and handled locally.

Figure 2: Access at an institution from the same national RADIUS domain

The user is being authenticated at a next door institution (No 2), in the same country, using the eduroam
infrastructure. The domain name of the email address is not recognized locally and the request is transferred to
the national server that routes the request to the right institution (No 1).

Figure 3: Access at an institution from a different national RADIUS domain

The user is being authenticated at an institution abroad (No 3, PT), using the eduroam infrastructure. The top
level domain name of the email address is recognized neither locally nor at the national server (PT), and the
request is transferred to the international RADIUS server (EU1) that routes the request to the right country (DK),
where it is directed towards the right institution (No 1).
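
The three routing scenarios of Figures 1 to 3, as an added example that is not part of the original deliverable: a request climbs the server hierarchy until a server recognizes the realm, then descends to the home institution, and the resulting hop list shows which parties relay the credentials. The realms (inst1.dk, inst2.dk, inst3.pt) and all class and function names are assumptions made for illustration.

```python
"""Realm-based routing in a three-level server hierarchy (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class RoutingError(ValueError):
    """The identity is malformed or no server is responsible for its realm."""


@dataclass(eq=False)
class Server:
    name: str    # label as used in the figures, e.g. "No 1", "DK", "EU1"
    scope: str   # realm suffix served: "" = international, "dk" = national
    parent: Optional["Server"] = field(default=None, repr=False)
    children: Dict[str, "Server"] = field(default_factory=dict, repr=False)

    def add(self, name: str, scope: str) -> "Server":
        """Attach a subordinate server responsible for `scope`."""
        child = Server(name, scope, parent=self)
        self.children[scope] = child
        return child

    def covers(self, realm: str) -> bool:
        """True if the realm equals this server's scope or lies below it."""
        return (self.scope == "" or realm == self.scope
                or realm.endswith("." + self.scope))


def realm_of(identity: str) -> str:
    """Return the lower-cased realm of user@realm, rejecting malformed input."""
    user, sep, realm = identity.strip().rpartition("@")
    if not sep or not user or "." not in realm.strip("."):
        raise RoutingError(f"not a user@realm identity: {identity!r}")
    return realm.lower()


def route(identity: str, visited: Server) -> List[str]:
    """List the servers a request passes, from visited site to home site."""
    realm = realm_of(identity)
    node, path = visited, [visited.name]
    # Climb: the realm is not recognized here, hand the request upwards.
    while not node.covers(realm):
        if node.parent is None:
            raise RoutingError(f"{node.name} has no parent for {realm!r}")
        node = node.parent
        path.append(node.name)
    # Descend: pick the subordinate server responsible for the realm.
    while node.scope != realm:
        nxt = next((c for c in node.children.values() if c.covers(realm)), None)
        if nxt is None:
            raise RoutingError(f"{node.name} knows no server for {realm!r}")
        node = nxt
        path.append(node.name)
    return path


def relays(path: List[str]) -> List[str]:
    """Servers between the visited and the home institution."""
    return path[1:-1]


def build_demo_hierarchy() -> Dict[str, Server]:
    """Constructed sample topology matching the labels in Figures 1 to 3."""
    eu1 = Server("EU1", "")
    dk, pt = eu1.add("DK", "dk"), eu1.add("PT", "pt")
    servers = [eu1, dk, pt,
               dk.add("No 1", "inst1.dk"),   # home institution (assumed realm)
               dk.add("No 2", "inst2.dk"),   # neighbouring institution
               pt.add("No 3", "inst3.pt")]   # institution abroad
    return {s.name: s for s in servers}


if __name__ == "__main__":
    sites = build_demo_hierarchy()
    for visited in ("No 1", "No 2", "No 3"):
        hops = route("alice@inst1.dk", sites[visited])
        print(f"{visited}: {' -> '.join(hops)}  relays={relays(hops)}")
```

Every server returned by `relays` is a party that handles the request in transit, which is the set that the end to end encryption requirement of section 1.1.1 has to keep the password hidden from.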

In order to promote eduroam from the pilot infrastructure that it is today towards the full service that JRA5 will
deliver, it is important to assure that current and future architectures respect the relevant legislation. Among the
issues that should be addressed building eduroam-ng is the data quality and proportionality principle: data
should be accurate and, where necessary, kept up to date. The data should be adequate, relevant and not
excessive in relation to the purposes for which they are transferred or further processed. The areas of particular
interest are:

1.1.1 Encryption of credentials

Since the user credentials (i.e. email address and password) typically give access to several systems such as
email, course management systems at the home institution etc. it is of paramount importance that the
credentials are kept private and are not exposed to untrustworthy parties. Handling and transfer of such data is
governed by the EU directive on data protection that has been implemented in all EU member states. This,
among other things, calls for end to end encryption between the client machine and the home institution so that
no 'man in the middle attack' can take place.

1.1.2 Further attribute exchange about the user

In order to provide the roaming user access to advanced services, more detailed information about the user will
often be required by the visited site. Before releasing such data the EU directive on data protection mandates
that the user must give his consent.

1.1.3 Storage of user data for logging and forensic purposes

Logging of roaming activities and user data must strictly follow the proportionality principle, to ensure both the
users' and the institutions' trust in eduroam-ng. One of the main anchors of trust on the institutional side of
eduroam is the possibility of tracking down misuse since each institution grants access to net based resources
to people from other institutions. Log files should/must be kept for as long as the national legislation
permits/mandates.

1.1.4 Access to home and visited sites' Acceptable Use Policy (AUP)

The user should always abide by the AUP of his home institution. Furthermore, when roaming, he must always
abide by the rules of the place where he is physically situated. Therefore all participating institutions should
make their AUP easily available, both locally and at the national eduroam-ng website.

2 Overview of relevant legislation
Roaming users in the context of JRA5 move between institutions and countries and will be authorized for
network access and network based services after successful authentication and authorization sessions. Just as
different countries have different traffic rules, so do they have different laws and rules governing the use of
network resources. Building a roaming infrastructure is therefore not only a question of technical solutions, but
also of potential conflicting legislation in the participating countries.

This deliverable draws up the legal landscape as background to a future roaming policy that does not conflict
with legislation and ensures that trust in the roaming infrastructure is maintained.

The legislative harmonization in the EU certainly makes this field of investigation more transparent since the data
protection act has been implemented in all member states' national legislation. Nevertheless, national variation
exists, and eleven countries from the JRA5 group have contributed legislative overviews.

The following eleven JRA5 partners have provided best effort legal overviews of what legislation appears to be
relevant for existing and future roaming activities:

ARNES, CARNet, CESNET, DFN, FCCN, GRNET, ISTF, RedIRIS, RESTENA, SURFnet and SWITCH.

All parties found Directive 95/46/EC from the European Parliament and from the Council of 24 October 1995
(Data Protection Directive, DPD) to be most relevant. It ensures the protection of privacy and private life as well
as protection of personal data with regard to fundamental rights and freedom of natural persons. The directive
regulates the processing of personal data and formulates the legal framework on the protection of the data
subjects. All EU countries have implemented the directive, whilst Luxembourg has gone even further than
required (see below).

2.1 The EU Data protection Directive

The protection of privacy is ensured by Article 8 of the European Convention for the protection of Human Rights
and Fundamental Freedoms (see http://europa.eu.int/comm/justice_home/fsj/rights/fsj_rights_intro_en.htm). It
should be underlined that all Member States and the European Union are bound by the provisions of this
Convention.

Furthermore, the Convention for the protection of individuals with regard to automatic processing of personal
data (No 108/1981) was the first legally binding instrument in the data protection field. The Charter of
Fundamental Rights of the European Union (see
http://europa.eu.int/comm/justice_home/fsj/rights/charter/fsj_rights_charter_en.htm), signed and proclaimed in
Nice on 7 December 2000, provides in Article 7 for the protection of private and family life, home and
communication and in Article 8 for the protection of personal data. The new European Constitution contains
also articles specifically devoted to data protection and privacy (e.g. I-51), and there are strong indications that
the European Union may promote further development in the very near future. This being said, the results of
the referendums in France and Holland introduce some uncertainty as to the status of these initiatives.

Over the past decade, the European Commission has promoted and/or adopted a number of Directives and
Decisions intended to create a legal framework within the European Union that provides strong protection to
citizens against the non-consensual, excessive collection, processing or communication of their personal data.

In particular, Directive 95/46/EC from the European Parliament and from the Council of 24 October 1995 (the
Data Protection Directive; more info under http://europa.eu.int/comm/justice_home/fsj/privacy/index_en.htm)
ensures the protection of privacy and private life as well as the protection of personal data with regard to
fundamental rights and freedoms of natural persons (Article 1, para. 1). It makes reference to specificity and
sensitivity of processing of sound and image data (Articles 2(a) and 33 and recitals 14 and 26). It deals in detail
with issues linked to data quality (Article 6), criteria for making data processing legitimate (Article 7), processing
of special categories of data (Article 8), information to be given to data subjects (Articles 10 and 11), data
subject’s right of access to data and right to object to the processing (Articles 12, 14 and 15), safeguards
applying in relation to automated individual decisions (Article 15), confidentiality and security of processing
operations (Articles 16 and 17), notification of processing operations (Articles 18 and 19), and prior checking of
processing operations likely to present specific risks to the rights and freedoms of data subjects (Article 20).

In addition to the general Directive 95/46/EC, the Directive 2002/58/EC of the European Parliament and of the
Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the
electronic communications sector (replacing Directive 97/66/EC) is also relevant.

The universities involved could also take adequate measures in order to implement the so-called principle of
moderation in the use of personal data which is aimed at preventing or reducing, to the greatest possible
degree, the processing of personal data.

One possible goal is to take additional steps in order to develop privacy-enhancing technologies (PETs). From
a regulatory point of view, it could be stressed that the framework principles behind the concept of PETs are
laid in Directive 95/46/EC and especially in Articles 6(1), 17 and Recital 46 of the preamble to the Directive. In
particular, Article 6(1) refers to the principle of data minimisation by stating that the processing of personal data
should be limited to data that are adequate, relevant and not excessive.

This principle is strengthened by the reference that data should only be kept in a form that permits identification
of data subjects for no longer than is necessary for the purposes for which the data were collected or for which
they are further processed. Article 17 of the Directive in question requires that controllers implement security
measures which are appropriate to the risks presented for personal data in storage or transmission, with a view
to protecting personal data against accidental loss, alteration, unauthorised access, in particular where the
processing involves the transmission of data over a network, and against all other unlawful forms of processing.

And Recital 46 of the preamble to the Directive underlines the fact that the protection of the rights and freedoms
of the individuals with regard to the processing of personal data requires that appropriate technical and
organisational measures should be taken, both at the time of the design of the processing system and at the
time of the processing itself.

In the following pieces of text eleven countries point out legislation that either might be of general interest for
the roaming infrastructure or specific for that particular country. The list is ordered by country to illustrate how
the different NRENs view the field of interest. The results are not harmonised and most likely incomplete.

2.2 Country specific regulation

In all countries, there exists national legislation which is largely an implementation of the EU Data Protection
Directive. In addition, further specific legislation may impose additional requirements. This chapter provides an
overview of some of these additional requirements. Links to the appropriate documents are provided in full
versions of these contributions in the appendix.

2.2.1 ARNES, Slovenia

Slovenia mentions the relevance of the national laws: the Personal Data Protection Act (harmonised with EU
directives) and the Electronic Communications Act. ARNES claims to be operating a 'closed network' and
hence the national law (Data Communications Act) doesn't apply to ARNES. They do their best to work in
accord with all provisions of the acts, which forbid the collection of personal registration numbers. ARNES is
considering stopping the collection of these data.

2.2.2 CARNet, Croatia

Croatia points out that the Data Protection Act states that personal data filing systems or personal data
contained in personal filing systems may be transferred abroad for further processing only if the state or
international organisation to which the personal data is being transferred has adequately regulated the legal
protection of personal data and has ensured an adequate level of protection. This will have to be taken into
account if eduroam should be chosen as the infrastructure to pass further attributes for authorization purposes,
as envisioned in the plans for AAI and SSO. Prior to transferring personal data abroad, the personal data filing
system controller shall, in case of reasonable doubt regarding the existence of an adequate personal data
protection system, obtain an opinion regarding this issue from the Personal Data Protection Agency in his
country.

2.2.3 CESNET, Czech Republic

The Czechs mention Act No 151/2000 Coll. on telecommunications, according to which all personal data as
well as data that are subject to the telecommunication secret have to be deleted or made anonymous after a
maximum period of 2 months, except where this information is used for identification or investigation of network
abuse. Persons operating telecommunication services are obliged to notify the relevant authorized bodies of
information being telecommunication secret or personal data.

2.2.4 DFN, Germany

Germany emphasizes that there is no obligation to record and retain communications and traffic data preventively.
Only if a judicial resolution directed toward future communication procedures of a participant is present must the
data be stored in the context of the resolution and handed over to the public prosecutor's office.

2.2.5 FCCN, Portugal

Portugal draws attention to the Computer Criminal Law based on the guiding principles contained in the
report of the European Committee on Crime Problems of the Council of Europe. The offences therein punished
are i.e. damage to data and programmes, computer-related sabotage, illegitimate access, illegitimate
interception of computer systems or networks, illegitimate reproduction of computer programmes.

Mentioned as potentially relevant are also the Access Directive (2002/19/EC), the Authorisation Directive
(2002/20/EC) and the Framework Directive (2002/21/EC), as is the Decree-Law nr. 7/2204, which deals with
legal aspects connected with the services of the information society like electronic contracts, ISP liability and
unsolicited commercial e-mails.

2.2.6 GRNET, Greece

Greece points to the fact that personal data protection and privacy is ensured by Article 8 of the European
Convention on the protection of Human Rights and Fundamental Freedoms. All member states of the European
Union are bound by the provisions of this Convention.

2.2.7 ISTF, Bulgaria

According to the Constitution of The Republic of Bulgaria the privacy of citizens is inviolable. Everyone is
entitled to protection against any illegal interference in his private or family affairs and against encroachments
on his honour, dignity and reputation. Everyone is entitled to seek, obtain and disseminate information but this
right shall not be exercised to the detriment of the rights and reputation of others, or to the detriment of national
security, public order, public health and morality.

2.2.8 RedIRIS, Spain

Spain refers to the Spanish Personal Data Protection Act (LOPD), to the Information Society Services and Electronic
Commerce Act (LSSICE), to the Regulation of Security Measures of Automated Personal Data Files (RMD) and to
Report 327/2003 of the Spanish Agency of Data Protection on whether IP addresses are personal data.

There are two different sets of data in the roaming system that may contain personal data: on one hand the
information provided by the home institution and contained in the credentials and, on the other hand, the logs
that must be kept on authenticated sessions and network access sessions.

In either case, the guest user must express consent to the use of the personal data (art. 6 LOPD). The guest
user must be provided with information about the personal data file (art. 5 LOPD): data to be processed,
purpose of the processing, controller of the file, persons to whom the data will be provided, whether the data is
compulsory, the consequences of not providing the data.

Besides the users' policy of the home and visited universities, the guest user must be aware that the LSSICE
regulates certain activities related to the provision of Information Society Services and electronic commerce, such
as electronic contracting.

Furthermore, the Spanish Penal Code sets out a number of punishable conducts related to computer and
network usage, for example: illegitimate access to a telecommunications terminal when this causes harm to
the owner (art. 256 Penal Code), discovering secrets (art. 197 Penal Code), infringement of copyright for a
commercial purpose and when it harms a third party (arts. 270 et ss.).

2.2.9 RESTENA, Luxembourg

Luxembourg has implemented European Union directive 95/46/EG and has gone even further than the directive
suggests. The usage of any information that can be associated with a person must be reported to the national
data protection committee. The customer must declare consent before any personally related data may be
stored.

2.2.10 SURFnet, The Netherlands

The Netherlands points out that traffic data is a subject of concern due to certain user storage regulations
(Directive 2002/58/EC in reflexion 15): "A communication may include any naming, numbering or addressing
information provided by the sender of a communication or the user of a connection to carry out the
communication. Traffic data may include any translation of this information by the network over which the
communication is transmitted for the purpose of carrying out the transmission. Traffic data may, inter alia,
consist of data referring to the routing, duration, time or volume of a communication, to the protocol used, to the
location of the terminal equipment of the sender or recipient, to the network on which the communication
originates or terminates, to the beginning, end or duration of a connection. They may also consist of the format
in which the communication is conveyed by the network".

Regarding data transfers to third countries, an independent body in which all European data protection
authorities are represented (the Article 29 Working Party) has written a paper about the acceptable level of
protection (Transfers of personal data to third countries; Applying Articles 25 and 26 of the EU data protection
directive).

2.2.11 SWITCH, Switzerland

For the data protection issues the Federal data protection Act and the different cantonal data protection acts
apply. For civil liability issues, the relevant cantonal legislation applies and for lawful interception topics the
Federal law of interception in the telecom traffic applies.

Switzerland is not a member of the EU and therefore does not follow the respective EU data protection directive
(see Appendix A). Swiss data protection law is nonetheless very similar to EU data protection law. As data
protection is not a federal duty, the cantons have their own data protection law, which applies to the respective
universities, except the Federal Polytechnic Schools, which are subject to Federal data protection law. In any case,
the principles of what is personal data and how you are allowed to process data are more or less the same.

If the user's consent is not obtained, a legal basis for the processing of the data is needed in Switzerland. This
legal basis may already be given by cantonal law but has to be checked by the institutions themselves.

3 Towards a Common Policy for eduroam Federations
Traffic data is a subject of concern due to certain user storage regulations, as can be seen in the previous
chapter. This has implications for the roaming service that is being built, mainly with respect to the transport of
user credentials and the storage of log information.

Directive 2002/58/EC states in reflection 15: "A communication may include any naming, numbering or
addressing information provided by the sender of a communication or the user of a connection to carry out the
communication. Traffic data may include any translation of this information by the network over which the
communication is transmitted for the purpose of carrying out the transmission. Traffic data may, inter alia,
consist of data referring to the routing, duration, time or volume of a communication, to the protocol used, to the
location of the terminal equipment of the sender or recipient, to the network on which the communication
originates or terminates, to the beginning, end or duration of a connection. They may also consist of the format
in which the communication is conveyed by the network".

The requirements for the security level of the Radius infrastructure must be in accordance with the national
data protection law (The Dutch Wbp or its local equivalent based on the EU Directive 95/46/EC) and other
relevant legislation and regulation.1

The term “transfer of personal data to a third country” refers to making personal data available to a person that
is outside the legal jurisdiction of one of the countries of the European Union. There are specific provisions for
the movement of data to countries outside the European Union, the third countries. The primary rule is that
personal data may only be transferred to a third country if the third country ensures an adequate level of data
protection. For a number of countries, the European Commission has adopted decisions regarding the
adequacy of the level of protection.2

1 KPMG Rapport on Security criteria Radius infrastructure page 4 (pdf)
2 Commission decisions on the adequacy of the protection of personal data in third countries. (html)

Regarding data transfers to third countries an independent body in which all European data protection
authorities are represented (The Article 29 Working Party) has written a paper about acceptable level of
protection (Transfers of personal data to third countries; Applying Articles 25 and 26 of the EU data protection
directive). Basic contents are:

• Purpose limitation principle: data should be processed for a specific purpose and subsequently used or
further communicated only insofar as this is not incompatible with the purpose of the transfer.

• Data quality and proportionality principle: data should be accurate and, where necessary, kept up to
date. The data should be adequate, relevant and not excessive in relation to the purposes for which
they are transferred or further processed.

• Transparency principle: individuals should be provided with information as to the purpose of the
processing and the identity of the data controller in the third country and other information insofar as
this is necessary to ensure fairness.

• Security principle: technical and organizational measures should be taken by the data controller that
are appropriate to the risks presented by the processing.

• Rights of access, rectification and opposition: the data subject should have the right to obtain a copy of
all data relating to him/her that are processed and a right to rectification of those data that are shown to
be inaccurate. In certain circumstances he/she should also be able to object to the processing of the
data relating to him/her.

• Restrictions on onwards transfers to non-parties to the contract: further transfers of the personal data
by the recipient of the original data transfer should be permitted only where the second recipient (the
recipient of the onward transfer) is subject to rules affording an adequate level of protection.

The US and Australia can be seen as countries with adequate protection for those institutions that are following
the Safe Harbour Principles. A list of these institutions can be found at the website of the U.S. Department of
Commerce.3

3.1 Protection of user credentials and further attributes

As the Working Party already stated in its Recommendation 2/99 on the respect of privacy in the context of
interception of telecommunications adopted on 3 May 1999, the fact that a third party acquires
knowledge of traffic data concerning the use of telecommunication services has generally been considered as
a telecommunication interception and constitutes therefore a violation of the individuals’ right to privacy and of
the confidentiality of correspondence as guaranteed by Article 5 of directive 97/66/EC. In addition, such
disclosure of traffic data is incompatible with Article 6 of that directive.

Any violation of these rights and obligations is unacceptable unless it fulfils three fundamental criteria, in
accordance with Article 8 (2) of the European Convention for the Protection of Human Rights and Fundamental
Freedoms of 4 November 1950, and the European Court of Human Rights’ interpretation of this provision: a
legal basis, the need for the measure in a democratic society and conformity with one of the legitimate aims
listed in the Convention. The legal basis must precisely define the limits and the means of applying the
measure: the purposes for which the data may be processed, the length of time they may be kept (if at all) and
access to them must be strictly limited. Large-scale exploratory or general surveillance must be forbidden. It
follows that public authorities may be granted access to traffic data only on a case-by-case basis and never
proactively and as a general rule.

3 http://www.export.gov/safeharbor/

Using encryption, it is today possible to pass user credentials (typically email address and password) through
the eduroam (RADIUS) infrastructure to the home institution for authentication purposes. If more attributes
are to be exchanged later, this can happen either using the same eduroam system ('in band') or using a separate
set of applications ('out-of-band') that come into play only after the initial successful authentication.

Two principally different ways of obtaining further information on a given user are: 1) sending attributes
describing a given user to the visited site or 2) answering questions about the user posed by the visited site.
The latter method will disclose less information about the user, as Boolean answers tend to be less informative.

All of the above-mentioned rules should be observed, as well as the principle of 'proportionality' (see above).
The SCHema for Academia group (SCHAC), which works on international attribute harmonization, is being
followed closely, as the common and proper understanding of attributes is of course crucial.

3.2 Logging and monitoring

The recent political developments in the area of traffic data retention indicate that a proactive storage of log and
traffic data, not mandatory today, may be a reality in the near future.

There might be situations when retention is necessary even today. An actual decision should be made on the
retention of data processed and stored in connection with the provision of available electronic communications
services or data on public communications networks for the purpose of investigation, detection and prosecution
of crime and criminal offences (in these cases it can be requested by governmental bodies).

Therefore guidelines can be developed in GN2-JRA5 for the storage and logging of data and for the use of this
data.

The Electronic Privacy Information Center (EPIC), a public interest research center in Washington, D.C.
established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First
Amendment, and constitutional values, closely follows the legal development of data retention at:
http://www.epic.org/privacy/intl/data_retention.html

The procedures for defining the rules are still not completed. Recently, a vote in the European Parliament
turned down a proposal on data retention (put forward by the member states and therefore not within the
jurisdiction of the Parliament), which will most likely now be taken up by the Commission to be formally
scrutinized by the Parliament. More can be found at:
http://www.theregister.co.uk/2005/06/08/data_retention_quandry/

3.3 Access to relevant AUPs

Both the AUP of the visited institution as well as the AUP of the home institution must always be obeyed. In
case of overlapping rules the stricter rule will apply. It is therefore necessary that the AUPs are easily
accessible to the user, who must be informed about which rules apply where. Each NREN will be asked to
make available a list of all the AUPs of the participating institutions in that particular country and an overview
will be made available on the eduroam website.

In Figures 1 – 3, institutions should always make their AUP easily available to the users. Perhaps it should even
be required to accept it before further use of the network is granted.

National eduroam web sites should list all participating institutions' AUPs and point to the institutions' eduroam
web sites.

The Greek participant GRNET has indicated in the legal survey that they assume that before a user visits
another University, they have signed a relevant form in which they state that they shall behave according to the
provisions and regulations of the University that they intend to visit and are informed that they are subject to
the laws of that country. Therefore, the user obtains access only if they have been informed of and have
accepted the AUP.

3.4 Eduroam federation document

The purpose of the roaming activity in JRA5 is to build the European network roaming service. The federation
of eduroam-ng sites is implemented as a combination of technical and legal components. The legal
components build the trust between the members of the federation by specifying the responsibilities, obligations
and liability of the respective members. This set of agreements between the members of the federation is
commonly called the federation document. As a separate deliverable a federation document will be produced
that contains the following items:

• Purpose of the federation

• Federation scope

• Joining requirements

• eduroam-ng policy authority, policy change procedures and possible sanctions

• Minimal security requirements

• Minimal service for all levels of the infrastructure

The federation document will be published in a separate document/deliverable.

4 Conclusion
The "Roaming Policy and legal Framework Document Part 1" provides the legislation overview for 11 countries
and some basic rules to be obeyed when providing a roaming service. The national contributions in the
appendix have been provided taking into account legal advice in the NRENs. But even where lawyers have
been involved in collecting input for this document, it must be stated that the majority of the people contributing
come from a technical background and are not experts in the legal area. Therefore it might be wise to update
this paper after some time, permitting more feedback from experts on these issues. We also see the necessity to
provide a more detailed description and guidelines for the involved partners, service specifications and other
technical recommendations. This will be done in Part 2 of this document, which is planned to be provided in
year 2 of the project. We expect that both document parts together will give a sufficient umbrella for a
roaming service and a good platform for the harmonisation with "eduroamers" around the world. The described
problems can be projected from the roaming infrastructures to eduGAIN and should be reflected at a later stage
when the AAI is approaching a more service-oriented level.

Appendix A National Contributions (full versions)

A.1 ARNES, Slovenia

DATA PROTECTION AND PRIVACY REGULATIONS

Protection of Personal Data is listed among Human Rights and Fundamental Freedoms in the Constitution of
the Republic of Slovenia.

The 38th Article of The Constitution of the Republic of Slovenia [1] states:

The protection of personal data shall be guaranteed. The use of personal data contrary to the purpose for
which it was collected is prohibited.

The collection, processing, designated use, supervision and protection of the confidentiality of personal data
shall be provided by law. Everyone has the right of access to the collected personal data that relates to him and
the right to judicial protection in the event of any abuse of such data.

The Personal Data Protection Act of the Republic of Slovenia [2] has been enforced on the 1st of January 2005
and has been harmonized with EU Directive 95/46/EC.

This Act determines the rights, responsibilities, principles and measures to prevent unconstitutional, unlawful
and unjustified encroachments on the privacy and dignity of an individual (hereinafter: individual) in the
processing of personal data. It also defines the National Supervisory Body for Protection of Personal Data.

The Personal Data Protection Act of the Republic of Slovenia follows three main principles:

1. Principle of lawfulness and fairness which determines that Personal data shall be processed lawfully
and fairly.

2. Principle of proportionality which states that personal data that is being processed must be adequate
and in their extent appropriate in relation to the purposes for which they are collected and further
processed.

3. Prohibition of discrimination which states that the protection of personal data shall be guaranteed to
every individual irrespective of nationality, race, colour, religious belief, ethnicity, sex, language,
political or other belief, sexual orientation, material standing, birth, education, social position,
citizenship, place or type of residence or any other personal circumstance.

Personal data, according to the Personal Data Protection Act, is any data relating to an individual,
irrespective of the form in which it is expressed. Personal data may only be processed if there is a provision for
this by statute, or if the personal consent of the individual has been given for the processing of certain personal
data.

This rule is even more restrictive for sensitive personal data, as it may only be processed if the individual has
given explicit personal consent for this. Such consent as a rule must be in writing, and for the organisations in
the public sector provided by statute. There are only a few exemptions from this rule. Arnes is considered as
part of the public sector but does not collect any sensitive personal data.

Sensitive personal data is data on racial, national or ethnic origin, political, religious or philosophical beliefs,
trade union membership, health status, sexual life, the entry in or removal from criminal record or records of
minor offences that are kept on the basis of a statute that regulates minor offences (hereinafter: minor offence
records). Biometric characteristics are also sensitive personal data if their use makes it possible to identify an
individual in connection with any of the aforementioned circumstances.

Sensitive personal data must, during processing, be specially marked and protected, such that access to it by
unauthorised persons is prevented. In my opinion, for the Personal Data Protection Act to be effective it will
need some changing for the future.

Another Act that considers data protection and privacy regulations is the Electronic Communications Act [3].
This Act refers only to an “Operator” which provides a public communications network or publicly available
communications services. Since Arnes is a closed network operator, it doesn't classify as an “Operator” and
this law doesn't apply to us. However we do our best to work in accord with all the provisions of this Act.

We collect the following data on our users:

1. full name or title of user and their organisational form;

2. personal registration number (EMSO);

3. phone number;

4. address of the user;

5. user name of the user;

6. affiliation of the user;

7. tax number for natural persons, and tax and registration numbers for legal entities.

The new modification of the Electronic Communications Act forbids the collection of personal registration
numbers, so Arnes will probably stop requiring this data. The data collected may only be used for the purposes
described in Arnes' internal policies, which are based on the relevant laws. Our internal policy also dictates
that personal data must be stored only as long as it is needed for the fulfilment of the purpose for which it
was collected. Finally, I would like to stress the fact that, at the moment, Arnes only establishes eduroam
connections between organisations, and they are the ones that collect and store any personal data. This,
however, will be changed in the future.

Reference:

[1] http://www.oefre.unibe.ch/law/icl/si00000_.html

[2] Unofficial translation can be obtained by request from rok.papez@arnes.si

[3] http://mid.gov.si/mid/mid.nsf/V/KA0E6FADE1BF5BBFAC1256EA50054D399/$file/Electronic_Communicatios_Act_May04.pdf

A.2 CARNet, Croatia

At this moment CARNet doesn't have an explicit roaming policy, but we have an internal act about Acceptable
Use of CARNet Network (http://www.carnet.hr/crepozitorij/CDA0035.pdf - at this moment we have only a Croatian
version of this document, but we will have an English translation very soon).

The laws of the Republic of Croatia are published in Narodne novine (www.nn.hr - Croatian only), the official
journal of the Republic of Croatia. The laws relevant for JRA5 are:

1. Personal Data Protection Act (Zakon o zaštiti osobnih podataka), 18.06.2003. -
http://www.nn.hr/clanci/sluzbeno/2003/1364.htm - in Croatian

2. Electronic Signature Act (Zakon o elektroničkom potpisu), 24.01.2002. -
http://www.nn.hr/clanci/sluzbeno/2002/0242.htm - in Croatian

3. The Telecommunication Act (Zakon o telekomunikacijama), 21.07.2003. -
http://www.nn.hr/clanci/sluzbeno/2003/1731.htm - in Croatian

4. Public Information Access Act (Zakon o pravu pristupa informacijama), 21.10.2003. -
http://www.nn.hr/clanci/sluzbeno/2003/2491.htm - in Croatian

5. Electronic Commerce Act (Zakon o elektroničkoj trgovini), 21.10.2003. -
http://www.nn.hr/clanci/sluzbeno/2003/2504.htm - in Croatian,
http://www.azop.hr/DOWNLOAD/2005/02/16/Croatian_Act_on_Personal_Data_Protection.pdf - in English

The most important law for the JRA5 is the Personal Data Protection Act of the Republic of Croatia.
Fundamentals of Personal Data Protection Act have come from the Constitution of Republic of Croatia and the
Act is harmonized with EU Directive 95/46/EC.

The 37th Article of the Constitution of the Republic of Croatia states
(http://www.sabor.hr/DOWNLOAD/2003/05/19/Constitution.pdf - in English):

"Everyone shall be guaranteed the safety and secrecy of personal data. Without consent from the person
concerned, personal data may be collected, processed and used only under conditions specified by law.
Protection of data and supervision of the work of information systems in the State shall be regulated by law.
The use of personal data contrary to the purpose of their collection shall be prohibited."

The Personal Data Protection Act determines supervision of the collecting, processing and using of personal data
in the Republic of Croatia, where personal data is any data relating to an individual. The Act establishes the
Croatian Personal Data Protection Agency (http://www.azop.hr/). The activity of the Agency is carrying out
administrative and professional tasks regarding personal data protection. Within the framework of its public
tasks, the Agency:

• supervises implementation of personal data protection,

• indicates the violations noted during personal data collecting

• compiles a list of national and international organizations which have adequately regulated personal
data protection,

• resolves requests to determine possible violations of rights guaranteed by the Act and maintains the
Central Register.

The Act also defines:

Personal data processing means any operation or set of operations which is performed upon personal data,
whether or not by automatic means, such as collection, recording, organization, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available,
alignment or combination, blocking, erasure or destruction, as well as the implementation of logical,
mathematical and other operations on such data.

Personal data filing system - means any set of personal data which are accessible according to specific criteria,
centralized, decentralized or dispersed on a functional or geographical basis, regardless of whether it has been
stored in computer personal data bases, in any other form of technical tools or manually.

Personal data filing system controller - means a natural or legal person, state or other body that determines the
purposes and means of the processing of personal data. Where the purposes and means of processing have
been regulated by law, the same law shall designate the personal data filing system controller.

In Croatia we (CARNet and Srce) are currently running the national project aimed to establish and maintain the
AAI for academic and research community (AAI@EduHr; http://www.aaiedu.hr). Currently home institutions (e.g.
CARNet members) are Personal data filing system controllers and they collect individual personal data.

In our opinion, the most important part for JRA5 is part VI of the Act, "Personal Data transfer abroad from the
Republic of Croatia", described in the 13th Article:

"Personal data filing systems or personal data contained in personal data filing systems may be transferred
abroad from the Republic of Croatia for further processing only if the state or the international organization the
personal data is being transferred to have adequately regulated the legal protection of personal data and have
ensured an adequate level of protection.

Prior to transferring personal data abroad from the Republic of Croatia, the personal data filing system
controller shall, in case of reasonable doubt regarding the existence of adequate personal data protection
system, obtain an opinion regarding this issue from the Personal Data Protection Agency."

A.3 CESNET, Czech Republic

Overview of Czech national legislation relevant to data protection

Data protection in the Czech Republic is governed in particular by the Act No. 101/2000 Coll., on the protection
of personal data and partially by the Act No. 151/2000 Coll., on telecommunications. Personal data are also
protected by Penal Code (Act No. 140/1961 Coll.).

The Act No. 101/2000 Coll., on the protection of personal data governs the rights and obligations during
personal data processing and sets out the conditions for transfer of personal data to third countries. Personal
data, as defined by the Act (sec. 4 letter a)), is any information concerning an identified or identifiable data
subject. As a general rule, the processing must be always carried out with the consent of the data subject (sec.
5 par.2). An exception is permitted solely in cases defined by the Act (e.g. when processing is necessary for
compliance with a legal obligation to which the controller is subject, when processing is necessary in order to
protect the vital interests of the data subject or when processing is carried out solely for archive purposes). The
controller determines the purposes and means of the processing of personal data; he may process only
accurate personal data and the data must be adequate, relevant and not excessive in relation to the purposes
for which they are processed (sec. 5 par. 1). Furthermore the Act sets out measures that must be taken in order
to secure the processed personal data.

As for transfer of personal data to third countries, transfer of personal data to the EU countries cannot be
limited (sec. 27 par. 1). The Office for Personal Data Protection supervises the observance of legally mandated
responsibilities in the processing of personal data. A breach of the legally mandated responsibilities may
constitute an offence or an administrative offence, for which a fine up to 10 mil. Kc may be imposed.

According to the Act No. 151/2000 Coll., on telecommunications, all personal data as well as data that are
subject to telecommunication secret have to be deleted or made anonymous after a maximum period of 2
months except where this information is used for identification or investigation of network abuse (sec. 84 par. 7).
Furthermore, persons operating telecommunication services are obliged to notify the relevant authorized bodies
(e.g. bodies responsible for penal proceedings or other bodies authorized by law) of information being
telecommunication secret or personal data (sec. 86 par. 1). For breach of telecommunication secret or duties
concerning the protection of personal or transfer data a fine up to 5 mil. Kc may be imposed, for natural
persons the fine may amount up to 100 000 Kc. The Czech Telecommunication Office supervises the
observance of the above mentioned duties.

Personal data and telecommunication secret are also protected by Penal Code. A person that makes
unauthorized use (tells, makes accessible, processes or appropriates) of personal data in connection with the
execution of public administration may be sentenced to imprisonment of up to 3 years or with a fine or
prohibition of activity (sec.178). A breach of telecommunication secret may constitute a criminal offence
punished by imprisonment of up to 2 years or prohibition of activity (sec.239). A person that gains access to
data carrier and makes unauthorized use of the information carried or destroys, damages, changes or makes
the information unusable or perverts technical or program equipment of a computer or another
telecommunication facility may be sentenced to imprisonment of up to 1 year or with a fine or prohibition of
activity or criminal forfeiture (sec. 257a).

A.4 DFN, Germany

DFN has provided a so-called FAQ list on legal issues for DFNRoaming sites. Answers are based on the
feedback from the "Forschungsstelle Recht (Münster)" according to Germany's telecommunication law.

Which data may a computing centre keep considering the regulations of the relevant data protection acts?

Regulations for the protection of personal data are found in a multiplicity of regulations, among others in the
Federal Law for Data Protection, in the national data protection acts as well as in range-specific regulations.
For the DFNRoaming service in particular, the data protection regulations from the
telecommunications law (TKG) in §§ 91 ff. and from the Teledienstedatenschutzgesetz (TDDSG) are also to be
consulted. According to these, any collection, processing and use of personal data is permitted only if the
person concerned has consented to the procedures or a legal permission exists (the corresponding regulations
are found in §§ 91 ff. TKG and §§ 5 ff. TDDSG).

Inventory data (contract data) may be collected under the TK data protection regulations in § 95 TKG and § 5
Teledienstedatenschutzgesetz (TDDSG) without consent only to the extent that it is necessary for the purpose
of the establishment, content arrangement, change or completion of a contractual relation.

The law permits the collection and use of traffic data (data about the closer circumstances of communication
such as beginning, duration, end, goal or transferred volume of data) insofar as it is necessary for certain purposes
for the operational completion of the telecommunication service achievement (§ 96 Abs. 2 TKG with reference to
§§ 97, 99, 100, 101 TKG). The range of the cognizance for the collection and use is here substantially more
restrictively regulated than with the inventory data.

A consent can take place in writing or, alternatively, electronically (§ 94 TKG), if it is guaranteed that it
is based on a clear and conscious action of the participant, is logged, can be called up at any time and the
participant can recall the consent at any time with effect for the future. The participants must first be informed
about the kind, range, place and purpose of the data acquisition and processing. The explanation must take place
voluntarily; so the contribution of TK services may not in principle be made dependent on the indication of
personal data which are not necessary for the execution of the services and account. Special additional
requirements to the consent are defined in relation to traffic data in § 96 Abs. 4 TKG.

The data must be deleted, at the latest, at the expiration of the respective maximum storage period. The length
results from the respective authorities' standards or from the content of the consent.

Which data must or may a computing centre keep for purposes of a possible prosecution?

There is in principle no obligation to note and keep communication contents and traffic data preventively.
Something else applies only if a judicial resolution directed toward future communication procedures of a
participant is present according to §§ 100a, 100b StPO (communication contents) or §§ 100g, 100h StPO
(traffic data). The data must be recorded, stored in the context of the resolution and handed over to the public
prosecutor's office (investigation authority).

Information on traffic data of the past must be provided if an appropriate judicial resolution is present in
accordance with §§ 100g, 100h code of criminal procedure (StPO) and the data is actually available. The data
might not be available due to the absence of legal permission to store them (§§ 96 ff. TKG) or due to a
missing consent, and therefore the fulfilment of the information request is not possible.

If a computing centre states or get knowledge on the fact that a user used the means of the centre in a criminal
way, it is not advisable to investigate the incident on own responsibility, because the unauthorized collection
and storage of data can represent a criminal offence or infringement of the regulations as well.

Instead as promptly as possible the police or the public prosecutor's office should be informed so that those
can accumulate evidence or determine the further steps of the investigations.

Which changes at the aforementioned principles result from the circumstance that in the case of DFNRoaming
a user is identified by an IP address from the address area of a guest-giving location or a user is identified by
an IP address from the address area from his home institution?

The Roaming provider acts towards these participants as an ACCESS Provider. The same principles apply as
in the case of ACCESS Providing to "own" participants.

A.5 FCCN, Portugal

FCCN, NREN-PT; February, 2005, RELEVANT NATIONAL LEGISLATION CONCERNING ROAMING POLICY

Law nr. 67/98, October 26, 1998 (this act implements Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995) regulates the processing of personal data and states the legal framework on the protection of the data subjects. Law 67/98, October 26, is the main source of Personal Data Protection Law. According to article 10.º of Law nr. 67/98, the controller or his representative shall provide the data subject with the following information:

(a) The identity of the controller and of his representative, if any;

(b) The purposes of the processing;

(c) The data to be processed;

(d) Other information such as:

(i) the recipients or categories of recipients;

(ii) whether replies are obligatory or voluntary, as well as the possible consequences of failure to reply;

(iii) the existence and conditions of the right of access and the right to rectify, provided they are necessary, taking account of the specific circumstances of collection of the data in order to guarantee the data subject that they will be processed fairly.

In addition, the documents supporting the collection of personal data shall contain the information referred to above. However, when dealing with data protection, we must also consider the following acts or regulations: article 35.º of the Portuguese Constitution; Law nr. 68/98, October 26 (determines that the National Commission for the Protection of Personal Data ("CNPD") is the Portuguese representative in the EU, for participation at EUROPOL);

• Law 41/2004, August 16 (personal data and privacy protection in the telecommunications sector - corresponds to Directive 2002/58/CE, July 12);

• Law nr. 109/91, August 17 (Computer Criminal Law); the Portuguese legislator based this law on the guiding principles (minimum list) contained in the Report of the European Committee on Crime Problems of the Council of Europe (1990).

• Law nr. 109/91 prescribes that corporate bodies shall be held criminally liable.

The offences punished therein are, for example: damage to data and programmes, computer-related sabotage, illegitimate access, illegitimate interception of computer systems or networks, illegitimate reproduction of computer programmes. Considering that Internet use may lead to the diffusion of defamatory or libellous content, our Civil and Penal Codes also regulate it. The Penal Code contains the following offences:

• penetrating into privacy (Art. 193),

• computer-related swindle (Art. 221),

• improper use of guarantee or credit cards (Art. 225) and

• guarantee or credit cards levelled to currency (Art. 267, No. 1, subparagraph c)).

Concerning possible offences against one's private life or right of image, see Arts. 79 and 80 of the Civil Code and also Art. 8 of the European Charter of Human Rights.

Although Portuguese procedural law already permits the interception of communications from and to a computer or between computers, Portugal's ratification of the Convention of the Council of Europe on Cyber-crime will require not only that the legally prescribed cyber-offences be revised, but also that procedural measures concerning the powers and means necessary to investigate and find the facts about such infractions be developed, especially those referring to evidence.

Law nr. 5/2004, February, 2004 - Law on Electronic Communications.

This law is aimed at setting up a legal regime applicable to electronic communications networks and services, and to the related resources and services, determining the competences of the corresponding national regulating authority. This law results from the transposition of Directives Nos. 2002/19/CE (access and interconnection of electronic communications networks and related resources - access directive), 2002/20/CE (authorisation of electronic communications services and networks - authorisation directive), 2002/21/CE (common regulating framework for electronic communications services and networks - framework directive), all of the European Parliament and of the Council, of 7 March, and of Directive No. 2002/77/CE of the Commission, of 16 September.

Decree-Law nr. 7/2004, January, 2004, - Portuguese legal framework on electronic commerce (e-commerce).

This decree-law is the result of the transposition of Directive No. 2000/31/EC of the European Parliament and of the Council, of 8 June 2000, and it deals with legal aspects connected with the services of the information society such as electronic contracts, ISP liability and unsolicited commercial emails. Decree-Law nr. 7/2004 also reproduces the basic content of Arts. 12-13 of Directive 2002/58/CE of the European Parliament (Directive on privacy and electronic communications), but only those two articles, which are about unsolicited communications (spam); the remaining articles of the directive were not yet transposed. Basically, Decree-Law nr. 7/2004 establishes that intermediary service providers do not have a general duty to monitor all the information they transmit, store or provide access to. A final note on Chapter III (Arts. 11-19), 'Liability of intermediary service providers', in particular Arts. 14, 15 and 16, which correspond, respectively, to Arts. 12, 13 and 14 of the Directive: 'mere conduit' (Art. 12), 'caching' (Art. 13) and 'hosting' (Art. 14). These are fundamental provisions that cannot be overlooked; however, FCCN is not an ISP, so we are not completely sure that Decree-Law nr. 7/2004 is applicable to our network.

A.6 GRNET, Greece

NTUA/GRNET, Greek legislation synopsis

This document was written for NTUA on behalf of GRNET for their participation in GN2-JRA5.
GN2-JRA5 participant: Spiros Papageorgiou (papage@noc.ntua.gr)

European dimension

The protection of privacy is ensured by Article 8 of the European Convention for the protection of Human Rights and Fundamental Freedoms. It should be underlined that all Member States and the European Union are bound by the provisions of this Convention. Furthermore, the Convention for the protection of individuals with regard to automatic processing of personal data (No 108/1981) was the first legally binding instrument in the data protection field. The Charter of Fundamental Rights of the European Union, signed and proclaimed in Nice on 7 December 2000, provides in Article 7 for the protection of private and family life, home and communication and in Article 8 for the protection of personal data. The new European Constitution also contains articles specifically devoted to data protection and privacy (e.g. I-51), and there are strong indications that the European Union may promote further development in the very near future.

Over the past decade, the European Commission has promoted and/or adopted a number of Directives and Decisions intended to create a legal framework within the European Union that provides strong protection to citizens against the non-consensual, excessive collection, processing or communication of their personal information. In particular, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (the Data Protection Directive) ensures the protection of privacy and private life as well as the protection of personal data with regard to fundamental rights and freedoms of natural persons (Article 1, para. 1), makes reference to specificity and sensitivity of processing of sound and image data (Articles 2(a) and 33 and recitals 14 and 26), and deals in detail with issues linked to data quality (Article 6), criteria for making data processing legitimate (Article 7), processing of special categories of data (Article 8), information to be given to data subjects (Articles 10 and 11), data subject’s right of access to data and right to object to the processing (Articles 12, 14 and 15), safeguards applying in relation to automated individual decisions (Article 15), confidentiality and security of processing operations (Articles 16 and 17), notification of processing operations (Articles 18 and 19), and prior checking of processing operations likely to present specific risks to the rights and freedoms of data subjects (Article 20).

In addition to the general Directive 95/46/EC, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (replacing Directive 97/66/EC) is also relevant. The Universities involved could also take adequate measures in order to implement the so-called principle of moderation in the use of personal data (which is aimed at preventing or reducing, to the greatest possible degree, the processing of personal data). One possible goal is to take additional steps in order to develop privacy-enhancing technologies (PETs). From a regulatory point of view, it could be stressed that the framework principles behind the concept of PETs are laid down in Directive 95/46/EC and especially in Articles 6(1), 17 and Recital 46 of the preamble to the Directive. In particular, Article 6(1) refers to the principle of data minimisation by stating that the processing of personal data should be limited to data that are adequate, relevant and not excessive. This principle is strengthened by the reference that data should only be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Article 17 of the Directive in question requires that controllers implement security measures which are appropriate to the risks presented for personal data in storage or transmission, with a view to protecting personal data against accidental loss, alteration, unauthorised access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. And Recital 46 of the preamble to the Directive underlines the fact that the protection of the rights and freedoms of the individuals with regard to the processing of personal data requires that appropriate technical and organisational measures should be taken, both at the time of the design of the processing system and at the time of the processing itself.

National Data Protection Legislation

The Hellenic Constitution of 1975, as revised in April 2001, contains a set of fundamental rules covering privacy
and the broader right to personality. Furthermore, Greece has constitutional provisions, which deal with respect
for, and the protection of, human value that cannot be waived by the individual. In particular, according to
Article 9A of the Hellenic Constitution, «every individual has the right to be protected from the collection,
processing and use, particularly by electronic means, of personal data, as stipulated by the law». Furthermore,
Article 19 para. 1 of the Constitution provides that «the secrecy of letters and of free correspondence or
communication by any other means is absolutely inviolable (…)». There are two competent regulatory authorities
in Greece: the Hellenic Data Protection Authority and the Hellenic Authority for the Information and
Communication Security and Privacy (ADAE). The mission of the Hellenic Data Protection Authority (which has
the status of an Independent Administrative Authority) is to supervise the implementation of Law 2472/97 and
the totality of regulations pertaining to the protection of the individual with respect to the processing of personal
data. The Authority’s aim is to promote: respect of and protection as regards the rights of the individual and the
state of democracy; mutual cooperation between the individual and public administration/private enterprises;
action of preventive, suppressive and corrective character in the field of personal data protection. The Hellenic
Authority for the Information and Communication Security and Privacy (ADAE) has been established under
article 1 of the law 3115/2003, following the guidelines set in paragraph 2 of the article 19 of the Greek
Constitution, in order to protect the secrecy of mailing, the free correspondence or communication in any
possible way as well as the security of networks and information. The concept of privacy encompasses the
control of observing and regulating the terms and processes of waiving of privacy protection rights as foreseen
by the law. The main legal instrument of national law relating to data protection issues is Law 2472/97 on the
protection of individuals with respect to the processing of personal data. This Law implements Directive
95/46/EC.

• Law 2225/94, as amended by Law 3115/2003, covers mainly the procedures that have to be followed
concerning the security and privacy of communication.

• Law 2774/99 relates to the processing and the protection of personal data in the telecommunications
sector (implementing Directive 97/66/EC, as amended by Directive 2002/58/EC).

The relevant law on electronic communications (which implements the Framework, Access, Authorisation, and
Data Protection Directives in the electronic communications sector) is not yet in force. For the purposes of
Law 2472/97, and in particular article 2, "processing of personal data" ("processing") shall mean any operation
or set of operations which is performed upon personal data by Public Administration or by a public law entity or
private law entity or an association or a natural person, whether or not by automatic means, such as collection,
recording, organisation, preservation or storage, modification, retrieval, use, disclosure by transmission,
dissemination or otherwise making available, correlation or combination, interconnection, blocking (locking),
erasure or destruction.

Furthermore, according to article 4 para. 1 of Law 2472/97, personal data, in order to be lawfully processed,
must be, inter alia, collected fairly and lawfully for specific, explicit and legitimate
purposes and fairly and lawfully processed in view of such purposes; adequate, relevant and not excessive in
relation to the purposes for which they are processed at any given time; accurate and, where necessary, kept
up to date. Moreover, in line with article 5 para. 1 of Law 2472/97, processing of personal data will be permitted
only when the data subject has given his/her consent. Exceptionally, as mentioned below, data may be
processed even without such consent, only under the conditions of article 5 para. 2 of Law 2472/97. In addition,
with regard to administrative sanctions, article 21 para. 1 of Law 2472/97 provides that the Data Protection
Authority may impose on the Controllers or on their representatives, if any, the following administrative
sanctions for breach of their duties arising from this law as well as from any other regulation on the protection of
individuals from the processing of personal data: a warning with an order for the violation to cease within a
specified time limit; a fine amounting between three hundred thousand Drachmas (around 900 euros) and fifty
million Drachmas (around 150,000 euros); a temporary revocation of the permit; a definitive revocation of the
permit; the destruction of the file or a ban of the processing and the destruction of the relevant data.

According to the Data Protection Authority of Greece, the monitoring and registration of websites visited by
users and the access to data saved on their computers constitutes processing of personal data in the sense of
article 2 paragraph (d) of Law 2472/97. This processing cannot be considered to be lawful in case it takes place
without the consent of the data subject and does not fall under any of the exemptions laid down in article 5,
para. 2 of this Law.

Indeed, processing of personal data can be permitted only when the data subject has given his/her consent, as
provided in article 5 para. 1 of Law 2472/97. Exceptionally, data may be processed even without such consent,
only if, in accordance with article 5 para. 2 of Law 2472/97, processing is necessary for the execution of a
contract to which the data subject is party or in order to take steps at the request of the data subject prior to
entering into a contract; processing is necessary for the compliance with a legal obligation to which the
Controller is subject; processing is necessary in order to protect the vital interests of the data subject, if he is
physically or legally incapable of giving his consent; processing is necessary for the performance of a task
carried out in the public interest or a project carried out in the exercise of public function by a public authority or
assigned by it to the Controller or a third party to whom such data are communicated; processing is absolutely
necessary for the purposes of a legitimate interest pursued by the Controller or a third party or third parties to
whom the data are communicated and on condition that such a legitimate interest evidently prevails over the
rights and interests of the persons to whom the data refer and that their fundamental freedoms are not affected.
Furthermore, as already mentioned, and in line with article 4 of Law 2472/97, personal data, in order to be
lawfully processed, must be adequate, relevant and not excessive in relation to the purposes for which they are
processed at any given time.

In those cases where data collection and processing related to users’ visits to websites occurs, even if it is
performed exclusively for statistical purposes, it constitutes a violation of the principle of proportionality, as
established in article 4 para.1(b) of Law 2472/97, in cases where the data collected is more than required for
the intended purpose. Besides, in accordance with article E para. 5 of the Directive 115/2001 of the Data
Protection Authority, the principles of purpose and proportionality, as these are established by law and
interpreted by the Authority, permit only a case by case and exceptional collection and processing of such data
and on the condition that such acts are founded on an evidently superior lawful interest of the controller (article
5 para. 2e of Law 2472/97).

The principle of proportionality also results in the prohibition of the general, systematic and preemptive
collection and registration of data related to the usage of the Internet. In particular, according to article E para. 4
of the directive 115/2001 of the Data Protection Authority of Greece, general communication, including
electronic mail, data collection and processing is allowed only when it is absolutely necessary for the
organization and control toward performing a specific task or a work cycle and, especially, expenditure control.
Communication data recorded have to be limited to those absolutely necessary and relevant for the
achievement of these purposes. In no case is it permitted to record or process the whole number called or the
totality of communication data or their content information. It should be stressed that content information may
only be collected following permission of a judicial authority and on the condition that collection is imposed for
reasons of national security or for verifying particularly serious crimes (Article 19 of the Greek Constitution, Law
2225/1994 as amended by Law 3115/2003).

In general, therefore, the access and registration of websites and/or other elements of electronic
communication (e.g. email) is illegal, and such data may not be used for the control of the behaviour of users.
As far as declassification is concerned, it should be noted that the provisions of article 19 of the Greek
Constitution, in combination with the provisions of articles 3 and 4 of Law 2225/94, lead to the conclusion that
the only competent bodies for declassification of communications performed in any manner are the Judicial
Council or the Prosecutor (in case of extreme emergency) and only in order to ascertain particularly serious
crimes expressly stipulated by law or for reasons of national security. Therefore, a prior Order of the Prosecutor
is required.

In addition, in line with article 7.2 (c) of Law 2472/97, exceptionally, the collection and processing of sensitive
data, as well as the establishment and operation of the relevant file, will be permitted by the Personal Data
Protection Authority of Greece, when processing is necessary for the establishment or exercise or defence of
his/her rights in court or disciplinary body.

In this case, it is reasonable that the permit from the competent Authority may only be given to the controller,
the only person entitled to ask for the permit. If the complainant is not the controller, the Data
Protection Authority encourages him to submit a request to the corresponding controller in order for the lawful
procedure to be followed. In any other case, the Authority does not issue a permit but an opinion concerning
whether data transfer is lawful or not. On the basis of the principle of proportionality, provisions of article 7.2 (c)
apply in proportion to non-sensitive personal data, the only difference being that, in this case, a permit from the
Data Protection Authority is not required, but it is possible to ask for a decision or a relevant opinion.

That is, exceptionally, the collection and processing of non-sensitive data is permitted by the Authority for the
establishment or exercise or defence of a right in court. The corresponding controller is responsible to decide
whether law requirements are met and, more specifically, whether data are indeed asked for in order to be
used in court and whether they are relevant to the case under dispute. In this case, the controller may ask for
the Personal Data Protection Authority’s opinion. If the complainant is not the controller, the Authority in
question encourages him to submit a request to the corresponding controller who, in turn, is under the
obligation to justify the transfer of data as well as his/her possible refusal to grant the request.

When personal data are produced before a judicial or public prosecutor’s authority and are included in the case
file or constitute part of a pre-trial or formal investigation, they are dealt with according to the following distinctions:

• Concerning personal data included in the case file or concerning material of a pre-trial/formal
investigation, the Personal Data Protection Authority is not competent because the case file of
a pending trial and, by proportion, material of a pre-trial/formal investigation, does not constitute a file
according to the provisions of Law 2472/97.

• Concerning the legitimacy of personal data collection and their use when a trial is pending or when a
pre-trial/formal investigation is taking place, the judicial officer or the public prosecutor is competent to
judge, within the evaluation framework of the evidence or the investigation material, especially given
that the right to protection of the individual’s personal data is now also constitutionally consolidated in
Article 9 A of the Greek Constitution.

The above also applies in the case of a public prosecutor’s order, in which the competent public prosecutor
applies the relevant law provisions in order for the order to be issued. In consequence, the person whom the
public prosecutor addresses has to comply with the said order. The addressing of all the above issues
requires careful examination of the policy to be finally adopted. It is recommended to draft a relevant agreement
to be signed by all universities that will participate in the said program, for the purpose of the efficient operation
of the whole project.

This is useful especially for those cases where divergences exist between the relevant national laws, i.e. there
is a difference in levels of data protection afforded in the countries that participate in this project due to the
existence of a wide variety of national laws, regulations and administrative provisions.

We also assume that before a user visits another University, he has signed a relevant form in which he states
that he shall behave according to the provisions and regulations of the University that he intends to visit and is
informed that he is subjected to the laws of that country. Therefore, the user obtains access only if he has been
informed on and has accepted the “Policy of Accepted Use and Internet Use Security Policy”. This document
must be clear and the Universities have to exchange views and comments on such drafts for the purpose of
legal security. Furthermore the Universities should define in this document the consequences for users in case
of non-compliance with the relevant provisions.

Additionally, Universities should not collect and process data that are generally related to electronic
communications (which include, inter alia, emails), unless this is absolutely necessary. More specifically, the
registered data of communication should be limited to those which are absolutely necessary and appropriate for
the aim pursued. Under no circumstances should the processing of the total number or the total data of communication
or part of their content be allowed.

A.7 ISTF, Bulgaria


We don’t have an explicit roaming policy. A general Acceptable Use Policy is available at
http://www.ist.bg/en/aup.htm

Relevant Laws:
1. Personal Data Protection Act of Bulgaria, effective as of January 1, 2002
http://grao.government.bg/zakoni/zzld-1.html (in Bulgarian)
2. The Telecommunication Act, effective as of October 7, 2003,
http://www.mrrb.government.bg/docs/doc_319.doc (in Bulgarian)
3. Electronic Documents and Electronic Signature Act, effective as of October 7, 2001,
http://www.mi.government.bg/norm/laws.html?id=23237 (in Bulgarian)
4. Classified Information Protection Act, effective as of April, 2002
5. Public Information Access Act, effective as of January 1, 2002,
http://www.mi.government.bg/norm/laws.html?id=42854 (in Bulgarian)
6. Some texts from the Constitution http://www.parliament.bg/?page=const&lng=en (in English)

We think the most relevant to JRA5 is the Personal Data Protection Act. According to it, only registered
“Personal data administrators” could gather, record and process personal data. For more details please see
below.

An excerpt from the Constitution:

“According to the CONSTITUTION OF THE REPUBLIC OF BULGARIA from. SG. 56/13 Jul 1991, amend. SG.
85/26 Sep 2003 in Chapter Two FUNDAMENTAL RIGHTS AND OBLIGATIONS OF CITIZENS the privacy
of citizens is inviolable. Everyone is entitled to protection against any illegal interference in his private or family
affairs and against encroachments on his honor, dignity and reputation. Everyone is entitled to seek, obtain and
disseminate information but this right shall not be exercised to the detriment of the rights and reputation of
others, or to the detriment of national security, public order, public health and morality.”

Personal Data Protection Act

"Personal data" means any information for an individual, disclosing his/her physical, psychological, mental,
family, financial, cultural, or public identity.

Personal data administrator is a public authority or natural or legal person authorized to specify the type of the
data processed, the purpose of processing, and the methods of processing and of protection. The process of
protection of individuals with regard to the processing of personal data and the access to such data is regulated
by the Personal Data Protection Act of Bulgaria, which is effective as of 1 January 2002.

The purpose of the Act is to ensure the inviolability of person and personal life by protecting individuals from illegal processing of their personal data, and to regulate the access to such data while they are being collected and processed. The protection of personal data is provided through the implementation of the rights of the citizens, as laid down by the Personal Data Protection Act. Every individual has the following rights:

• the right of consent for the processing of personal data that relate to him/her;
• the right of information about the purposes and means of processing, the recipients to whom the data
may be disclosed, the scope of data usage, the name and address of the administrator;
• the right to require access, correction and updating of the gathered data that relate to him/her;
• the right to require from the personal data administrator to confirm the existence of personal data
related to him/her;
• the right to require from the personal data administrator to delete, to transfer into anonymous data or to
block data processing where it is illegitimately done, and where the data are not necessary for the
purposes for which they are processed;
• the right to object before the administrator against unlawful processing of personal data that relate to
him/her;
• the right to prohibit the entire or partial disclosure of his/her personal data to the administrator, which
are meant to be used for purposes of trade, advertising, or marketing;
• the right of grievance in cases of violation of his/her rights by approaching the Commission for the
protection of personal data.

A.8 REDIRIS, Spain

This report is an outline of the main legal concepts and regulation that RedIRIS should take into account when
setting up a roaming service in the context of the eduroam and GÉANT2 projects.

PERSONAL DATA PROTECTION

References:

- Ley Orgánica 15/1999, de 13 de diciembre, de Protección de datos de carácter personal (LOPD): Spanish
Personal Data Protection Act.

- Ley 34/2002, de , de Servicios de la Sociedad de la Información y de Comercio Electrónico (LSSICE):
Information Society Services and Electronic Commerce Act.

- R.D. 994/1999, de 11 de junio, por el que se aprueba el Reglamento de Medidas de Seguridad de los
ficheros automatizados que contengan datos de carácter personal (RMD): Regulation of Security Measures of
automated Personal Data files.

- Report 327/2003 of the Spanish Agency of Data Protection on whether IP addresses are personal data.

There are two different sets of data in the roaming system that may contain personal data: on one hand the
information provided by the home institution and contained in the credentials and, on the other hand, the logs
that must be kept on authenticated sessions and network access sessions.

In either case, the guest user must provide express consent to the use of the personal data (art. 6 LOPD).
Besides, the guest user must be provided with information about the personal data file (art. 5 LOPD): data to be
processed, purpose of the processing, controller of the file, persons to whom the data will be provided, whether
the data is compulsory, the consequences of not providing the data and the rights

Furthermore, the files must be protected with security measures, which are set out in detail in RMD. The data
included in the credentials should require only basic security measures (art. 4.1 RMD).

However, the logs of authenticated and network access sessions may require different security measures.
According to Report 327/2003, the controller of a file must treat IP addresses as personal data when there is a
possibility to link the IP address with a certain person. Therefore, the access logs must be considered personal
data files.

Besides, Report 327/2003 explains that if the IP address is related to certain data, such as the web pages
accessed from that IP address, that allow a profile of a certain person to be created, the data should be protected
by higher security measures (art. 4.4 RMD). These extra security measures can be costly (for example, they
include an audit every two years). Therefore, unless there is a clear reason to record data about the activities of
an IP address, it should not be done.

On top of the regulation of personal data files, LSSICE requires ISPs to maintain a log of the traffic data (art. 12
LSSICE) for 12 months. This log should be handed to Judges, the prosecutor office upon request and to the
Police in certain circumstances. This duty requires further regulation which is still not forthcoming, therefore the
extent of this requirement is still unclear. It is also debatable whether Universities are to be considered ISPs.

LOPD also provides a list of authorities who can request access to personal data (art. 11.2 LOPD).

NETWORK SERVICES

Whether a guest user can use certain services provided by the visited University or by third-parties through the
local network (such as access to electronic magazines) will depend on the nature of the service and the
existing contracts with third-parties.

USE OF NETWORK ACCESS

References:

- Ley Orgánica 10/1995, de 23 noviembre, que aprueba el Código Penal (Penal code).

- LSSICE

Besides the users' policy of the home and visited universities, the guest user must be aware that the LSSICE
regulates certain activities related to the provision of Information Society Services and electronic commerce, such
as electronic contracting.

Furthermore, the Spanish Penal code sets out a number of punishable acts related to computer and
network usage, for example:

- Illegitimate access to a telecommunications terminal when this causes harm to the owner (art. 256
Penal Code)

- Discovering secrets (art. 197 Penal Code).

- Infringement of copyright for a commercial purpose and when it harms a third party (arts. 270 et seq.)

A.9 RESTENA, Luxembourg

Overview of national data protection legislation in Luxembourg

The current data protection law is an implementation of European Union directive 95/46/EC. It is called
“Protection des personnes à l'égard du traitement des données à caractère personnel” [1], issued on 2 August
2002. A non-official English translation is available at the data protection committee's home page [2]. Although
it implements the aforementioned directive, its content goes a lot further than what is required by the directive.

The most outstanding feature is the requirement of reporting the usage of all information that can be associated
with a person: whenever a company wants to store information that can be uniquely traced back to a person, it
first needs to register with the national data protection committee [3] which type of data it wants to collect. The
committee will register and file the request (it does not, however, actively check whether the data that is gathered by
the company really is required by them). In any case the company is required to inform its customer about the
type, purpose and amount of data that is stored, and the customer must declare consent before the data may
actually be stored. In case of a suspected misuse of collected data the committee will step in and investigate
the issue.

The reporting requirement generates a significant work overhead for both this committee and all companies
that handle personal data. Fortunately, the law allows this stringent policy to be eased. Following a by-law of the
Grand Duke in December 2004 that enables articles 12 (3)(a) and 40 of the law of 2 August 2002, it is now possible
for companies to declare an external person or entity as data protection officer. This person needs to have
special qualifications as defined in article 40 and must be approved by the committee. After that, this person is
solely responsible for the handling of data. This person or entity still needs to report the usage of data to the
committee.

EU directive 2002/58/EC, which deals with data protection in electronic communication, is not yet implemented
but is in a draft state. The current draft is publicly available [4]. It is expected that this new law will further ease the
burden by leaving out the requirement to report the usage of all data to the committee. However, there is no
specific date by which this law should be finished (the current draft is from 2003). A law that regulates the terms
open vs. closed network does not exist yet but is in a late draft state and is expected to be finished in May 2005.
The current legal position is that RESTENA is classified as a communications operator (this term is more or
less equal to the commonly used term “telco”), mainly because we are communicating via fiber lines with
external entities and because we are operating the Luxembourg Internet Exchange for commercial providers.

[1] http://www.etat.lu/memorial/memorial/a/2002/a0911308.pdf

[2] http://www.cnpd.lu/loi_langue_anglaise.pdf

[3] http://www.cnpd.lu/

[4] http://www.cnpd.lu/projet_de_loi_5181.pdf

A.10 SURFnet, The Netherlands

The Netherlands points out that traffic data is a subject of concern due to certain user storage regulations
(Directive 2002/58/EC, recital 15): "A communication may include any naming, numbering or addressing
information provided by the sender of a communication or the user of a connection to carry out the
communication. Traffic data may include any translation of this information by the network over which the
communication is transmitted for the purpose of carrying out the transmission. Traffic data may, inter alia,
consist of data referring to the routing, duration, time or volume of a communication, to the protocol used, to the
location of the terminal equipment of the sender or recipient, to the network on which the communication
originates or terminates, to the beginning, end or duration of a connection. They may also consist of the format
in which the communication is conveyed by the network".

Regarding data transfers to third countries, an independent body in which all European data protection
authorities are represented (the Article 29 Working Party) has produced a paper on the acceptable level of
protection (Transfers of personal data to third countries; Applying Articles 25 and 26 of the EU data protection
directive). Its basic contents are:

• Purpose limitation principle: data should be processed for a specific purpose and subsequently used or
further communicated only insofar as this is not incompatible with the purpose of the transfer.

• Data quality and proportionality principle: data should be accurate and, where necessary, kept up to
date. The data should be adequate, relevant and not excessive in relation to the purposes for which
they are transferred or further processed.

• Transparency principle: individuals should be provided with information as to the purpose of the
processing and the identity of the data controller in the third country and other information insofar as
this is necessary to ensure fairness.

• Security principle: technical and organizational measures should be taken by the data controller that
are appropriate to the risks presented by the processing.

• Rights of access, rectification and opposition: the data subject should have the right to obtain a copy of
all data relating to him/her that are processed and a right to rectification of those data that are shown to
be inaccurate. In certain circumstances he/she should also be able to object to the processing of the
data relating to him/her.

• Restrictions on onwards transfers to non-parties to the contract: further transfers of the personal data
by the recipient of the original data transfer should be permitted only where the second recipient (the
recipient of the onward transfer) is subject to rules affording an adequate level of protection.

A.11 SWITCH, Switzerland

Switzerland's legal framework

1. Summary

1.1. Overview of relevant legislation

For the data protection issues the Federal data protection Act and the different cantonal data protection acts
apply. For civil liability issues, the relevant cantonal legislation applies and for lawful interception topics the
Federal law of interception in the telecom traffic applies.

1.2. Open versus closed networks

Although SWITCH is a different legal entity from the Institutions, SWITCH does not provide a service to a third
party and therefore does not qualify as a TSP.

2. Introduction and facts of case

The following legal opinion is based on the facts of the case as defined in the Documentation on the GÉANT2
Roaming Requirements (Deliverable DJ5.1.2, Version dated 14.6.2005). It is understood that the Home
Institution (HI) delivers only a YES/NO answer as to whether the user belongs to the HI or not, but no attributes
(option 1). If attributes were delivered this would be option 2.

3. Overview of relevant legislation

3.1. Main legal issues

The facts of the case concern three legal issues: data protection (i), civil liability in case of abuse (ii) and lawful
interception (iii).

i) When transferring an answer from the HI to the Resource Institution (RI), data protection is an issue.
The question is whether a yes/no answer (option 1) or an answer with attributes (option 2) is to be qualified
as personal data under Swiss data protection law and, if so, under what legal conditions the transfer
can be made.

ii) If the user who is logged in to the resource of the RI abuses the resources, who is liable for the damage
if the user cannot be caught? The RI or the HI?

iii) When the general prosecutor requests data or real-time interception, the question is what data has to
be logged by whom.

3.2. Data protection

Switzerland is not a member of the EU and therefore does not follow the respective EU data protection directive
(see Appendix A). Swiss data protection law is nonetheless very similar to EU data protection law. As data
protection is not a federal duty, the cantons have their own data protection laws, which apply to the respective
universities, except for the Federal Polytechnic Schools, which are subject to Federal data protection law. In any
case, the principles of what is personal data and how data may be processed are more or less the same.

If the credential is an anonymous one such as a matriculation number, the credential itself is not personal data.
If a personalised e-mail address is used as a credential (as is planned for RADIUS), it qualifies as
personal data as such and can be processed according to Swiss law only as long as necessary (e.g. when a Swiss
Institution is the RI). The authentication of a user by his HI by yes/no (option 1) is not personal data as such and
therefore data protection law is irrelevant. But when the Swiss HI sends attributes together with a personalized
e-mail address (option 2) to the RI, Swiss data protection law applies. In that case the export of personal data to
foreign countries is only allowed when the protection of personal data is equivalent to the Swiss regulation. This
is the case for most EU Member States, except for companies' personal data (e.g. scientific spin-off companies).

Nonetheless, transparency and consent of the user would prevent any further problems. It would therefore be
wise to inform the user which data about him are transferred from his HI to the RI and processed, and to ask for
his consent.

If consent of the user is not obtained, a legal basis for the processing of the data is needed in Switzerland. This
legal basis may already be given by cantonal law but has to be checked by the Institutions themselves.

3.3. Civil liability in case of abuse

The Institutions should regulate who will be liable for misuse of the resource if the user cannot be identified. It
is not feasible for all Institutions to conclude agreements with other Institutions for this purpose, but they could
agree to stick to a common policy.

3.4. Lawful interception

Lawful interception is a topic for the Institutions in Switzerland only if they provide e-mail account services or
mobile telephone services to third parties. Providing network connectivity or access to resources does not in
general oblige the Institutions to make real-time interception available to the general prosecutor. Nonetheless,
Institutions have to grant the general prosecutor access so that he can intercept in real time.

As long as the Institution does not qualify as Telecom Service Provider (TSP), law requires no data logs. See
the qualification as TSP under para. 4.

4. Open versus closed networks

When an Institution provides telecom services to third parties, it qualifies as a TSP. (Exchange) students,
employees, scholars and visitors are not third parties but rather form a closed user group, which is why most
Institutions are not TSPs. But alumni and spin-off companies, for example, are qualified under Swiss
telecommunication law as third parties, which is why Institutions have to be careful not to open their user group.

From the point of view of SWITCH, which is a foundation under private law of the Swiss Federation and the
eight university cantons, the NREN services SWITCH provides are limited to the Institutions. Although SWITCH is
a different legal entity from the Institutions, SWITCH does not provide a service to a third party and therefore
does not qualify as a TSP.

Nicole Beranek Zanon, Legal Counsel SWITCH, Attorney-at-Law, June 29, 2005
