[Owasp-leaders] 6 things you need to know about the new EU privacy framework

Ludovic Petit ludovic.petit at owasp.org
Mon Feb 11 08:53:31 UTC 2013


Hi All,

More inputs further to my initial post about EU Cybersecurity available at:
http://www.donneespersonnelles.fr/6-things-you-need-to-know-about-the-new-eu-privacy-framework


The European Commission announced a new proposal for the Directive 95/46 on
“the protection of individuals with regard to the processing of personal
data”.
...

These challenges led *the European Commission* to *propose a new
legislative framework*.

6 things you need to know about the new EU privacy framework
http://www.donneespersonnelles.fr/6-things-you-need-to-know-about-the-new-eu-privacy-framework

Commission proposes a comprehensive reform of the data protection rules
http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm

The EU Data Protection Reform 2012
http://europa.eu/rapid/press-release_SPEECH-12-26_en.htm?locale=en

Last but not least, the 2% annual turnover fine (slide 59 below) mentioned
in Art. 79 - Penalties of the upcoming European Decree was set at
5% in the first draft... and the information I have from the legal
ecosystem via lawyers says that it is not excluded that the final document
will mention 5% again.


Ludovic

---------- Forwarded message ----------
From: Ludovic Petit <ludovic.petit at owasp.org>
Date: 9 February 2013 18:33
Subject: Developers, Software makers held liable for code?
To: Owasp Leaders <owasp-leaders at lists.owasp.org>


Hey, I'm back on stage

After having thrown a stone in the water, I'll try to surf the waves ;-)

Well, in order for you to have a better understanding of what I'm talking
about, I would suggest taking a look at a couple of slides in my
presentation given at our Chapter Meeting. On the wiki, page OWASP
France, section Chapter Meeting 2013.

https://www.owasp.org/images/2/2a/Chapter_Meeting_OWASP_France_-_7_Feb_2013.pdf

See slides 57-60, and 62-67 as reference.

Talking about *Evolution of the Legal Framework - Developers, Software
makers held liable for code?*, and the *Draft European regulation*:

Notify the national supervisory authority of violations of personal data
(Art. 30):
- everyone is concerned
- without undue delay
- if possible within 24 hours at the latest
- justification if more than 24 hours

Caution: The obligation also applies to subcontractors
- The contractor must notify the controller of any violation he knows of

The notification describes:
- nature of the data, number of people involved
- point of contact (person, contact details)
- mitigations
- consequences of the violation
- measures that have been taken to remedy

This was also argued at the Chapter Meeting by/with a friend of mine,
Thiébaut Devergranne, Lawyer.
The slide deck (in French, sorry) is available on his web site:

*Données personnelles : le nouveau projet de règlement européen*
http://www.donneespersonnelles.fr/donnees-personnelles-le-nouveau-projet-de-reglement-europeen

I have discussed the topic with other lawyers specialized in ICT, and all
of them are saying that developers and software makers are liable for
code, and could be (really) held liable in case of hacking via an
application they've coded / supplied.

That's why, although legal aspects are neither the specialty nor the
purpose of the Foundation, it seemed important and interesting to me to do
this post, just for information for my peers at OWASP.

Indeed, and I personally fully agree in advance with all of you guys about
this first feeling, I do not think the developer as a person should be held
responsible, but from a legal standpoint, when hacking occurs, the
developer's responsibility is engaged because he is recognized, again from
a legal standpoint, as a subject-matter expert, and as such has a duty to
advise as well.

As we can see, this is a hot and complex topic, and I do not wish to be the
devil's advocate, so don't shoot the pianist please ;-)

Anyway, to keep it short - and this is my initial intent through this
(boring?) post - regulators tend to reinforce most legal frameworks to
focus on data privacy... through existing and evolving regulation, and this
is why I would modestly suggest keeping in the loop on such legal
evolution, because nowadays the legal framework rules the technical means
required to be compliant.

Last but not least, take a look at the Call for Presentations for SnowFROC
2013 from Mark Major; a pity I can't make it:

*Legal track*

   - Liability related to web application security
   - Data ownership and privacy laws within the cloud
   - Cybersecurity and privacy legislation and regulation
   - Electronic discovery considerations, both traditional and in the cloud
   - Cybersecurity considerations related to law enforcement

I hope this helps anyway, and any comments are welcome.

Salut à tous!

-- 
Ludovic