[Owasp-leaders] 6 things you need to know about the new EU privacy framework

Paweł Krawczyk pawel.krawczyk at hush.com
Mon Feb 11 12:04:35 UTC 2013



Fully agree as for boundaries within EU, but note what the original author wrote: 


This will have a huge impact for US SaaS, Paas, IaaS providers, as well as social networks, search engines


US is not part of EU!



From: Ludovic Petit [mailto:ludovic.petit at owasp.org] 
Sent: Monday, February 11, 2013 1:00 PM
To: Paweł Krawczyk
Cc: Owasp Leaders
Subject: RE: [Owasp-leaders] 6 things you need to know about the new EU privacy framework


Hi Pawel,

Don't misunderstand me / the European decree:

The perspective of the European decree (reminder: same content immediately applicable by ALL member states) abolishes the (local) boundaries in the EU about Privacy.

Ask a lawyer / a legal counsel, you'll see.


On 11 Feb 2013 12:40, "Paweł Krawczyk" <pawel.krawczyk at hush.com> wrote:

Sorry but this part cited below is just not true – no local regulation cares about “geographical boundaries”, because any local law by definition is limited to the area for which it was established. In this case – European Union:


"anyone processing personal data of any EU citizen will fall under this legislation. It simply abolishes any geographical boundaries! This will have a huge impact for US SaaS, PaaS, IaaS providers, as well as social networks, search engines… The choice will be either to accept the obligations set by the regulation, or to refuse access to their services to EU citizens"


And it’s only because 27 member countries have signed a treaty, where they have agreed that they will actually obey EU law. United States or Russia have no obligations to care about EU directives, much like EU does not care about US patent law.


This regulation may still impact foreign companies like Google or Facebook, because most of them do have legal representation in the EU for collecting revenues (e.g. Google Ireland etc.), but it's definitely not even similar to a situation where a US company has to restrict its services to comply with EU law. To be perfectly clear, I consider most of the EU privacy laws paranoid and overregulated, but let's not spread panic.



From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Ludovic Petit
Sent: Monday, February 11, 2013 9:54 AM
To: Owasp Leaders
Subject: [Owasp-leaders] 6 things you need to know about the new EU privacy framework


Hi All,


More inputs further to my initial post about EU Cybersecurity available at:




The European Commission announced a new proposal for the Directive 95/46 on “the protection of individuals with regard to the processing of personal data”.



These challenges led the European Commission to propose a new legislative framework.


6 things you need to know about the new EU privacy framework <http://www.donneespersonnelles.fr/6-things-you-need-to-know-about-the-new-eu-privacy-framework> 



Commission proposes a comprehensive reform of the data protection rules <http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm> 



The EU Data Protection Reform 2012 <http://europa.eu/rapid/press-release_SPEECH-12-26_en.htm?locale=en> 



Last but not least, the 2% annual turnover fine (slide 59 below) mentioned in Art. 79 (Penalties) of the upcoming European Decree was mentioned at 5% in the first draft... and the information I have from the legal ecosystem via lawyers says that it is not excluded that the final document will mention 5% again.





---------- Forwarded message ----------
From: Ludovic Petit <ludovic.petit at owasp.org>
Date: 9 February 2013 18:33
Subject: Developers, Software makers held liable for code?
To: Owasp Leaders <owasp-leaders at lists.owasp.org>

Hey, I'm back on stage


After having thrown a stone in the water, I'll try to surf the waves ;-)


Well, in order for you to have a better understanding of what I'm talking about, I would suggest taking a look at a couple of slides in my presentation introduced at our Chapter Meeting. On the wiki, page OWASP France, section Chapter Meeting 2013.




See slides 57-60, and 62-67 as reference.


Talking about Evolution of the Legal Framework - Developers, Software makers held liable for code?, and the Draft European regulation:


Notify the national supervisory authority of violations of personal data (Art. 30):

- everyone is concerned

- without undue delay

- if possible within 24 hours at the latest

- justification if more than 24 hours


Caution: The obligation also applies to subcontractors

- The contractor must notify the controller of any violation he knows of


The notification describes:

- nature of the data, number of people involved

- point of contact (person, contact details)

- mitigations

- consequences of the violation

- measures that have been taken to remedy


This was also argued at the Chapter Meeting by/with a friend of mine, Thiébaut Devergranne, Lawyer.

The slide deck (in French, sorry) is available on his web site:


Personal data: the new draft European regulation (Données personnelles : le nouveau projet de règlement européen)



I have discussed the topic with other lawyers specialized in ICT, and all of them are saying that developers and Software makers are liable for code, and could be (really) held liable in case of hacking via an application they've coded / supplied.


That's why, although legal aspects are neither the specialty nor the purpose of the Foundation, it seemed important and interesting to me to do this post, just for information for my peers at OWASP.


Indeed, and I personally fully agree in advance with all of you guys about this first feeling, I do not think the developer as a person should be held responsible, but from a legal standpoint, when hacking occurs, the developer's responsibility is engaged because he is recognized, again from a legal standpoint, as a subject-matter expert, and as such has a duty to advise as well.


As we can see, this is a hot and complex topic, and I do not wish to be the devil's advocate, so don't shoot the pianist please ;-)


Anyway, to keep it short - and this is my initial intent through this (boring?) post - Regulators tend to reinforce most legal frameworks to focus on data Privacy... through existing and evolving regulation, and this is why I would modestly suggest keeping in the loop on such evolution of the legal framework, because nowadays the legal framework rules the technical means required to be compliant.


Last but not least, take a look at the Call for Presentations: SnowFROC 2013 from Mark Major, a pity I can't make it:


Legal track

·  Liability related to web application security

·  Data ownership and privacy laws within the cloud

·  Cybersecurity and privacy legislation and regulation

·  Electronic discovery considerations, both traditional and in the cloud

·  Cybersecurity considerations related to law enforcement

I hope this helps anyway, and any comments are welcome.


Greetings to all!



