[Owasp-leaders] 6 things you need to know about the new EU privacy framework

Ludovic Petit ludovic.petit at owasp.org
Mon Feb 11 12:09:25 UTC 2013


Agree, but I guess we have to bear in mind that it will also, somehow,
impact the business of non-EU players as well.

Interesting debate anyway.

On 11 Feb 2013 13:04, "Paweł Krawczyk" <pawel.krawczyk at hush.com> wrote:

> Ludovic,
>
> Fully agree as for boundaries *within* the EU, but note what the original
> author wrote:
>
> *This will have a huge impact for US SaaS, PaaS, IaaS providers, as well
> as social networks, search engines*
>
> The US is not part of the EU!
>
>
> *From:* Ludovic Petit [mailto:ludovic.petit at owasp.org]
> *Sent:* Monday, February 11, 2013 1:00 PM
> *To:* Paweł Krawczyk
> *Cc:* Owasp Leaders
> *Subject:* RE: [Owasp-leaders] 6 things you need to know about the new EU
> privacy framework
>
> Hi Pawel,
>
> Don't misunderstand me / the European decree:
>
> The perspective of the European decree (reminder: same content immediately
> applicable by ALL member states) abolishes the (local) boundaries in the EU
> about privacy.
>
> Ask a lawyer / a legal counsel, you'll see.
>
> Cheers
> Ludovic
>
> On 11 Feb 2013 12:40, "Paweł Krawczyk" <pawel.krawczyk at hush.com> wrote:
>
>
> Sorry but this part cited below is just not true – no local regulation
> cares about “geographical boundaries”, because any local law by definition
> is limited to the area for which it was established. In this case –
> European Union:
>
> "anyone processing personal data of any EU citizen will fall under this
> legislation. It simply abolishes any geographical boundaries ! This will
> have a huge impact for US SaaS, PaaS, IaaS providers, as well as social
> networks, search engines… The choice will be, either to accept the
> obligations set by the regulation, or refuse access to their services to EU
> citizen"
>
> And it’s only because 27 member countries have signed a treaty, where
> they have agreed that they will actually obey EU law. The United States or
> Russia have no obligation to care about EU directives, much like the EU does
> not care about US patent law.
>
> This regulation may still impact foreign companies like Google or
> Facebook, because most of them do have legal representation in the EU for
> collecting revenues (e.g. Google Ireland etc), but it’s definitely not even
> similar to a situation where a US company has to restrict their services to
> comply with EU law. To be perfectly clear, I consider most of the EU
> privacy laws paranoid and overregulated, but let’s not spread panic.
>
> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *Ludovic Petit
> *Sent:* Monday, February 11, 2013 9:54 AM
> *To:* Owasp Leaders
> *Subject:* [Owasp-leaders] 6 things you need to know about the new EU
> privacy framework
>
>
>  ****
>
> Hi All,
>
> More inputs further to my initial post about EU Cybersecurity available at:
>
> http://www.donneespersonnelles.fr/6-things-you-need-to-know-about-the-new-eu-privacy-framework
>
> The European Commission announced a new proposal for the Directive 95/46
> on “the protection of individuals with regard to the processing of personal
> data“.
>
> ...
>
> These challenges led *the European Commission* to *propose a new
> legislative framework*.
>
> 6 things you need to know about the new EU privacy framework
> http://www.donneespersonnelles.fr/6-things-you-need-to-know-about-the-new-eu-privacy-framework
>
> Commission proposes a comprehensive reform of the data protection rules
> http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm
>
> The EU Data Protection Reform 2012
> http://europa.eu/rapid/press-release_SPEECH-12-26_en.htm?locale=en
>
> Last but not least, the 2% annual turnover fine (slide 59 below) mentioned
> in Art. 79 (Penalties) of the upcoming European Decree was mentioned at
> 5% in the first draft... and the information I have from the legal
> ecosystem via lawyers says that it is not excluded that the final document
> will mention 5% again.
>
> Ludovic
>
>
> ---------- Forwarded message ----------
> From: *Ludovic Petit* <ludovic.petit at owasp.org>
> Date: 9 February 2013 18:33
> Subject: Developers, Software makers held liable for code?
> To: Owasp Leaders <owasp-leaders at lists.owasp.org>
>
>
> Hey, I'm back on stage
>
> After having thrown a stone in the water, I'll try to surf the waves ;-)
>
> Well, in order for you to have a better understanding of what I'm talking
> about, I would suggest taking a look at a couple of slides in my
> presentation introduced at our Chapter Meeting. On the wiki, page OWASP
> France, section Chapter Meeting 2013.
>
> https://www.owasp.org/images/2/2a/Chapter_Meeting_OWASP_France_-_7_Feb_2013.pdf
>
> See slides 57-60, and 62-67 as reference.
>
> Talking about *Evolution of the Legal Framework - Developers, Software
> makers held liable for code?*, and the *Draft European regulation*:
>
> Notify the national supervisory authority of violations of personal data
> (Art. 30):
>
> - everyone is concerned
> - without undue delay
> - if possible within 24 hours at the latest
> - justification if more than 24 hours
>
> Caution: The obligation also applies to subcontractors
>
> - The contractor must notify the controller of any violation he knows of
>
> The notification describes:
>
> - nature of the data, number of people involved
> - point of contact (person, contact details)
> - mitigations
> - consequences of the violation
> - measures that have been taken to remedy
>
> This was also argued at the Chapter Meeting by/with a friend of mine,
> Thiébaut Devergranne, Lawyer.
>
> The slide deck (in French, sorry) is available on his web site:
>
> *Données personnelles : le nouveau projet de règlement européen*
> http://www.donneespersonnelles.fr/donnees-personnelles-le-nouveau-projet-de-reglement-europeen
>
> I have discussed the topic with other lawyers specialized in ICT, and all
> of them are saying that developers and software makers are liable for
> code, and could be (really) held liable in case of hacking via an
> application they've coded / supplied.
>
> That's why, although legal aspects are neither the specialty nor the
> purpose of the Foundation, it seemed important and interesting to me to do
> this post, just for information for my peers at OWASP.
>
> Indeed, and I personally fully agree in advance with all of you guys
> about this first feeling, I do not think the developer as a person should
> be responsible for it, but from a legal standpoint, when hacking occurs, the
> developer's responsibility is engaged because he is recognized, again from
> a legal standpoint, as a subject-matter expert, and as such has a duty to
> advise as well.
>
> As we can see, this is a hot and complex topic, and I do not wish to be
> the devil's advocate, so don't shoot the pianist please ;-)
>
> Anyway, to keep it short - and this is my initial intent through this
> (boring?) post - regulators tend to reinforce most legal frameworks to
> focus on data privacy... through existing and evolving regulation, and this
> is why I would modestly suggest keeping up with such legal evolution,
> because nowadays the legal framework rules the technical means required
> to be compliant.
>
> Last but not least, take a look at the Call for Presentations: SnowFROC
> 2013 from Mark Major, a pity I can't make it:
>
> *Legal track*
>
> ·  Liability related to web application security
> ·  Data ownership and privacy laws within the cloud
> ·  Cybersecurity and privacy legislation and regulation
> ·  Electronic discovery considerations, both traditional and in the cloud
> ·  Cybersecurity considerations related to law enforcement
>
> I hope this helps anyway, and any comments are welcome.
>
> Greetings to all!
>
> --
> Ludovic
>
>