LEGAL-ETHICAL FRAMEWORK

ICT-32-2014: Cybersecurity, Trustworthy ICT
WITDOM
"empoWering prIvacy and securiTy in non-trusteD envirOnMents"
D6.1 – Legal and Ethical framework and privacy and security
principles
Due date of deliverable: 30-06-2015
Actual submission date: 30-06-2015
Grant agreement number: 644371 Lead contractor: Atos Spain sae (Atos)
Start date of project: 1 January 2015 Duration: 36 months
Revision 1.0
Project co-funded by the European Commission within the EU Framework Programme for Research
and Innovation HORIZON 2020
Dissemination Level
PU = Public, fully open, e.g. web 
CO = Confidential, restricted under conditions set out in Model Grant Agreement
CI = Classified, information as referred to in Commission Decision 2001/844/EC.

D2.1 Requirements analysis for un-trusted environments
The work described in this document has been conducted within the Research & Innovation action WITDOM
(project no. 644371), started in January 2015, and co-funded by the European Commission under the Information
and Communication Technologies (ICT) theme of the H2020 framework programme (H2020-ICT-2014-1).
Copyright by the WITDOM Consortium.
D6.1 – Legal and Ethical framework and privacy and security
principles
Editor
Griet Verhenneman (KU Leuven), Anton Vedder (KU Leuven)
Contributors
Griet Verhenneman (KU Leuven), Anton Vedder (KU Leuven), Francesco Alberti
(FCSR), Lisa Catanzaro (FCSR), Stefano Grassi (FCSR)
Reviewers
Alberto Crespo (ATOS),
Liza Catanzaro, Francesco Alberti (FCSR)
30-06-2015
Revision 1.0

D2.1 Requirements analysis for un-trusted environments
The work described in this document has been conducted within the Research & Innovation action WITDOM
(project no. 644371), started in January 2015, and co-funded by the European Commission under the Information
and Communication Technologies (ICT) theme of the H2020 framework programme (H2020-ICT-2014-1).
Copyright by the WITDOM Consortium.
Document History
Version Date Author(s) Description/Comments
1 29/01/15 Griet Verhenneman (KU
Leuven)
Draft TOC
Leuven)
Stefano Grassi (FCSR)
Revised TOC and first draft
document
3 22/04/15 Anton Vedder (KU Leuven) Review Applicable ethical
framework
Leuven)
Input for section Network
Security
5 20/05/15 Francesco Alberti (FCSR)
Lisa Catanzaro (FCSR)
Input for section applicable
ethical guidelines
framework
7 27/05/15 Francesco Alberti (FCSR)
Lisa Catanzaro (FCSR)
Input for Applicable ethical
guidelines
Leuven), Anton Vedder (KU
Leuven)
Candidate version sent out
for internal review
Leuven)
Incorporate comments
review FCSR
framework
11 26/06/15 Francesco Alberti (FCSR) Incorporate comments
review Anton Vedder
Leuven)
Incorporate comments
review ATOS and final
editing
13 30/06/15 Elsa Prieto (ATOS) Final review

D6.1 – Legal and Ethical framework and privacy and security principles
Page 4
Executive Summary
The present deliverable provides an overview and analysis of the legal and ethical framework
applicable to the WITDOM project.
First it discusses the application of the European legal framework on privacy enhancing technologies,
in particular the data protection and cybersecurity package. It focuses on the extent to which data
protection and cybersecurity legislation applies to the manipulation of (encrypted) personal data in
untrusted environments such as the cloud, and the interaction between the basic stakeholders (data
controller/processor/subject) in the context of processing personal data in these new environments.
Following the Privacy-By-Design principles the deliverable identifies a first set of legal issues and
principles to identify possible requirements or barriers to data management and protection. This
deliverable takes a general approach and answers to cross-domain issues. It needs to be completed
with sector specific requirements for WITDOM health and financial services scenarios, which will be
subject of research in D6.2. D6.1. defines the applicable legal framework for privacy enhancing
technologies and more specifically the manipulation of encrypted data in untrusted domains. Within
this area the European Commission launched two highly relevant legislative proposals: Proposal for a
Regulation of the European Parliament and of the Council on the Protection of Individuals with
regard to the Processing of their Personal Data 2012/0011 and Proposal for Network and Information
Security Directive 2013/0027. Nevertheless the “old” 1995 Data Protection Directive remains
important since the fundamental principles are kept also in the upcoming frameworks. Therefore it is
discussed extensively picturing especially the essential concepts such as data processing, data
controller, data subject and essential principles such as the transparency and finality principles.
Second the deliverable assesses ethical guidelines to support stakeholders in the advancement of
central human values such as freedom, security and justice. the interaction between law, which
provides formal regulatory settings, and ethical guidelines, which provide normative recourses for the
interpretation of the law, is an important consideration. In order to avoid negative impacts on
fundamental rights within the chosen WITDOM scenario’s the methodology for ethical impact
assessment combines an ethical risk assessment with the SPACE methodology developed in D2.1.
Formal risk analysis methods are used to have a formal definition of ethical assets and propose
countermeasures to the WITDOM strategy. To this end a distinction is made between 1) ethical
issues addressed through the legal framework and 2) ethical issues addressing harms and benefits
which are not already included in the law.
Applicable legal framework
When the storage and computation of personal data – sometimes sensitive data – is outsourced to
untrusted environments and third-party providers are entering the picture, it is no surprise that the
most crucial set of regulations concerns privacy and data protection. As the Article 29 Working
Party indicated, the wide scale deployment of cloud computing services triggers “a number of data
protection risks (mainly a lack of control over personal data as well as insufficient information with
regard to how, where and by whom the data is being processed/sub-processed)”. Core of the
discussion are three documents: 1) the European Data Protection Directive 95/46 and its proposal for
revision, 2) the Convention for the Protection of Individuals with regard to Automatic Processing of
Personal Data, commonly referred to as Convention 108 and its proposal for modernisation and 3)
the 2013 OECD privacy principles. These three documents are closely interconnected, but they are
not equal. Convention 108 has binding legal character while the OECD Privacy Principles have not.
The European Data Protection Regulation is limited to the EU while Convention 108 is a broader
international treaty. The Data Protection Directive contrasts with the two other documents in its more
concrete requirements. Important to note is that all three of the regulations are applicable to third-
party providers who are processing personal data as much as they are to in-house data processing

Page 5
operations. It is also important to know that these regulations are technology neutral and applicable to
all sectors with some exceptions for Law enforcement. However, as we will learn in D6.2, it is in
their application to different scenarios that distinctions will have to be made. A second set of highly
important regulations concerns cybersecurity, network and information security. Cybersecurity
incidents ranging from technical failures to malicious attacks have increased substantially over the
last decade. Although data security is partly incorporated in the legal framework on data protection, a
clear need was felt to adopt more specific regulations in this area. Two important documents are
addressed in this deliverable: the European Cybersecurity strategy and the Proposal for a Directive
concerning measures to ensure a high common level of network and information security across the
Union, also called the 2013 proposal for NIS Directive.
Privacy and data protection in Europe
Under the 1995 Data Protection Directive national data protection laws were harmonized to
safeguard an equivalent data protection in all European member states, to remove the obstacles to
flows of personal data in the internal market and to ensure that the transfer of personal data outside
the EU (e.g. cross-border flow) is regulated in a consistent manner. Central in its protection are 4
principles, the so called Data Quality principles:
 Transparency principle which should allow for the data subject to be empowered in his rights;
 Proportionality principle which should protect against excessive processing of personal data;
 Finality principle which establishes boundaries to the processing of personal data for primary
and secondary purposes;
 Lawfulness principle which ensures data processing is legitimate and lawful.
All four of these principles remain equally important under the proposed General Data Protection
Regulation, but they are updated and completed with new principles. As such extra weight is for
example given to the transparency principle as a mean to strengthen the data subject’s rights. The
right to access for example has proven to be crucial in the data subject’s chances to enforce his
fundamental rights to data protection, non-discrimination and others. The finality and proportionality
principle are further updated through the (partly new) data minimisation principle. Another partly
new principle is the Data Security principle. While data security had always been an important item
under the Data Protection Directive, the proposal for a General Data Protection Regulation devotes
extra attention to it. This is no surprise as data security and cybersecurity are very high on the
European agenda. This can be noticed in multiple legislative proposals, amongst which also the
Proposal for a Network and Information Security directive. The proposal for General Data Protection
Regulation introduces the concepts of data protection by design and data protection by default to
ensure an adequate level of data security. Following these principles data protection safeguards
should be built into the technical architecture, services and products from the earliest stages of
development and privacy-friendly default settings should be the norm. Additionally the proposal for
General Data Protection Regulation introduces further specifications on data processor and data
controller responsibilities and liabilities, which is accompanied by the introduction of another new
principle: the accountability principle.
However, if adopted, the switch in regulatory instrument from a Directive to a Regulation is probably
one of the most significant changes. The instrument of Regulation is considered to be the most
appropriate European legal instrument to increase harmonisation and decrease legal fragmentation. In
the information package released by the European Commission it is exemplified that: “By
implementing a single set of rules on data protection, valid across the EU, thereby replacing the
current patchwork of national rules in 27 Member States, increasing legal certainty and making it
easier to trade and do business in Europe's Single Market. This will lead to a net saving for
companies estimated to amount to €2.3 billion a year. By simplifying the regulatory environment by

Page 6
cutting red tape and abolishing formalities such as general notification requirements for companies,
saving businesses around €130 million a year”. For WITDOM it is encouraging that the legal
framework would become more harmonised over Europe as this simplifies the adoption of the
WITDOM system in different Member States. Currently the applicability of the EU Data Protection
Directive depends on the location of the controller. Under the proposal for a General Data Protection
Regulation this might shift to the location of the consumer, but provisions in this regard are still
under discussions.
For cross-border data transfers the situation however is likely to remain complicated and in light of
WITDOM’s cloud based or otherwise distribution based scenarios this is troublesome. The goal of
the DPD is to stimulate the free flow of personal data, but with the right protection. The transfer of
data for internal market purposes within the EEA is free. All Member States are bound by the same
minimum rules, specified in the DPD. When transferring data to countries outside of the EEA
following EU law WITDOM solutions will have to take into account an additional set of legal
requirements. In such a case the current Data Protection Directive distinct three legal bases: 1)
transfer to a country that has been recognized by the EU as to offer “adequate protection” which
currently includes Switzerland but excludes the US; 2) transfer under Binding Corporate Rules
which requires the sender and the recipient of personal data, to lay down certain contractual clauses;
and 3) a series of specific exceptions amongst which the unambiguous consent of the data subject.
Given the importance of third country data transfer in cloud based scenarios, this topic will be subject
of further analysis in D6.3. Opinions of the Article 29 Working Party, together with progress in the
reform of the data protection legal framework in the EU, including General Data Protection
Regulation, Convention 108, but for example also Umbrella agreements and FAIR principles, are
deemed to be of crucial importance in this regard.
As such the modernization of Convention 108 constitutes another important element for WITDOM
legal compliance. On 10 March 2010 the Council of Europe Committee of Ministers first encouraged
the modernisation of Convention 108 to: “deal with challenges for privacy resulting from the use of
new information and communication technologies” and “strengthen the Convention’s follow-up
mechanism”. On 3 December 2014 the ad hoc committee on Data Protection (CAHDATA) released
the draft amending protocol for transmission to the Committee of Ministers. Because the
modernisation of the Convention is closely linked to the review of the EU Data Protection Directive,
final adoptions of an amending protocol is only expected after adoption of the adoption of an EU
Regulation. Characterising for the Convention is its broad approach, applying to all personal data
whether processed for law enforcement or not. Similarly to the proposal for the General Data
Protection Regulation, the CAHDATA proposal puts stronger emphasis on human rights. It wants to
reflect a positive approach in its manifestation of the right to informational self-determination. In line
with the revised OECD guidelines and the new European Data Protection Package, the 2014 proposal
introduces a set of “new” obligations to promote the application of data protection rules in practice,
namely: accountability, privacy impact assessments and privacy by design. But above all the proposal
seems to aim to promote Convention 108 as the new global privacy standard. Discussions were
opened to third countries and regional organisations, the Convention Committee is strengthened and
a DPA network is created.
Lastly the 2013 OECD privacy principles are discussed. Although not legally binding, they do have a
high esteem as for example proven by the Madrid Declaration which affirms with over 100
signatories over the world the support for the fair information principles as set out by the OECD. The
eight Fair Information Principles remained unchanged in the 2013 revision. Here too, the focus was
on the need for a practical, risk management-based approach to the implementation of protection on

Page 7
the one hand and the need for enhancement to improve the interoperability of privacy protection
globally on the other hand. Overall the OECD placed a greater emphasis on management, transborder
data flows, security breach notification, enforcement and management, and international cooperation.
Cybersecurity – network and information security in Europe
Trust is absolutely essential for the WITDOM project to succeed, especially because WITDOM is
focusing on usually untrusted digital environments. Cybersecurity is one of the biggest issues
currently faced by governments and businesses in the EU and globally. In response to that threat the
European Commission launched in 2013 its Cyber Security Strategy. The two most important
documents constituting the Strategy are 1) the Joint Communication to the European Parliament, the
Council, the European Economics and Social Committee and the Committee of the Regions on An
Open, Safe and Secure Cyberspace and 2) the Proposal for a Directive of the European Parliament
and of the Council concerning measures to ensure a high common level of network and information
security across the Union, also referred to as the NIS-Directive. Crucial to this market is that, in order
for it to remain open and free, the same norms, principles and values the EU upholds offline, should
apply online. “Fundamental rights, democracy and the rule of law need to be protected in
cyberspace”. Currently there is no overarching obligations for Member States to implement a
uniform cybersecurity strategy. The proposed NIS Directive aims to coordinate Member States’
actions to improve cybersecurity and to develop a common and consistent approach in order to allow
for a level playing field across Europe. In its current form the NIS Directive aims to address all
network and information systems of operators of critical infrastructures including health and financial
services. The proposal for Directive not only imposes obligations on Member States, also on ‘market
operators’, which includes 1) the use of standards and/or specifications relevant to networks and
information security; 2) the implementation of the appropriate technical and organisational measures;
3) incident notification and 4) network and information security audit. Especially the data breach
notification foreseen in the proposal for NIS Directive is closely linked to the data breach notification
foreseen in the General Data Protection Regulation. Essential to the WITDOM scenarios is the notice
of the Article 29 Working Party that data breaches may have an adverse effect even if it concerns
encrypted data. The Working Party states: “However, even when data is encrypted, a loss or
alteration can have negative effects for data subjects when the data controller has no adequate
backups. In this case notification to data subjects should still be required even with encryption
protection measures in place”.
Applicable Ethical Guidelines
Ethical guidelines can support stakeholders to ensure the protection and advancement of central
human values such as freedom, well-being in the form of individual and public interests such as
individual and public health and security. Ethical considerations can play a part in system governance
by shaping the actions of people, imposing constraints and providing guidelines for the development
and design of technology. The law provides the formal regulatory setting in which individuals, third
parties, and institutions carry out their activities. However, ethical guidelines provide a basis for the
law, normative resources for the interpretation of the law and guidance that is sometimes additional
to what the law requires. Furthermore these ethical guidelines have an important impact for the
societal acceptance of WITDOM solutions. WITDOM will use a framework made up of different
principles pertaining to several ethical subdomains from business, finance, and public sectors such as
health care. Principlism is a practical approach for ethical decision-making that focuses on four
broadly shared moral principles:
 Respect for Persons and Autonomy. All persons have a fundamental right to self-
determination. Incorporates at least two ethical convictions: first, that individuals should be
treated as autonomous agents, and second, that persons with diminished autonomy are entitled

Page 8
to protection. In its new formulation Personal autonomy refers to self-governance, to “self-
rule that is free from both controlling interference by others and from limitations, such as
inadequate understanding, that prevent meaningful choice.”
 Principle of Justice. All persons are equally entitled to a same degree of moral concern and
attention. This does not mean that they should be treated completely equally as they may have
different needs and vulnerabilities. It means however that they at least should be treated with
the same procedural fairness.
 Principle of Non-Maleficence. All persons have a duty to prevent harm to other persons
insofar as it lies within their power to do so without undue harm to themselves, their vital
health and security interests. It underlies the Hippocratic maxim of the Primum non nocere:
“Above all [or first] do no harm”. This principle refers to the duty to refrain from causing
harm: “One ought not to inflict evil or harm” where a harm is defined as an adverse effect on
one’s interest.
 Principle of Beneficence. All persons have a duty to advance the good of others and of
themselves where the nature of this good, such as their vital health and security interests, is in
keeping with the fundamental and ethically defensible values of the affected party and where
advancing their good does not entail disproportionate harm to oneself.
A secondary principle derived from these four moral principles is Responsibility. Whoever has an
obligation on the basis of basic moral principles or originated from a specific social or professional
role or function, has a duty to fulfil that obligation to the best of her or his ability. This principle
attributes responsibilities for actions or consequences of actions to agents.
Ethical Impact Assessment
The ethical impact assessment framework by Wright and Mordini can be used as a way to ensure
ethical implications are adequately examined by stakeholders before deployment of the system. A
distinction can be made between ethical issues addressed through the legal framework and other
ethical issues going beyond the legal framework.
Informational privacy for example can be defined as an individual’s right to determine whether,
what, when, by whom and for what purpose personal information is collected, accessed, used or
disclosed. The Universal Declaration of Human Rights, the European Charter for Human Rights, the
current European Data Protection Directive 95/46/EC, the ePrivacy Directive 2002/58/EC but also
many other EU member state laws ensure a high level of protection for the individuals’ privacy and
personal data. As good and comprehensive as the protections offered by this legal framework may be,
they will never be able to fully protect personal information and persons in all of the relevant
respects. Moreover, network and Information Security Requirements that are ethically grounded can
be defined as set of administrative, physical and technical actions used or taken to protect the
confidentiality, availability and integrity of personal data. Best practice has involved the use of
information technology mechanisms such as firewalls, encryption, passwords, and security
compliance as well as the restriction of access to raw data that could directly identify an individual.
The conceptions of autonomy for example are closely connected to those of individuality and
identity. With new techniques to data processing it is possible to link data from multiple sources for
the purpose of providing more complete, anonymized datasets. Data sharing is becoming common in
many industries from research. Re-identification is becoming more powerful than de-identification,
while focusing on protection of personal data is important, this may no longer be sufficient to protect
personal privacy. Laws do not protect individuals once their identity, individuality and personally
identifiable information has become aggregated, for example in the data mining process. Thus, a new
normative category of privacy protection based on privacy and ethical considerations must be
established to protect individuals from misuses of their personal data in aggregated form (Vedder,
Responsibilities for Information on the Internet, 2008).

Page 9
Other ethical guidelines can increase the level of protection and alleviate public fears around some of
these infringements of human rights. Matters such as these belong to social concerns, not legal issues,
which are either extremely difficult to quantify or to implement as an articulate requirement
specification. Protections must be established to ensure that that personal information is not
disclosed, handled, or used in a way that could cause material or immaterial damage. Ethical
principles can also be applied to assess the risks and benefits of tangible forms of harm such as harm
to health, harm to life, or financial harm. In the context of data privacy, security trusted environments
ICT services owned by third party providers can prevent harm and have ethical responsibilities to
securely move data through a network and provide high quality data. By way of example the
principle of justice could be violated with the public disclosure of information. An extreme example
would be that data is disclosed on an individual or on a group of individuals that has a statistical
probability of acquiring a certain disease demonstrated by data analysis. This could result in an
individual being charged higher insurance premium, refusal of coverage or result in an individual
being denied a job. This infringement of privacy can cause economic harm and or reduce
opportunity.
When data collection involves the processing of sensitive personal data such as health, sexual
lifestyle, ethnicity, political opinion, or religious affinity, finally a high level of trust and
responsibility is needed. The EU Data Protection Directive says that the data controller should be
accountable for complying with principles and enforcing standards, but the principle of responsibility
will be effective in building trust and responsibility for multiple stakeholders. Due to the
interconnectedness of technology systems it may be problematic to ascribe responsibility to any
single stakeholder or actor therefore reviewing ethical codes of conduct with a focus on ethical
relationships and responsibilities irrespective of jurisdiction in an international setting could be
beneficial.
Ethical Risk Assessment
It turns out that the works of Wright et al. can be gainfully combined with our proposed SPACE
methodology described in D1.3 in a natural way, obtaining a twofold goal: First, SPACE gets
enriched (and validated) by an ethics-oriented side, increasing its value. Second, the Ethical Impact
Assessment framework of Wright et al. gains practical and engineering-oriented tools that can be
used to effectively translate ethical issues into technological requirements (if possible), filling the gap
that could exists between engineers and ethics committee. The SPACE methodology, detailed in
Chapter 3 of D2.1, comprises four phases: scenario description, input Data Identification,
stakeholders’ Goals and Data of Interest Analysis, threats and Feared Events investigation. SPACE,
being parameterized in terms of the set of properties/issues determining the Feared Events, can be
applied also with the purpose of obtaining an Ethical Impact Assessment. The questions Wright et al.
described in their works already target the identification of possible issues. We notice that the
outcome of the SPACE process could provide a solid proof accounting the work done towards the
analysis of possible ethical issues, and the resulted decisions taken in order to avoid them. An ethical
committee could also benefit from the outcome of SPACE, as it will provide a tool allowing to
establish the thoroughness by which the Ethical Impact Assessment of the project has been carried
out, along with possible solutions and requirements.
But, beside the many similarities and synergies that we identified so far between privacy/security and
ethics principles and the relative SPACE outcome, there could be also some relevant differences. The
biggest difference is that requirements and countermeasures for ethical principles are not necessarily
technical requirements. Refactoring of the business processes or high-level requirements constraining
them could be expected output of the execution of SPACE in this setting. Furthermore, requirements
or countermeasure could also not exist, especially when analyzing soft ethical issues which impact
cannot be quantified. In this case, we argue that SPACE still provides some help to the

Page 10
researchers/engineers designing the system, starting anyhow a debate proving, at least, that such
issues although not quantifiable have been taken into account and analyzed. In this perspective, it
would be extremely beneficial to have a tool providing clear evidence of the risks that cannot be
taken into consideration and fixed with technological methods.
Conclusions
When considering the legal and ethical framework for privacy and security, we cannot but notice that
long standing legal principles as well as broadly shared ethical principles are highly valued. In the
current reforms they are complemented with increased attention for controller-processor
responsibilities, transparency in (transborder) data processing operations and high-end security
measures. When for example storing data in the cloud – a still very much untrusted domain – it is
emphasised by the while the cloud provider has an obligation to be transparent towards his client and
to refrain from processing operations other than stipulated in the contracts with the client, it is the
cloud client who is considered data controller and who should assess the trustworthiness of the cloud
provider. Nevertheless the cloud provider – processor is considered to be open and transparent about
the characteristics of the services he offers, about the data flows and about possible third country
transfers. It is up to the client to assess the provider, but the client can only do so if provided with
sufficient and truthful information. The same line of thinking can actually be found in the
relationship of the controller with a data subject, and in the relationship of the controller with data
protection and data security authorities. Between the controller and the data subject is seems to
become increasingly important to ensure the data subject is well informed in order to allow him to
better exercise his rights.

Page 11
Contents
Executive Summary............................................................................................................................... 4
1 Introduction ................................................................................................................................ 13
1.1 Purpose of the document........................................................................................................ 13
1.2 Relation to other project work ............................................................................................... 14
1.3 Structure of the document...................................................................................................... 15
1.4 Acronyms used in this document........................................................................................... 15
2 Applicable legal framework ....................................................................................................... 17
2.1 Privacy and data protection in Europe................................................................................... 18
2.1.1 Data Protection Directive 1995 and its review process................................................ 19
2.1.2 Convention 108 ............................................................................................................ 29
2.1.3 The OECD.................................................................................................................... 32
2.2 Cybersecurity – network and information security................................................................ 34
2.2.1 European Cybersecurity Strategy................................................................................. 34
2.2.2 Proposal for Network and Information Security (NIS) Directive ................................ 35
3 Applicable Ethical Guidelines.................................................................................................... 39
3.1 Introduction............................................................................................................................ 39
3.1.1 Ethical Approach and Principles .................................................................................. 39
3.1.2 Ethical Impact Assessment........................................................................................... 40
3.2 Ethical Issues addressed through the legal framework.......................................................... 41
3.2.1 Autonomy 1.................................................................................................................. 41
3.2.2 Autonomy 2.................................................................................................................. 42
3.2.3 Dignity.......................................................................................................................... 42
3.3 Ethical requirements going beyond the law........................................................................... 42
3.3.1 Justice 1 ........................................................................................................................ 43
3.3.2 Justice 2 ........................................................................................................................ 43
3.3.3 Justice 3 ........................................................................................................................ 43
3.3.4 Non-Maleficence.......................................................................................................... 44
3.3.5 Beneficence .................................................................................................................. 44
3.3.6 Responsibility............................................................................................................... 44
3.4 Ethical Risk Assessment........................................................................................................ 45
3.4.1 Introduction .................................................................................................................. 45
3.4.2 Methodology ................................................................................................................ 46
4 Conclusions ................................................................................................................................ 49
5 References .................................................................................................................................. 51
6 Bibliography............................................................................................................................... 53
List of Tables
Table 1. The “Stakeholders’ Goals table” template, used for analyzing stakeholders’ goals and data of
interests. ............................................................................................................................................... 46
Table 2. The “Feared Events table” template used for investigating Threats and Feared events........ 46
Table 3. Ethical risk assessment .......................................................................................................... 47
Table 4. Example of issue addressed through legal framework .......................................................... 50
Table 5. Example of ethical issue ........................................................................................................ 50

Page 12

Page 13
1 Introduction
Compliance of technological developments with legal requirements and ethical considerations is
important for creating user trust, positive business models and sound innovation. To the WITDOM
project legal requirements and ethical considerations stemming from data protection and data security
are especially important since the project’s focus in on the secure storage and computation of
personal data in untrusted environments. Included in the project are special categories of data
(sensitive data) and encrypted data. The technological innovation in the WITDOM project therefore
needs to be performed under the complex conditions established by law and ethics. Only the
reconciliation of technological innovation, legal guidelines and ethical values can safeguard citizen’s
rights.
This deliverable presents a first group of legal and ethical requirements derived from current
European legislation, pending European legislative proposals, interpretations of the European
legislation by bodies such and the Article 29 Working Party and broadly shared ethical principles. As
such, this deliverable contributes to the incorporation of the Privacy-by-Design methodology into the
WITDOM project. Privacy-By-Design is a term that refers to requirements and measures that should
be taken into account during the design of Information and Communication Technologies (ICT)
based applications and their whole life cycle, in order to ensure respect for individuals’ privacy
(Cavoukian & Chanliau, 2013). The main objective of the concept of Privacy-by-Design is to
integrate privacy-requirements and privacy-preserving solutions in the engineering of products and
services. This way law becomes an important element in the determination of technological
innovations and other developments. But we should on the other hand acknowledge that technology
can also help in delivering pragmatic solutions to resolve legal issues and as such be a driving force
itself. In other words, the goal of Privacy-by-Design and the goal of this deliverable is to embrace
privacy from within the WITDOM system designs.
1.1 Purpose of the document
The objective of this document is to outline and analyse the applicable ethical and legal framework
and principles concerning the processing of encrypted data in untrusted domains. It provides initial
guidance to the adopters of WITDOM outcomes when applying the referred technological
developments in their own domain. This analysis is important for the compliance of the technological
developments of the WITDOM project and of the WITDOM adopters with the ethical and legal
principles it is subject to. As such the deliverable reports on the work performed under task 6.1:
Applicable ethical and legal framework and principles.
To this purpose the present deliverable first discusses the data protection and security legislation
applicable to the manipulation of encrypted data in an untrusted environment, such as the cloud. The
deliverable takes a general approach identifying cross-domain issues and principles, but keeps in
mind the two specific environments the project’s pilots and their peculiarities: genomic data on the
one hand and financial services data on the other hand.
Secondly the deliverable discusses ethical guidelines to support stakeholders in the advancement of
central human values such as freedom, security and justice. While within the WITDOM project no
real personal data will be used but only dummy / fake data, the WITDOM solution eventually needs
to be ready to avoid negative impacts on fundamental rights and foster positive mechanisms for
protection. Ethical clearance was obtained to this end.1
A production environment that should use
WITDOM results in the future and in which real data are being outsourced to untrusted environments
1
Ethics Screening Report. ICT-32-2014 - WITDOM - 644371 - EthSR Report, Ref. Ares(2014)3114951- 23/09/2014

Page 14
it is possible that fundamental rights may come into play. To this end the interaction between law,
which provides formal regulatory settings, and ethical guidelines, which provide normative recourses
for the interpretation of the law, is an important consideration. In order to avoid negative impacts on
fundamental rights within the chosen WITDOM scenario’s the methodology for ethical impact
assessment combines an ethical risk assessment with the SPACE methodology developed in D2.1.
Finally the goal of this ethical analysis is also to exclude that any other less obvious fundamental
rights are impacted.
1.2 Relation to other project work
D6.1 presents the first results of WP6: legal requirements and validation.
The legal requirements formulated within this document are addressing cross-domain issues and
principles and mainly concern Data Protection and Security. Two short comments should be taken
into account when reading this deliverable. First it should be clear that these requirements will be
further refined and applied to the WITDOM scenarios – genomic health record and financial services
– in D6.2. Sector specific requirements are therefore not formulated in D6.1, but will be part of D6.2.
Secondly it is important to remember that the legislative framework applicable to the WITDOM
project is currently being reviewed. The pending legislative proposals are taken into account in this
document, but discussions are limited to the wording of the original proposals. When these proposals
get approved during the later stages of the project or when important changes are announced, this will
be taken up in later deliverables such as D6.2 and D6.3. For example with regard to the review of the
European Data Protection Directive, schedules announced by the European Commission, Council and
Parliament show important progress in the second half of 20152
.
WITDOM will implement compliant systems based on the legal framework and ensure that these
systems take into account the ethical considerations which in part lie at the basis of that legal
framework and in part go beyond the requirements of the legal framework. This section will be
considered, in conjunction with D2.1, D2.2, and D6.2, as the basis for designing and developing the
WITDOM project. In Deliverable D6.2 that follows, a detailed level of ethical governance will be
proposed to support the unique context of the electronic Genomic Record and the Financial Services
scenario.
D6.1 furthermore connects with other work packages. The requirements formulated by D6.1 will be
combined with the user requirements formulated in D2.1 using the SPACE methodology. Together
they will feed into WP2, WP3 and WP4.
 In WP2 the input from D6.1 will aid to refine the scenarios in D2.2. and will contribute to the
prototype evaluations from a multidisciplinary perspective towards the end of the project.
 WP3 will receive a list of legal requirements. Analyses in D6.1. are the first step towards the
formulation of these requirements. Together with the requirements formulated in WP2 the
legal requirements will be taken as the foundation for the production of tangible modular
building blocks.
 For WP4 the legal requirements are an important element for the architecture design.
Following the privacy-by-design methodology they will be taken into consideration especially
in the early design phase addressed by T4.1.
Finally KU Leuven provides the ethical manager who will be instrumental in ensuring legal
compliance during the implementation phase.
2
For up-to-data information see: http://www.consilium.europa.eu/en/policies/data-protection-reform/data-protection-
regulation/

Page 15
1.3 Structure of the document
In the first section the deliverable defines the applicable legal framework for privacy enhancing
technologies and more specifically the manipulation of encrypted data in untrusted domains. Mostly
relevant in this context are European Data Protection laws and European Security requirements.
Within this area the European Commission launched two highly relevant legislative proposals:
Proposal for a Regulation of the European Parliament and of the Council on the Protection of
Individuals with regard to the Processing of their Personal Data 2012/0011 and Proposal for Network
and Information Security Directive 2013/0027.
Within these two fields the legal framework is thus being adapted to technological changes and new
societal needs. Unfortunately the legislative progress is often not as fast as technological progress.
The review of the European Data Protection Directive 95/46 for example is progressing, but has
suffered some set-backs and has not yet come to its final approval. On June 15th
another very
important step was taken towards the finalisation of the review when the European Council
announced its agreement on the general approach. As indicated above, negotiations with the EU
Parliament are foreseen for the second half of 2015. Also the proposal for a new Network and
Security Directive (NIS Directive) has been launched a couple of years ago, but has not yet reached
the final steps of the legislative process. Therefore this deliverable deals with both the currently
applicable European legal framework and the legislative proposals in the pipeline.
In the second section the deliverable provides an analysis of the ethical issues which may have a
bearing on data management and protection. Formal risk analysis methods are used to have a formal
definition of ethical assets and propose countermeasures to the WITDOM strategy. A distinction is
made between 1) ethical issues addressed through the legal framework and 2) ethical issues
addressing harms and benefits which are not already included in the law.
The International Law of Human Rights is a common approach in business ethics for guiding
implementation of human rights such as non-discrimination and equality, access to information,
accountability, and good governance. The International Declaration of Human Genetic Data sets up
an international structure and states that data practices shall be consistent with the International Law
of Human Rights. Therefore we recommend that ethical governance tools should take into
consideration international instruments for regulation of human rights and recognize that different
cultures and languages may not share similar conceptions of informational privacy and data
protection. Focused considerations are the right to information, the right to privacy, data protection
and confidentiality.
The three main human rights principles to consider in relation to data-collection processes are self-
identification, participation and data protection (Nations, 2012), but Article 2 also mentions Equality
& Non-discrimination as cross cutting principles. The Universal Declaration of Human Rights
Indicators is a useful guide to measurement and implementation. It can be used as an operational tool
to promote comprehensive human rights assessments. We will consider this tool in relationship to
data-collection processes sections.
By choosing this structure it is our intention to clearly distinct three types of requirements
 Requirements stemming from European legislation and addressing clear and well-defined
issues;
 Considerations stemming from unquantifiable ethical issues.
 Requirements stemming from quantifiable ethical considerations through risk-analysis;
1.4 Acronyms used in this document
Article 29 WP Article 29 Data Protection Working Party as set up under the Directive
95/46/EC of the European Parliament and of the Council of 24 October 1995

Page 16
BCR Binding Corporate Rules
Convention 108 Convention for the Protection of Individuals with regard to Automatic
Processing of Personal Data
DPD Directive 95/46/EC of the European Parliament and of the Council of 24
October 1995 on the protection of individuals with regard to the processing of
personal data and on the free movement of such data
DPR Proposal for a Regulation of the European Parliament and of the Council on
the protection of individuals with regard to the processing of personal data
and on the free movement of such data (General Data Protection Regulation)
COM(2012)0011 final – 25/01/2012
ECHR European Convention for the Protection of Human Rights and Fundamental
Freedoms
ECtHR European Court of Human Rights
ePrivacy Directive Directive 2002/58/EC of the European Parliament and of the Council of 12
July 2002 concerning the processing of personal data and the protection of
privacy in the electronic communications sector (Directive on privacy and
electronic communications)
HIPAA Health Insurance Portability and Accountability Act
ICT Information and communications technology
LINDDUN Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of
information, Unawareness, and Non-compliance
NIS Proposal for a Directive of the European Parliament and of the Council
concerning measures to ensure a high common level of network and
information security across the Union - COM(2013) 48 final - 7/2/2013 - EN
OECD Organisation for Economic Co-operation and Development
PbD Privacy-by-Design
RFID Radio Frequency IDentification
SPACE Security and PrivAcy CodEsign
STRIDE Spoofing, Tampering, Repudiation, (Information) Disclosure, Denial of
Service, and Elevation of Privilege
UDHR Universal Declaration of Human Rights

Page 17
2 Applicable legal framework
When the storage and computation of personal data – sometimes sensitive data – is outsourced to
untrusted environments and third-party providers are entering the picture, it is no surprise that the
most crucial set of regulations concerns privacy and data protection. As the Article 29 Working
Party indicated, the wide scale deployment of cloud computing services triggers “a number of data
protection risks (mainly a lack of control over personal data as well as insufficient information with
regard to how, where and by whom the data is being processed/sub-processed)” [18]. Next to cloud
providers third party actors could also include subcontracted chains of data processors who provide
their services to data controllers. An essential part of the WITDOM solution is to provide its users
with the assurance that privacy and data protection risks are minimalized.
In legal literature distinctions are being made between a to privacy and a right to data protection.
When considering the concept of privacy diachronically we notice an evolution from a right to be left
alone which should allow diversity in society to – intentionally exaggerated - a right to control one’s
data. Especially in the early seventies, the concept of privacy tended to be reduced to privacy in
informatics or even computer privacy. Today it turned out that “the computer” was only the herald
for a variety of information technology applications collecting ever huger amounts of personal data.
Has the right to privacy now become a protection mechanism against third parties who could acquire
a substantial power over us through our electronically processed personal data (Dommering, Van
Eijk, Nijhof, & Verberne, 1999)? Yes, but it is not limited to just electronically processed personal
data. The right to privacy also protects my home and my family-life. On the other hand the right to
data protection protects personal data and this may be broader than just private data. When
overviewing the discussion whether or not the right to privacy encompasses a right data protection, it
seems that two important elements contributed to the debate.
 First of all the codifications of the fundamental rights to privacy and to data protection are
inconsistent. Whereas the Universal Declaration of Human Rights (UDHR) and the European
Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) do not
mention a fundamental right to data protection separately. But, separate articles are included
in other international treaties such as the Charter of the Fundamental Rights of the European
Union and the Treaty on the functioning of the European Union, but also European Council
Convention for the Protection of Individuals with regard to Automatic Processing of Personal
Data (Convention 108). This debate has been so important in Western doctrine not in the least
because fundamental rights are to jurists as a king to its knights. The hierarchal structure of
law invites jurists, independent of their cultural background to start with fundamental rights
(Burket, 2008).
 A second important element contributing to his debate is concerns the European Court of
Human Rights’ (ECtHR) case law. The ECtHR has contributed heavily to the broad
interpretation of the fundamental right to privacy by interpreting Article 8 ‘Right to respect
for private and family life’ widely and generously (Fuster, 2014).
While this discussion has shown to be highly relevant for legal theoretical purposes, it does not seem
to affect development in ICT innovation project like WITOM where a pragmatic approach to law
prevails. Therefore the protection of the right to privacy and the protection of the right to data
protection are considered of an equal importance.
Because of their practical guidelines and specific implications for the WITDOM project we discuss
the following three documents extensively:
 the European Data Protection Directive 95/46 [2];

Page 18
 the Convention for the Protection of Individuals with regard to Automatic Processing of
Personal Data, commonly referred to as Convention 108 [3];
 and the OECD privacy principles [4].
In this regard it is important to realise that these regulations are applicable to third-party providers
who are processing personal data as much as they are to in-house data processing operations. It is
also important to know that these regulations are technology neutral and applicable to all sectors with
some exceptions for Law enforcement. However, as we will learn in D6.2, it is in their application to
different scenarios that distinctions will have to be made. The implications of these regulations for
the Health scenario may in second instance prove completely different from the implications for the
Financial Services scenario. It should also be noted that in the US for example this vision was not
shared. With the publication of HIPAA a specific regulatory framework was installed for the
protection of health data.
A second set of highly important regulations concerns cybersecurity, network and information
security. Cybersecurity incidents ranging from technical failures to malicious attacks have increased
substantially over the last decade. Currently cybersecurity is one of the biggest issues faced by
governments and businesses in the EU and globally. Although data security is partly incorporated in
the legal framework on data protection, a clear need was felt to adopt more specific regulations in
this area. This set of regulations is still emerging, but, following the PbD principle, we consider it of
high importance for future-proof WITDOM results. This deliverable therefore already builds on two
high level documents: the European Cybersecurity strategy and the yet to be discussed and approved
Proposal for a Directive concerning measures to ensure a high common level of network and
information security across the Union, also called the 2013 proposal for NIS Directive.
2.1 Privacy and data protection in Europe
Over the last three decades technology and its effect on our society has changed dramatically. The
legal instruments governing the right to data protection however settled. The OEDC privacy
principles [4], the European Data Protection Directive [2] and the Convention 108 [3] proved their
strength and gained importance. In 2010 – 30 years after their date of birth – modernisations and
review processes were announced. Very quickly in these review processes it was generally agreed
that dramatic changes one might expect given the turnaround in technology, proved unnecessary. The
baseline principles enacted at times the Internet was emerging are - on the contrary - confirmed in the
revisions presented today. This is the case for all three documents: 1) the proposal for a General Data
Protection Regulation first presented in 2012 [5], 2) the OECD Guidelines governing the Protection
of Privacy and Transborder Flows of Personal Data revision approved in 2013 and 3) the draft
amending protocol to Convention 108 accepted by the ad hoc committee on data protection
(CAHDATA) on 3 December 2014 [6]. Nevertheless meaningful wordings have been changed,
influential rights have been introduced and last but not least, the international context gained
importance.
These three documents are closely interconnected, but they are not equal. Convention 108 differs
from the OECD Privacy Principles in its binding character. Contrary to the European Data Protection
Regulation the Convention is an international treaty. Convention 108 is in fact the only legally
binding international treaty dealing with privacy and data protection covering both private and public
activities by both regular and law enforcement agencies and applying to all personal data
(Kierkegaard & et.al, 2011) (Greenleaf, 2013) (de Hert & Papakanstantinou, 2014). The Data
Protection Directive however contrasts with the two other documents in its more concrete
requirements and obligations and the limitation of its scope to the EU Member States. The following
sections take a closer look at each of these documents and the accompanying proposals for reform.

Page 19
2.1.1 Data Protection Directive 1995 and its review process
2.1.1.1 The 1995 Data Protection Directive
2.1.1.1.1 Introduction
National data protection laws in Europe are harmonized by the EU Data Protection Directive of 24
October 1995. The main purposes of this Directive are
(1) to safeguard an equivalent data protection in all European member states,
(2) to remove the obstacles to flows of personal data in the internal market and
(3) to ensure that the transfer of personal data outside the EU (e.g. cross-border flow) is regulated in
a consistent manner.
Important for the WITDOM project is that as a general rule data transfers outside the EU are only
allowed when the third country ensures a so called “adequate level of protection”. Before studying
what it means to provide “adequate” protection and how third country transfers can be organized, this
chapter first focusses on data transfers inside the EU.
2.1.1.1.2 Applicability of the EU Data Protection Directive
The applicability of the EU Data Protection Directive (hereinafter: “DPD”) depends on the location
of the “controller”. The controller is “the natural or legal person, public authority, agency or any
other body which alone or jointly with others determines the purposes and means of the processing of
personal data”. In more and more data processing and storage scenarios – research project scenarios
and business plan scenarios – the idea of one single controller that determines the purposes and
means of the data processing is no longer realistic. More and more members of a research project or
business partners act as a consortium and share responsibilities and act as “joint controllers” [22].
EU member states shall apply their national data protection provisions (harmonized by the DPD) to
the processing of personal data (for exact definitions see below section: 2.1.1.1.3) where:
(a) the data processing is carried out in the context of the activities of an establishment of the
controller on the territory of an EU member state;
(b) or the controller is not established on an EU member state's territory, but in a place where its
national law applies by virtue of international public law;
(c) or the controller is not established on Community territory and, for purposes of processing
personal data makes use of equipment, automated or otherwise, situated on the territory of the
said Member State, unless such equipment is used only for purposes of transit through the
territory of the Community. In this case, the controller has to designate a representative
established in the territory of that member state.
2.1.1.1.3 Basic legal concepts of the EU Data Protection Directive
The DPD applies to the “processing” of “personal data”.
“Processing” is defined in article 2 (b) of the DPD as “any operation or set of operations which is
performed on personal data whether or not by automatic means such as collection, recording,
organization, storage, adaptation or alternation, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination, blocking,
erasure or destruction”. This definition is very broad and includes both “the processing of personal
data wholly or partly by automatic means”, as […] “the processing otherwise than by automatic
means of personal data which form part of a filing system or are intended to form part of a filing

Page 20
system”. This means that any processing of personal data in a genetic record or financial record –
electronically or not - must comply with the rules set out in the DPD. This is the case for in-house
storage, but also for third-party storage, such as cloud based solutions. It must be noted that cloud
solutions are much more dynamic than traditional data processing solutions. As indicated in the
Sopot Memorandum: “The location where data processing takes place can change dramatically. The
current location of data and where it is processed can depend on a variety of factors to which end
users and data controllers traditionally have given little thought […]. Cloud service providers often
choose to locate their data centers across many countries and several continents, based on the
availability of cheap electricity, a cool local climate and time zone differences […]. Unpredictable
circumstances can also impact the current location of data, such as interruptions in one data center
or lack of capacity at peak periods (overflow).” [27]. The Article 29 Working Party consequently
considers the lack of control over the data and absence of transparency on the data processing as the
two categories of data protection issues with regard to cloud computation [18].
“Personal data” is described in the DPD as “any information relating to an identified or identifiable
natural person”. Generally it can be information which in its content, in its purpose or in its result
relates to a natural person. In nature, content or format the concept of personal data is broadly
interpreted. The article 29 WP noted in its 2007 opinion on the concept of personal data that the EU
Commission, the Council and the EU Parliament all stress the importance to interpret to notion as
wide as possible: “The Commission's original proposal explained that "as in Convention 108, a
broad definition is adopted in order to cover all information which may be linked to an individual".
The Commission's modified proposal noted that "the amended proposal meets Parliament's wish that
the definition of "personal data" should be as general as possible, so as to include all information
concerning an identifiable individual", a wish that also the Council took into account in the common
position”[19]. The data may concern not only texts, but also images, sounds and even
radiofrequencies (such as those used in RFID-applications). In recital 27 it is stated that the Data
Protection Directive aims specifically at “new technologies” which allow for “easy access to personal
data”. The term "personal data" includes information touching the individual’s private and family life
“stricto sensu”, but also information regarding whatever types of activity is undertaken by the
individual, like that concerning working relations or the economic or social behaviour of the
individual. It includes therefore information on individuals, regardless of the position or capacity of
those persons [19].
The person the data are collected from is the so-called “data subject”. In a healthcare setting, the
data subject will often be the patient involved. In a financial services setting this will most likely be
the client, at least if this client is a natural person. For the latter scenario it is important to stress that
data from clients - legal entities are not protected under the DPD. Additionally the DPD will only
apply when the personal data are related to an identified or -at least identifiable - natural person. This
implies that the personal data can be used to identify a particular person. When the data are rendered
anonymous in such a way that the data subject is no longer identifiable, the DPD will not be
applicable. To determine whether a particular person is identifiable, account should be taken of all
the means likely reasonably to be used to identify the data subject. According to the DPD an
identifiable person is “one who can be identified, directly or indirectly, in particular by reference to
an identification number or one or more factors specific to his physical, physiological, psychological,
economic, cultural or social identity”. An in-depth assessment on the identifiability of the data
processed in the WITDOM financial services and health scenarios will be conducted in D6.2. This
assessment will for example further take into account the Article 29 Working Party’s opinions on the
Concept of Personal Data [18] and on anonymization techniques [20].
2.1.1.1.3.1 The processing of health data

Page 21
Health data are considered to be more particularly sensitive and therefore subject to a higher level of
protection than “normal” personal data. As indicated by the Sopot Memorandum, the processing of
sensitive data via cloud computing raises additional concerns and requires additional safeguards [27].
Therefore ENISA for example recommends for sensitive applications to use private and community
clouds. These types of untrusted domains “offer the highest level of governance, control and
visibility”.
In principle, the DPD prohibits the processing of any “data concerning health” (hereinafter: “health
data”). This prohibition applies to all personal data which have “a strong and clear link” with the
description of the health status of a person and will include genetic data. A holiday picture of a
disabled person in a wheelchair e.g., is not to be qualified as health data, since the picture does not
have a direct connection or link with the person’s health, not even when this condition is clearly
genetic of nature. They are considered to be personal data only “revealing” health, not “concerning”
health. But, all data contained in an electronic genetic record should be considered as “health data”
since they do have a strong and clear link with the health status of the person [21].
Consequently third-party providers of distributed data processing operations are – as much as any
other person processing personal data - subject to privacy and data protection regulations. They are
subject to European regulations if they are storing personal data or processing these data in any other
way and .
2.1.1.1.3.2 The processing of financial data
In the financial services scenario we are confronted with a different issue: financial data – although
often experienced as highly secret and sensitive, are definitely not qualified as sensitive data.
Moreover, the question needs to be asked whether they can at all be protected under the regime for
normal personal data?
2.1.1.1.4 The different actors
Before setting up information distribution scenarios, it is most important to identify the different
actors in the project. In accordance with the DPD, the three most central actors are the data subject,
the controller and the processor.
 The data subject and the controller have already been discussed above.
 The processor is defined in article 2 (e) of the DPD as “the natural or legal person, public
authority, agency or any other body which processes personal data on behalf of the
controller”. This processor is always an external person or organization and could be a third
party - service provider.
Following the Article 29 Working Party’s opinion, “the first and foremost role of the concept of
controller is to determine who shall be responsible for compliance with data protection rules, and
how data subjects can exercise the rights in practice. In other words, to allocate responsibility” [23].
The processor, who is acting only on instructions from the controller, will naturally have less
responsibilities than the controller himself. The controller stays liable for most of the data protections
obligations that have to be met under the DPD. If the data processing of a controller is carried out by
a processor, all liability issues have to be governed by a contract or legal act binding the processor to
the controller [22].
In cloud based scenarios or chain processing the qualification of the roles of the different actors is an
issue which was addressed by the Article 29 Working Party in its 2012 opinion [18]. Although at first
sight the cloud client may not be in a very strong position due to the lack of transparency as described
in the paragraphs above, the Working Party does stress the cloud client’s responsibilities and
considers the cloud client as data controller. The Working Party explains that it is the cloud client

Page 22
who determines the outsourcing of his processing activities to an external (cloud based) organization.
Consequently the controller must choose a cloud provider that guarantees compliance with data
protection legislation. The cloud provider is the entity that provides the cloud computing services in
various forms. Since he is providing the means and the platform and acting on behalf of the cloud
client, he is considered data processor. This is different in the exceptional situation where the cloud
provider may re-process some personal data for its own purposes. In such a case the cloud provider
had full or joint responsibility for compliance with data protection requirements. In all other cases
where the cloud provider cannot be considered (co-)controller, cloud providers have as a processor
the duty to ensure confidentiality and to adopt security measures in line with the EU legislation.
Processors must furthermore also support and assist the controller in complying with data subjects’
rights [18]. When cloud providers collaborate with subcontractors they furthermore need to apply all
relevant obligations through contracts. These obligations should not only reflect legal requirements,
but naturally also the stipulations of the contract between cloud client and cloud provider.
Additionally the Article 29 Working Party advices for processors to only work with subcontracts if
they have the informed consent from the cloud client/data controller to this end [18].
2.1.1.1.5 Four Data Quality Principles
1. The transparency principle
The transparency principle relates to the obligation of every controller to give a minimum of
information about the data processing and its purposes, to the data subject prior to the collection of
the data. The transparency principle thus implies that all personal data must be processed “fairly”.
This means, e.g., a transparency level must be guaranteed to the data subject at every stage and every
moment of the data processing, especially when collecting the data. The provided information should
allow for the data subject to make a risk analysis of his data being processed and to choose whether
or not he wants to participate in the project.
“Fairly” processing also means that the personal data cannot be stored any longer than necessary for
the purposes for which the data were collected. This implies that restricted retention periods for the
data storage have to be taken into account. On the other hand it should be taken into account that
(national) sector regulations may require a minimum and / or maximum retention period. On
European level this is for example the case in the telecommunications sector under the ePrivacy
Directive [7]. On national level some countries foresee a minimum retention period for health data in
order to ensure continuity of care and for reasons related to professional liability. Within the financial
services sector national legislations provide also in the obligation to retain certain customer data for
law enforcement purposes or for the matter of legal evidence. These national sectorial laws will be
further investigated in D6.2.
2. Proportionality principle
Secondly, the processing of personal data must always be adequate, relevant and not excessive in
relation to the purposes for which the data are collected and/or further processed. As a consequence,
it is not allowed to process personal data “en bloc”, but a selection will have to be made based on the
relevance of the data for the purposes for which the data are processed.
The patient’s wish for privacy is often related to the degree of data sensitivity. Depending on that
degree, the collected data can be divided into three main data categories: (1) the administrative data,
(2) the data accessible for all service providers and (3) the data only need to be accessible by a
specific person with a closer patient- or client-relationship.
Additionally, the data need to be processed in an accurate way. This obliges the service provider to
permanently manage the quality of the collected data including taking every reasonable step to keep
these data up-to-date and to ensure that data which are inaccurate or incomplete, with regard to the

Page 23
purposes for which they were collected or for which they are being further processed, are erased or
rectified.
Data accuracy is one of the most important issues when exchanging processing and storing data,
especially in the scenario’s chosen by WITDOM: health and financial services. Therefore, also the
appropriate technical and organizational measures have to be taken to protect the data against
accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in
particular where the processing involves the data transmission over a network.
3. Finality principle
Thirdly, personal data can only be collected for “specified, explicit and legitimate purposes”. These
purposes have to be set out before initiating the data processing. When data are further processed in a
way incompatible with the initial purposes, this will be considered illegitimate [23].
In order to determine whether or not further data processing is compatible with the initial purposes,
consideration has to be taken of the data subject’s reasonable expectations regarding the initial
purposes and the legal or other regulations restricting these purposes. What is considered reasonable
will very much depend on the case-by-case situation and may be very different in a health scenario or
a financial services scenario. Particular attention will therefore be paid to this issue when further
assessing both scenarios in D2.2.
However, next thereto it should not be forgotten that further processing of data for historical,
statistical or scientific purposes shall never be considered as incompatible, provided that the member
state involved cares for appropriate safeguards. This means exceptions are allowed to this general
prohibition, but under the DPD one has to rely on national law.
When using data for research it is therefore crucial to distinct between research as the primary
purpose of the data processing or research as the so called secondary purpose of data processing.
Under the current Data Protection Directive primary processing is harmonized in the EU, but
secondary processing is still largely subject to national law. In light of the upcoming Data Protection
Regulation it is however uncertain if this will continue to be the case as Europe is looking for more
harmonization.
4. Lawfulness principle
Finally, the personal data need to be processed in a “lawful” manner. Personal data are “lawfully”
processed when it complies with the legal framework applicable in the context of the data processing,
in the case of WITDOM a hospital and financial services setting. As a consequence, the processing
will be considered “unlawful” whenever a legal provision is not complied with. In that case, a data
subject will be able to go to court.
Furthermore, the purposes of the data processing have to be “legitimate”. The data processing is in
other words, not permitted without a legitimate basis.
The legitimate bases to process normal data can be found in article 7 of the DPD:
 the data subject has unambiguously given his consent;
 processing is necessary for the performance of a contract to which the data subject is party or
in order to take steps at the request of the data subject prior to entering into a contract; or
 processing is necessary for compliance with a legal obligation to which the controller is
subject; or
 processing is necessary in order to protect the vital interests of the data subject;
 processing is necessary for the performance of a task carried out in the public interest or in the
exercise of official authority vested in the controller or in a third party to whom the data are
disclosed ; or

Page 24
 processing is necessary for the purposes of the legitimate interests pursued by the controller
or by the third party or parties to whom the data are disclosed, except where such interests are
overridden by the interests for fundamental rights and freedoms of the data subject which
require protection under Article 1(1).
The legitimate bases to process health data (for example in a genetic health record) can be found in
article 8 of the DPD:
 the data subject has given his explicit consent to the processing of his health data; or
 the data processing is necessary for the purposes of carrying out the obligations and specific
rights of the controller in the field of employment law in so far as it is authorized by national
law providing for adequate safeguards; or
 the data processing is necessary to protect the vital interests of the data subject or of another
person where the data subject is physically or legally incapable of giving his consent; or
 the data processing is carried out in the course of its legitimate activities with appropriate
guarantees by a foundation, association or any other non-profit-seeking body with a political,
philosophical, religious or trade-union aim and on condition that the processing relates solely
to the members of the body or to persons who have regular contact with it in connection with
its purposes and that the data are not disclosed to a third party without the consent of the data
subjects; or
 the data processing relates to data which are manifestly made public by the data subject or is
necessary for the establishment, exercise or defense of legal claims; or
 the data processing is required for the purposes of preventive medicine, medical diagnosis, the
provision of care or treatment or the management of health-care services, and where those
data are processed by a health professional subject under national law or rules established by
national competent bodies to the obligation of professional secrecy or by another person also
subject to an equivalent obligation of secrecy.
Please note that for reasons of substantial public interest, an EU member state may lay down
additional exceptions (either by national law or by decision of the supervisory authority), as long as
these exemptions are subject to the provision of suitable safeguards.
2.1.1.1.6 Trans border data exchange
The goal of the DPD is to stimulate the free flow of personal data, but with the right protection. The
transfer of data for internal market purposes within the EEA is free. All Member States are bound by
the same minimum rules, specified in the DPD.
When transferring data to countries outside of the EEA a different set of strict regulations comes into
play. In the context of WITDOM this is an important aspect of data protection because for example
cloud environments often build on data centers spread worldwide. Following EU law WITDOM
scenarios will have to take into account an additional set of legal requirements when storage of and
computation on personal data cannot be restricted to the EU.
In case of third country transfers the DPD distinguishes between three different legal bases:
 Transfer to a country that has been recognized by the EU as to offer “adequate protection”.
According to article 25 (1) DPD the EU Commission is competent to assess the level of data
protection in foreign countries through adequacy findings (Rights, 2004). In order for
countries to be given this qualification, the EU assesses all circumstances surrounding data
transfer operations and consults with the Article 29 WP on its findings. The EU Commission

Page 25
has for example decided that Canada, Switzerland and Argentina are offering such an
adequate level of protection3
.
It should be noted that the United States are not considered to offer an adequate level of
protection. In order for data transfers to be allowed to the US, the US recipient needs to be
“Safe Harbor” certified. Joining the Safe Harbor scheme requires compliance with the Safe
Harbor principles and those are comparable to the data protection principles under the Data
Protection Directive (Van Eecke, 2010).
 When the third country personal data are transferred to a country that does not offer adequate
protection, adequate safeguards can still be enforced through contractual model clauses or
Binding Corporate Rules. Model clauses issued by the EU Commission can be adopted
between the sender and the recipient of personal data, controller to controller or controller to
processor transfers (Van Eecke, 2010). Binding Corporate Rules can be adopted by a
corporate group in order to allow data transfers within the group.
- Standard Model clauses were developed by the European Commission with assistance
from the Article 29 Working Party. It is up to the data-exporting controller and the
third-country recipient to agree and sign these clauses. Other clauses can also be
formulated by the contracting parties, but they need to provide the same level of
protection as the standard clauses.
- The procedure for adopting Binding Corporate Rules (BCR) is much more
complicated. In order for BCRs to be adopted, they must be approved by the
appropriate national data protection authorit(y)ies. Once approved the BCR creates a
“safe haven” within the corporate group for free data flow. Transfers outside of the
group are not covered by the BCR.
 Finally free data transfer can also occur when one of the following exceptions is applicable:
- The data subject has given unambiguous consent to the data transfer;
- The data transfer is necessary for the performance of a contract between the data
subject and the controller or the implementation of precontractual measures taken in
response to the data subject’s request
- The transfer is necessary for the conclusion or performance of a contract concluded in
the interest of the data subject between the controller and a third party
- The transfer is necessary or legally required on important public interest grounds, or
for the establishment, exercise or defence of legal claims
- The transfer in necessary in order to protect the vital interests of the data subject
- The transfer is made from some public register (Van Eecke, 2010).
Since this list is an exhaustive list of exemptions, they need to be interpreted restrictively. The Article
29 WP stressed that this is especially important with regard to the exemption for data subject’s
consent. The Working Party stressed that the general rules on the legal significance of consent also
applies here (Rights, 2004). If for example the consent cannot be regarded free, this is an issue.
Given the importance of third country data transfer in cloud based scenarios, this topic will be subject
of further analysis in D6.3. In D6.3 it will be studied how WITDOM solutions should deal with the
distribution of personal data over several databases – cloud-based or not cloud-based – in different
locations. Since especially in public clouds the exact destination of certain pieces of information may
be unknown or unpredictable, this might be troublesome for the storage of personal data, especially
3
A full list of countries can be found at: http://ec.europa.eu/justice/data-protection/document/international-
transfers/adequacy/index_en.htm.

Page 26
sensitive data. To determine the applicability of the current Data Protection Directive article 4 of that
directive refers to the law applying to controllers with one or more establishments within the EEA
and to the law applying to controllers who are outside the EEA but use equipment located within the
EEA to process personal data [18]. Consequently, “if a cloud client is established outside the EEA,
but commissions a cloud provider located in the EEA, then the provider exports the data protection
legislation to the client” [18]. When data are transferred to cloud providers not subject to the Data
Protection Directive, it is the data controller – cloud client responsible for choosing a cloud provider
providing adequate safeguards. Opinions of the Article 29 Working Party, together with progress in
the reform of the data protection legal framework in the EU (General Data Protection Regulation,
Convention 108, but for example also Umbrella agreements and FAIR principles) are deemed to be
of crucial importance in this regard.
2.1.1.2 The General Data Protection Regulation
The Data Protection Directive dates from 1995 and was thus written at times where only 1% of all
telecommunicated information was carried over the Internet. Today, that figure has risen to about
97%. Consequently, it is no surprise the DPD was in high need of a review. When launching the
Proposal for the General Data Protection Regulation commissioner Reding said: “Technological
developments are welcome drivers of innovation, growth and jobs creation. However, technological
changes also bring about new regulatory challenges.”, “Our data races from Munich to Miami and to
Hong Kong in fractions of a second. In this new data world, we all leave digital traces every moment,
everywhere”. “Personal data”, Reding continued in her speech, “is the currency of today’s digital
market. And like any currency it needs stability and trust. Only if consumers can ‘trust’ that their data
is well protected, will they continue to entrust businesses and authorities with it […]” (Reding, 2012).
In the light of this evolution and these findings the DPR aims to enhance opportunities for companies
that want to do business in the EU’s internal market, while ensuring a high level of protection for
individuals.
As indicated above the Regulation mostly confirms the Directive’s general principles of lawful
processing and will not touch upon the original backbone. However, some significant changes
important for WITDOM are listed below.
2.1.1.2.1 Regulation
If adopted, the switch in regulatory instrument from a Directive to a Regulation is the most
significant change. The instrument of Regulation is considered to be the most appropriate European
legal instrument to increase harmonisation and decrease legal fragmentation. In fact a Regulation is
directly applicable to Member States, while a Directive needs to be implemented – kind of translated
– into national law. The Explanatory Memorandum to the proposal states that by opting for the legal
form of a Regulation the EC hopes to “reduce legal fragmentation and provide greater legal certainty
by introducing a harmonised set of core rules, improving the protection of fundamental rights of
individuals and contributing to the functioning of the Internal Market”. In the information package
released by the European Commission it is exemplified that: “By implementing a single set of rules
on data protection, valid across the EU, thereby replacing the current patchwork of national rules in
27 Member States, increasing legal certainty and making it easier to trade and do business in Europe's
Single Market. This will lead to a net saving for companies estimated to amount to €2.3 billion a
year. By simplifying the regulatory environment by cutting red tape and abolishing formalities such
as general notification requirements for companies, saving businesses around €130 million a year”
[17]. For WITDOM it is encouraging that the legal framework would become more harmonised over
Europe as this simplifies the adoption of the WITDOM system in different Member States.

Page 27
2.1.1.2.2 Security of the data processing: data protection and data Privacy-by-Design
With the proposal for a General Data Protection Regulation comes reinforced attention for security.
Security is very high on the European agenda and this can be noticed in multiple legislative
proposals, amongst which the Proposal for a Network and Information Security directive (NIS-
Directive) which will be discussed later. Privacy-by-Design is a paradigm converging and
complementary to Security-by-Design Ann Cavoukian said. Like Security-by-Design, Privacy-by-
Design proposes that privacy properties should be taken into account and enforced since the early
phases of the development lifecycle of a software/hardware system (Cavoukian & Chanliau, 2013).
The article 29 Working Party specified that the introduction of Privacy-by-Design as a general
principle should be considered an extension of the current rules on organizational and technical
security measures [8].
The General Data Protection Regulation introduces the concepts of data protection by design and
data protection by default to ensure an adequate level of data security. Following these principles
data protection safeguards should be built into the technical architecture, services and products from
the earliest stages of development and privacy-friendly default settings should be the norm.
According to Cavoukian privacy aware design has many benefits as it overcomes the dilemma of
privacy versus functionality of an architecture, it ensures end-to-end security and it empowers users
in a transparent way. Data protection by default is complementary to data protection by design since
it requires a minimum standard of protection to be “on” in the pre-set functionalities of a specific
architecture or system (Cavoukian & Chanliau, 2013). Article 23 (2) of the proposal states: “the
principle of data protection by default requires privacy settings on services and products which by
default comply with the general principles of data protection, such as data minimisation and purpose
limitation”.
In the PRIPARE project [9], which studied privacy by design in research, researchers emphasised
that the Proposal for a General Data Protection Regulation mainly cares about lifecycle data
protection management: “it envisages a sustainable data management framework which is
complemented by comprehensive compliance mechanisms” (McDonnell & et.al)4
. It is therefore
important to evaluate potential risks to data protection at every stage of the data processing activities:
 before start of the processing operation;
 when defining the means to be adopted for the data processing operation;
 during the actual process of data processing;
 when the data process operation has ended.
2.1.1.2.3 Data processor and controller’s responsibility and liability
The data processor – data controller role delineation has become of a more complex kind over the last
few years due to intensified cooperation between several parties when processing data. The decisions
of the goals and the means of data processing cannot always easily be attributed to one distinct party.
In article 4, (5) and (6) the proposal for Regulation now allows for co-controllership. The controller
is the person who “alone or jointly with others” decides about the purposes and conditions of the data
processing and the means used. Consequently a party can only be qualified as a processor when he
processes data “on behalf of” the data controller(s) and does himself not decide about the purpose,
conditions or means.
Next to the clarification in article 4, the DPR also proposes changes to the established responsibilities
and liabilities of the controller(s) and processor(s). First of all Article 5, (f) states that personal data
4
see also recital 61 of the Proposal for a General Data Protection Regulation.

Page 28
must be “processed under the responsibility and liability of the controller, who shall ensure and
demonstrate for each processing operation the compliance with the provisions of this regulation”. By
including this explicit provision, the Commission intends to establish a comprehensive responsibility
and liability of the controller.
But, the introduction of the accountability principle in Article 22 is even more important. Article 22
states: “The controller shall adopt policies and implement appropriate measures to ensure and be
able to demonstrate that the processing of personal data is performed in compliance with this
Regulation”. In 2009 and 2010 the Article 29 Working Party already advised the Commission on the
inclusion of the accountability principle in the data protection reforms in order to “move data
protection from “theory to practice”” [24][25]. “A statutory accountability principle would explicitly
require data controllers to implement appropriate and effective measures to put into effect the
principles and obligations of the Directive and demonstrate this on request. In practice this should
translate into scalable programs aiming at implementing the existing data protection principles” the
Article 29 WP summarised its view [25].
More concretely article 22 – depending on the specific situation - obliges the controller for example
to:
 keep documentation of all processing activities under his responsibility. This must for
example describe the details of all the parties involved in the data processing operation, the
purpose of the data processing operation, time limits, transfers to third countries,… ;
 implement data security requirements to technically and organisationally ensure an
appropriate level of security;
 perform a data protection impact assessment detailing the possible impact on data subjects;
 comply with the requirements for prior authorisation or prior consultation of supervisory
authorities
 designate a data protection officer.
By introducing the accountability principle in such a general and detailed way, the proposed
regulation it becomes crucial for the controller(s) to also demonstrate that their processing operations
take into account the newly introduced concepts of privacy by design and data protection by default.
Finally article 31 introduces a data breach notification for incidents with personal data. A comparable
duty to notify data breaches is introduced by the proposal for NIS Directive. This will be discussed
later.
2.1.1.2.4 Transparency
The transparency principle is highlighted several times in the Proposal for General Data Protection
Regulation. In article 5 a general statement is made indicating that “personal data must be processed
in a transparent manner in relation to the data subject”. But it is accompanied by article 11
“Transparent information and communication”. Article 11 first of all obliges the controller to have
transparent and easily accessible policies for the exercise of data subject’s rights. Next thereto it
points out the need to provide all information and communications relating to the processing of
personal data to the data subject in an intelligible form, using clear and plain language. This is one of
the means by which the Regulation tries to strengthen the data subject’s role in data processing
operations.
Transparent communication and the strengthening of the data subject’s right to access has proven to
be crucial in the data subject’s chances to enforce his fundamental rights to data protection, non-
discrimination and others. In the joined cases C-141/12 and C-372/12 of the Dutch Ministry for
Immigration, Integration and Asylum the European Court of Justice reconfirmed this. In paragraph
44 the Court stresses that “the protection of the fundamental right to respect for private life means

LEGAL-ETHICAL FRAMEWORK

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (17)

Ähnlich wie LEGAL-ETHICAL FRAMEWORK

Ähnlich wie LEGAL-ETHICAL FRAMEWORK (20)

LEGAL-ETHICAL FRAMEWORK