Legal aspects of eID Dr Patrick Van Eecke Attorney at law (DLA Piper Rudnick Gray Cary) Lecturer (University of London & Solvay Business School)


Authentication

Signature

ID

Use of eID

• Traditional: offline use of visual data

• New: online use of electronic data

• Online identification (web portal)

• Electronic signature

• New: offline use of electronic data

• Offline identification

• Offline electronic signature

eID: good to know

1. Phased roll out of the cards

2. Valid for maximum 5 years

3. Signature function not activated for minors

4. Authentication and signature data not activated if you don’t want it

5. Specific professional groups able to receive eID

6. 24/7 helpdesk

• in case of loss, theft or destruction of the card

• suspension/withdrawal of electronic functions

Two important legal issues

• What happens with the personal data?

• What can I do with those electronic signatures?

Personal data

5 typical questions

1. Who can visually control the ID?

2. Who can control the eID using electronic means?

3. Who can use the NRR number?

4. Who can receive information from the NRR?

5. Who can directly access the NRR?

Legal basis

1. Data Protection Act

• Act of 8 December 1992 (amended by act of 11 December 1998) on the protection of personal data

• Royal Decree of 13 February 2001

2. National Register Act

• Act of 8 August 1983 (amended by act of 25 March 2003)

3. National Identity Card Act

• Act of 19 July 1991 (amended by act of 25 March 2003)

4. Royal Decree of 5 June 2004 on access & correction rights

Which kind of personal data collected?

De visu & Chip

1° the name;

2° the first two given names;

3° the first letter of the third given name;

4° the nationality;

5° the place and date of birth;

6° the sex;

7° the place of issue of the card;

8° the start and end date of validity of the card;

9° the designation and number of the card;

10° the photograph of the holder;

11° the signature of the holder and of the municipal official;

12° the identification number of the National Register.

Chip

1° the identity and signature keys;

2° the identity and signature certificates;

3° the accredited certification service provider;

4° the information needed for the authentication of the card, for securing the electronically readable data on the card, and for the use of the associated qualified certificates;

5° the other entries imposed by law;

6° the main residence of the holder.

See Article 6 & 6bis, RRN Act.

Who has access to the personal data?

• Visual control of the card

• Only obliged to show the card in restricted cases (Legal authorities)

• Art. 1 Royal Decree 25 March 2003 on ID cards

• Electronic control of the card

• Strictly regulated: only by Royal Decree

• See Article 6, §4, ID card Act

• Access to the National Register Database (direct/indirect)

• Strictly regulated (5 groups, clearance by Privacy Commission)

• See Article 5 RRN Act

1. Who can control the eID visually?

Only when obliged by law to provide proof of identity:

1. When requested by the legal authorities

2. With every declaration or demand for official certificate

3. Delivery of summons by bailiff (“huissier de justice”)

4. In general, always when requested to deliver proof of identity

Art. 1 Royal Decree of 25 March 2003 on identity cards

2. Who can control the eID using electronic means?

Strictly regulated: only when allowed by Royal Decree

• Act of 19 July 1991 on identity cards, art. 6, §4:

• “Any automated check of the identity card by optical or other reading methods must be the subject of a royal decree, after the advice of the sectoral committee of the National Register referred to in article 15 of the Act of 8 August 1983 organising a National Register of natural persons.”

3. Who can use the RRN number?

Strictly regulated:

1. Only after authorisation by Sectoral Committee (Privacy Commission) and only for specific groups (cf. art. 5).

2. Exceptions possible by Royal Decree

• Act of 8 August 1983 on the National Register, art. 8

Which groups?

1. Belgian public authorities

2. Public and private entities (Belgium) as to the information they need for fulfilling a task of general interest

3. Natural and legal persons acting as subcontractors of a Belgian public authority

4. Notary public and bailiff

5. Pharmacists

6. Lawyers

4. Who can access the RRN?

Strictly regulated:

1. Only after authorisation by Sectoral Committee (Privacy Commission) and only for specific groups (cf. art. 5).

2. NO exceptions possible by Royal Decree

• Act of 8 August 1983 on the National Register, art. 5

Examples

1. Chamber of Representatives

• Access to NRR

• Decision March 2004: conditions fulfilled

2. V.Z.W. Koninklijke Nationale Kaatsclub

• Use of number for members database

• Decision April 2004: no general interest

3. VZW Nederlandstalige Vrouwenraad

• Women turning 100 years old

• Decision 4 October 2004: no general interest

What are my rights as a citizen?

1. Access right

• to the personal data in the database & on the card (via visualisator, online or via municipality)

2. Correction right

• If information is not correct or incomplete

3. Information right

• All administrations/persons who accessed the personal data during the last 6 months (except legal authorities)

• Free of charge

See Article 6, ID card Act + Royal Decree of 5 June 2004

Electronic signature

• What is an electronic signature?

• What is the legal value of an electronic signature?

• Are electronic contracts allowed?

Legal basis

• E-SIGN Act

• Act of 20 October 2000 on the introduction of telecommunication means and the use of electronic signatures

• CSP Act

• Act of 9 July 2001 to create a legal framework for the usage of electronic signatures and certification services

• National Register Act

• Act of 19 July 1991 (as amended by act of 25 March 2003)

What is an electronic signature?

• From a legal perspective: every alternative for a handwritten signature

• PIN codes

• Biometrics

• PKI

• …


What is the legal value?

• All electronic signatures can be used as an alternative for a handwritten signature, as long as you can prove that the electronic signature corresponds to a transformation of data from which follows with certainty the identity of the author and the integrity of the contents to be signed (art. 1322 CC)

• The ‘qualified electronic signature’ is the only type of signature that will automatically be given the same legal value as a handwritten signature (art. 4, §5 Law 9 July 2001). A qualified signature is an advanced electronic signature based on a qualified certificate and produced by a secure signature creation device.

Europe

• European directive 99/93 on electronic signatures of 13 December 1999.

• Transposed into all EU member states

= Europe-wide legal approach towards electronic signatures

Other countries?

Electronic contracting allowed?

• E-Commerce Act of 11 March 2003

• Art. 16. § 1. Any legal or regulatory requirement of form relating to the contractual process is deemed to be satisfied with respect to a contract concluded by electronic means when the functional qualities of that requirement are preserved […].

• Double strategy:

• Functional equivalency principle (writing, signature)

+

• Analysis and amendment of contradictory laws and regulations within 18 months

• Exceptions (e.g. real estate, family law)

Conclusion

• eID does not operate in a legal vacuum

• eID offers solutions at different levels

• e-government, e-commerce, corporate governance

• Belgium plays a pioneering role on eID

More information

• Website www.fedict.be

• “Gids voor de gebruikers en ontwikkelaars”

• “De elektronische identiteitskaart”

• Website www.rijksregiser.fgov.be

• Book

• P. Van Eecke, “De Handtekening in het recht”, Larcier, 2004, see www.larcier.be

Receive your eID legal package, send me an e-mail

Patrick Van Eecke

+32 (0)2 500.16.30

[email protected]