GDPR Exports and Federated Authentication

Although the Article 29 Working Party seem to have had applications such as incident response in mind when drafting their guidance on exports, that guidance could also be helpful in the field of federated authentication. This technology allows an “identity provider” such as a university or college to assure a “service provider” such as a research discussion group, online journal or wireless network:

  • That an individual requesting access to the service is one of its students or staff, and
  • That the identity provider organisation will deal with any reports of misuse by that individual.

This can be achieved with far less release of personal data than if the service provider tried to obtain those assurances itself. Often no more than “yes, it’s one of my students” needs to be released. Under the current Data Protection Directive, the most appropriate legal justification for the processing – and the one that best protects the individual’s interest – is considered to be the legitimate interests of both identity provider and service provider in providing the service the individual has requested. If the service provider was outside the EEA then the minimal amount of personal data involved has suggested that exporting it may represent an acceptable risk, especially to services of high value to research and education.

Under the GDPR, however, the ability of a data controller to self-assess the risk of exporting has been removed: instead, legitimate interest has been added as a reason that may permit exports. Testing common federated access management against the Working Party’s analysis of this provision:

  • Exports are “occasional” or “not repetitive” (p4): i.e. “such transfers may happen more than once, but not regularly, and would occur outside the regular course of actions, for example, under random, unknown circumstances and within arbitrary time intervals”. Although some instances of federated authentication may take place within long-term relationships – for example where a university has a subscription to an academic publisher (here the subscription contract can contain provisions to protect the exported data) – many authentication requests will be ad hoc, to services chosen by the individual user, with which the identity provider has no existing relationship.
  • All other legal grounds must be inapplicable (p15): where an individual needs to access a service for their research or education, it is unlikely that they will be able to give free consent. As above, for some cases a long-term contract between identity provider and service provider will be appropriate, but for many others this would involve far more complexity than the nature of the request justifies.
  • Export must involve only a limited number of data subjects (p16): each export will involve only the minimised personal data of the individual requesting access to the service.
  • Export must be subject to safeguards (p17): the information released will be minimised, in many cases only a pseudonymous identifier, unique to that service provider, will be needed. Federated authentication is conducted within national and international agreements that ensure information can only be used for the purpose of supplying the service to the individual user.
  • Export must balance the interests, rights and freedoms of the individual (p16): Export will only take place at the request of the individual, and involves significantly less personal data, and less risk, than any other way they could obtain access to the service.
  • Individual must be informed of the export (p17): individuals should be informed by services when an access request will be handled outside the European Economic Area.

The final requirement is that the export must serve a “compelling” legitimate interest of the data exporter (the identity provider in this case). Since the alternative will generally be that the user has to create an account directly with an overseas service provider, with no data minimisation or contractual restrictions, regulators should recognise the provision of privacy-protecting authentication services as a compelling interest of organisations that can offer them.

As with incident response, requiring individual notification of individual exports would be highly burdensome; in the federated authentication context it is likely to represent an increased privacy risk, since such a notification may well need to contain more personal data than the authentication transaction itself!

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

Leave a Reply

Your email address will not be published. Required fields are marked *