How to satisfy the data protection regulations in federated identity management?

The EU directive on data protection regulates the release of personal data if the Identity Provider, the Service Provider, or both reside in the EU/EEA. The objective of the directive is the free flow of personal data between the EU countries without infringing the data subject's privacy. The EU directive on data protection is a non-technical issue which any Identity or Service Provider administrator and federation operator needs to be aware of. Still, the directive and its implications are not well understood by technical people. Several kinds of misunderstandings have arisen, such as "you can release whatever attributes if the end user consents to it." The rise of Identity Provider extensions (such as uApprove of Shibboleth) that ask for user consent for attribute release has fed this view. The eduGAIN project of GN3 is aiming at releasing a pan-European interfederation service in April 2011. In the eduGAIN policy design work, a considerable amount of effort is being put into developing a data protection good practice profile which covers the data protection issues in attribute release between an Identity Provider and a Service Provider.



  • Mikael Linden, the Finnish CSC - IT Center for Science

Part of session

Privacy & Governance
