Data security and multi-factor authentication: Analysis of requirements under EU law and in selected EU Member States

https://doi.org/10.1016/j.clsr.2015.12.004

Abstract

Ensuring the security of personal data, particularly in terms of access controls, is becoming progressively more challenging. The most widely deployed authentication method, a user name plus a password, increasingly appears to be unfit-for-purpose. A more robust technique for maintaining the security of personal data is multi-factor authentication whereby two or more different types of credential are required. This approach is gaining traction, and in the European Union, some national data protection authorities are already recommending the use of multi-factor authentication as a means of complying with the obligation in the EU Data Protection Directive to take “appropriate technical and organisational measures to protect personal data”. A proposal to replace that Directive with a General Data Protection Regulation is at an advanced stage in the EU legislative process with enhanced data security a central feature of the proposed reform.

This article examines how the proposed Regulation would be likely to change the standard for data security both in general terms and in specific ways that might have an impact on the use of multi-factor authentication. Other sources of EU guidance are also considered, together with the position under the national laws and regulatory practices of six EU Member States.

Introduction

This article considers certain legal requirements relating to data security in the EU, and specifically the use of multi-factor authentication as a method of meeting the security obligations established by European Directive 95/46 EC on the processing of personal data (the “Directive”). Following this Introduction, the article comprises two sections: a discussion of the requirements of data security under European data protection legislation and a study of selected national positions. This article is an abbreviated version of a more detailed report which contains an Annex setting out in greater detail the position in each of the six EU Member States that are covered by this survey.

For the purposes of this article, multi-factor authentication, which includes two-factor authentication, is defined as follows:

A method of authentication which requires the user to have a combination of at least two out of the following three types of credentials:

  1. something you know (e.g. username, password, or PIN number);
  2. something you have (e.g. a token such as an ATM card reader or one-time verification code which does not require a token); and
  3. something you are (e.g. biometric information like a fingerprint).
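The definition above can be made concrete by checking two credentials of different types in one login decision. The following Python is an added example written for this page, not code from the article or from any of the authorities it surveys; it combines a password (something you know) with a time-based one-time code of the kind generated by an authenticator app (something you have), using only the standard library. The user record, password and shared secret are constructed for the example.

```python
"""Added example: verifying two factors of different types.

Factor 1, "something you know": a password checked against a salted PBKDF2 hash.
Factor 2, "something you have": a time-based one-time code (RFC 6238 TOTP)
derived from a secret held on the user's device.
Every secret and record below is constructed for illustration only.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ITERATIONS = 200_000
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def make_password_record(password: str) -> tuple[bytes, bytes]:
    """Return (salt, hash) for storage; the plaintext password is never stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Factor of type 'something you know'; constant-time comparison of hashes."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, stored)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** TOTP_DIGITS)).zfill(TOTP_DIGITS)


def verify_totp(secret: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Factor of type 'something you have'; tolerates +/- one step of clock drift."""
    for step in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret, unix_time + step * TOTP_STEP_SECONDS)
        if hmac.compare_digest(candidate.encode(), code.encode()):
            return True
    return False


def authenticate(record: dict, password: str, code: str, unix_time: int | None = None) -> bool:
    """Succeed only when both factors, of different types, verify."""
    if unix_time is None:
        unix_time = int(time.time())
    know_ok = verify_password(password, record["salt"], record["pw_hash"])
    have_ok = verify_totp(record["totp_secret"], code, unix_time)
    # Both factors are evaluated before deciding, so a failed password does not
    # short-circuit and reveal through timing which factor was wrong.
    return know_ok and have_ok


if __name__ == "__main__":
    # Constructed enrolment: a password record plus a device secret
    # (the RFC 6238 reference secret, used here so the codes are reproducible).
    salt, pw_hash = make_password_record("correct horse battery staple")
    user = {"salt": salt, "pw_hash": pw_hash, "totp_secret": b"12345678901234567890"}
    now = int(time.time())
    print("login with both factors:", authenticate(user, "correct horse battery staple", totp(user["totp_secret"], now), now))
    print("login with password only:", authenticate(user, "correct horse battery staple", "000000", now))
```

The design point is that the second factor is verified from a secret the server never receives in the clear, and that the login decision is a conjunction of independent checks; a leaked password alone therefore does not satisfy `authenticate`.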

The focus of this article is on the legislative data security requirements and how multi-factor authentication may facilitate compliance with these obligations. We do not evaluate or comment on the effectiveness of multi-factor authentication as a security measure more generally. This article will not consider industry guidance and use of multi-factor authentication in specific sectors,1 or the obligations of the data controller and data processor when a breach of security has occurred. At the date of writing, no final text of the General Data Protection Regulation (the “Regulation”) has been adopted. Therefore, this article will refer separately to the texts of the Draft General Data Protection Regulation (the “DGDPR”) adopted by the EU Commission,2 EU Parliament,3 and the General Approach of the Council of the European Union.4 The transfer of personal data to third countries and related obligations as to data security will not be considered in this article. However, the provisions in Chapter V of the DGDPR on such transfers will be relevant for entities wishing to transfer data outside of the EU.

In the six Member States considered in this article, most national Data Protection Authorities (“DPAs”) have issued guidance on the data security obligations of the Directive. Overall, for non-sectoral data protection, multi-factor authentication is not required to comply with the data security obligations; however, some identify multi-factor authentication as a method which may be used to comply. The position is slightly different in issued sectoral guidance. In three of the Member States surveyed,5 compliance with industry standards is advised for the purposes of data security, and in many of these countries, multi-factor authentication methods are mandated as part of the industry standards. This suggests that some DPAs are already predisposed to suggest multi-factor authentication as a means of complying with the data security obligations despite the comparatively open requirements of the Directive. Notably, where a form of multi-factor authentication is mentioned, it is generally “two-factor authentication” and not “multi-factor authentication” which is referred to. This suggests that currently none of the relevant DPAs consider the use of three credentials necessary for authentication to comply with the Directive, but this may change as security threats and technologies evolve.

The Directive and the DGDPR both contain specific provisions detailing data security obligations which require the implementation of appropriate technical and organisational measures. On the whole, however, the DGDPR arguably mandates higher security requirements for personal data than the Directive. This is consistent with one of the DGDPR's main aims, which is to “strengthen privacy rights”.6 The DGDPR seeks to achieve this through various provisions which increase the “responsibility” and “accountability” of those processing personal data,7 including a right to erasure8 of personal data (right to be forgotten and to erasure),9 more prescriptive obligations regarding data security,10 data breach notifications,11 data protection by design and by default,12 and data protection impact assessments.13 Although the obligation to notify data breaches is not examined in this article, the indirect effect of this provision for data security standards may prove to be significant as the mandatory14 notification of breaches of personal data may encourage the pre-emptive adoption of more robust security measures for processing personal data.15 This notification procedure is likely to increase the risk of reputational damage ensuing from a security breach. Moreover, the very substantial penalties envisaged under the DGDPR are likely to incentivise compliance generally, and specifically are likely to result in Data Controllers and Data Processors taking their data security obligations more seriously. At least from the Commission's text, breaches of the data security obligations would trigger the highest level of fines. Overall, the DGDPR is likely to lead to an upwards trend in security benchmarks particularly where security methods are readily available at non-commercially prohibitive prices. Such security benchmarks will remain dynamic to keep pace with advances in security technologies and techniques. In broad terms, the increased adoption of multi-factor authentication would be consistent with this upward trend.

In particular, the DGDPR goes further than the Directive in specifying what the ‘data controller’ should consider when determining what technical and organisational measures would be appropriate. “Data Controller” means a natural or legal person who alone or jointly with others determines the purposes, conditions, and means of processing personal data. Prima facie, the three texts of the DGDPR do not prescribe the forms of security measures which must be adopted to comply with the data security obligations. This finding accords with one of the key rationales of the reform which is to ensure technological neutrality.16 “Technological neutrality” is not defined in the DGDPR. The three texts of the DGDPR specify that “the protection of individuals should be technologically neutral and not depend on the techniques used”. Thus, specific technologies are not mandated. However, the use of the word “techniques” is ambiguous, and it is unclear whether multi-factor authentication constitutes such a “technique”.

More generally, technology neutrality is often a vague concept.17 In the context of other areas, the result of its application to particular technologies is opaque.18 Further clarification is required on precisely what is meant by technology neutrality under the DGDPR. In principle, the method of multi-factor authentication is technologically neutral as no technology is inherently specified in the definition of “multi-factor authentication”. In practice, much will depend on (1) the final definition of technology neutrality under the Regulation; and (2) how provisions for multi-factor authentication methods are expressed pursuant to the Regulation. As multi-factor authentication is not standardised, issues of interoperability have also to be considered. Overall, it cannot be said that multi-factor authentication is a base-line requirement for compliance under the DGDPR. However, unlike under the Directive, the provisions relating to data security in the DGDPR are not the sole source of data security obligations.

The introduction of data protection by design and by default may result in a different outcome.19 Their inclusion in the Regulation would likely raise the overall “base-level” for security measures. Although the security measures adopted can still be linked to the risks and costs of implementation,20 to comply with data protection by design, and more particularly by default, a certain level of security (higher than currently required) will most likely be necessary. This could diminish the distinction currently made in guidance from some DPAs regarding assessment of levels of security risk and what measures are appropriate for addressing each level. The introduction of data protection by design and by default has an impact on the security obligations of both the Data Controller and any ‘data processor’. “Data Processor” means a natural or legal person who processes personal data on behalf of the Data Controller. Under the DGDPR, impact assessments are required where data processing is seen to be a “specific risk”21 or “high risk”.22 It would seem that a Data Controller or Data Processor cannot fully estimate whether such a risk is present without undertaking a data impact assessment. Guidance from many of the DPAs already recommends that “risk assessments” be carried out before data are processed. Although not necessarily an explicit recognition of the concept of data protection by design, the effect is very similar. Some DPAs already explicitly require the Data Controller to have regard to data protection/privacy by design (presumably picking up on Recital 46 of the Directive).23 The guidance issued by these DPAs goes further than the terms of the Directive. Under the DGDPR, the threshold for carrying out an impact assessment is effectively lowered as the prudent Data Controller and Data Processor will likely carry out such assessments even if a specific risk is not obvious.

Guidance from two of the DPAs24 reviewed formally categorises security standards into three levels of risk: basic, medium, and high, while others refer to “high risk” situations without such formal categorisation.25 DPAs are more likely to require the use of multi-factor authentication when the security risk is high.26 If the final text of the Regulation implements effectively the principle of data protection by default, this would probably mean that a high level of security settings should be pre-set on relevant products and services. This would be consistent with current DPA guidance stating that multi-factor authentication methods are a way of meeting the new obligation of data protection by default. All three texts of the DGDPR try to balance the need for certainty with the requirement for flexibility. For example, the DGDPR requires data protection both by design and by default, but allows consideration of the specific circumstances of data processing. Another example of this tension is the level of specificity detailed in the DGDPR regarding the means of complying with the data security obligations.

Although multi-factor authentication methods are not mentioned in the primary legislation, the DGDPR envisages a number of secondary rules that will establish further requirements and measures for complying with the legislation. The relevant secondary rules under the three texts of the DGDPR have two main aims: (1) to provide specificity as to the types of security measures and risk scenarios enshrined in the DGDPR;27 and (2) to provide means of complying and demonstrating compliance with the obligations of the DGDPR.28 It is possible that multi-factor authentication or analogous measures could be specified within these secondary rules. Currently, the three texts of the DGDPR provide for secondary rules to be adopted in a large number of contexts. Not all will be included in the final Regulation as many are alternatives to each other. Moreover, it must be borne in mind that the DGDPR is intended to be technology neutral.29 Therefore, whether multi-factor authentication as specified in secondary rules complies with the requirement for technological neutrality will depend on: the exact form of drafting included; whether alternative solutions are also provided for; and whether implementation is commercially prohibitive. According to the rationale of the DGDPR, decisions regarding the methods adopted to comply with the security obligations should remain commercial.30 If the secondary rules do not favour a particular implementation of multi-factor authentication, such provisions could be described as according with “implementation neutrality.”31 As multi-factor authentication is not standard and can be implemented in various ways, issues of interoperability must also be considered.32 For example, problems of interoperability could arise if a Data Controller invests in a form of multi-factor authentication which uses tokens and subsequently wishes to change service providers. In light of the current wording of the DGDPR's objective of technological neutrality, it is more likely that multi-factor authentication will be specified in voluntary codes of conduct and guidelines rather than in implementing and delegated acts which would be directly binding. If included in codes or guidelines etc., the use of multi-factor authentication may assist development of technical specifications to assess the appropriateness of security measures depending on the circumstances.

It is worth noting that the current texts of the DGDPR might fail to establish the goal of data protection by default. This is because, instead of raising the level of data security to the highest level as a default, the current proposals would merely require compliance with data protection principles such as data minimisation.33 Moreover, the secondary rules envisaged vary in nature; some would be binding throughout the EU, while others would provide standards which may vary in practice between Member States. Both have advantages and disadvantages for Data Controllers and Data Processors which operate in more than one Member State and for the individuals whose data they process.

Finally, market behaviour may also have an impact on what constitutes an appropriate baseline for security. Even if multi-factor authentication is not mandated, many Data Processors and Data Controllers may offer it anyway if it becomes common market practice to do so. A particular impetus for adoption is likely to arise where use of multi-factor authentication becomes a customary security method in certain sectors or situations. In such circumstances, it may appear that a Data Controller or Data Processor is out-of-step with the rest of the market place if it does not adopt multi-factor authentication.

European position

This section considers the issue of data security at the European level both in the Directive, and in the three proposed texts of the DGDPR. A comparison table giving a high-level summary of the relevant provisions of the three texts can be found at ANNEX 1.

National positions

This section considers the issue of data security at national level, including implementation of Article 17 of the Directive:

Member States shall provide that the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of

Acknowledgement

Elizabeth Kennedy (Researcher) and Christopher Millard (Professor of Privacy and Information Law) are members of the Cloud Legal Project at the Centre for Commercial Law Studies, Queen Mary University of London. The authors are grateful for valuable input regarding the national law positions in France (Maxime Marie Jean Cordier), Germany (Andreas Hänig), the Netherlands (Mireille Van Helm), Poland (Joanna Kawalec), and Spain (Luce Jacovella and David Marrero Blanco). The authors are also
