
amount of time (AT, BG), without transportation (BE), at all reasonable times (IE) or immediately (SE)

Barrier: General confidentiality obligation - prohibition against third party access and/or disclosure
Objective: Ensuring security/confidentiality, and supporting accountability and supervision
Suggested approach: Clarification from national regulators, supervisors and lawmakers that the requirement can be met if substantive access to the contents of financial data is made impossible. Offsite storage should not necessarily be considered as constituting third party access and disclosure.

Barrier: Storage facilities must be within national borders (except when companies are active across borders), except with permission of the tax authority
Objective: Ensuring accountability and verifiability
Suggested approach: Modernisation of the requirement – moving to accessibility requirements rather than storage requirements.

Barrier: Format and method of delivery shall be specified by the tax authority during verifications
Objective: Ensuring accountability and verifiability
Suggested approach: The requirement is not a barrier in practice if there is sufficient clarity on the requirements in relation to timeliness and method of delivery. EU level guidance on this point may be useful to avoid needless national divergences.

Barrier: When new IT systems are introduced, the tax payer must ensure that the old systems remain operative for as long as required to ensure availability under applicable law
Objective: Ensuring accountability and verifiability
Suggested approach: Clarification that old systems need not remain operative if the updated system can provide access to all needed information.
As in the previous chapter, most of the aforementioned objectives aim to ensure the accountability and verifiability of the information. However, the barriers show that a variety of controls are required, or are considered appropriate, to achieve those objectives. Meeting the same objectives through such a variety of controls suggests that greater alignment of those controls at EU level is needed. In addition, there are a few explicit geographical barriers that do not seem to be strictly required to achieve the goal of ensuring the availability and verifiability of the data.
2.3.6 Other data types and barriers
Overview and subtypes of data
As noted above, correspondents were also invited to report on barriers they observed for other types of data, which don’t fall cleanly within any single category, and will therefore be analysed collectively here. These reports referred more specifically to the following types of data:
Figure 17 – Types of barrier observed (other types of barriers)
Country: Austria
Source: Bundesgesetz über die Bundesrechenzentrum GmbH (BRZ GmbH), Federal Act on the Federal Computing Centre (BRZ), original version: BGBl. Nr. 757/1996, latest amendment: BGBl. I Nr. 71/2003; Bundesgesetz, mit dem IKT-Lösungen und IT-Verfahren bundesweit konsolidiert werden (IKT-Konsolidierungsgesetz – IKTKonG), Federal Act on the Consolidation of ICT Solutions and IT Processes (ICT Consolidation Act), original version: BGBl. I Nr. 35/2012.
Restriction imposed on providers / users / data: Users (public sector), providers
Direct or indirect: Indirect
Summary of obligation / restriction: ICT tasks and duties with respect to the development, maintenance and operation (incl. hosting) are assigned by law to the Austrian Federal Computing Centre (BRZ). The statutory duties are listed in Article 2 of the Bundesrechenzentrum GmbH Gesetz. The list includes i.a. IT support in the areas of unemployment, Austro Control (aviation), banking, disabled persons, insurance supervision, health, finance, and others. According to Article 4 of the ICT Consolidation Act, the BRZ has to be used as a subcontractor by governmental bodies before initiating a public procurement process, if its offer is in line with the market.

Country: Bulgaria
Source: Gambling Act, promulgated in State Gazette No. 26/30.03.2012, lastly amended and supplemented by SG No. 1/3.01.2014, effective 1.01.2014, article 6(4).
Restriction imposed on providers / users / data: Gambling service providers
Direct or indirect: Direct
Summary of obligation / restriction: The law states that “The organizer shall have to ensure storing of all data in relation to offering gambling services in the territory of the Republic of Bulgaria, including registration and identification of patrons, wagers made, and winnings paid out. Storing of information shall be on data storage equipment (control local server) located in the territory of the Republic of Bulgaria according to a procedure and in a manner as set forth in the ordinance under para. 1, item 4. The data shall be stored in the way they were created for a term of 5 years after the expiry of the term of limitation for repayment of the public liabilities related to these data.”

Country: Croatia
Source: Zakon o državnoj informacijskoj infrastrukturi, Narodne novine br. 92/2014, Law on the State Information Infrastructure, Official Gazette of the Republic of Croatia no. 92/2014, passed on July 15, 2014, and Regulation on Organizational and Technical Standards for Connecting to the State Information Infrastructure, Official Gazette of the Republic of Croatia no. 103/2015.
Restriction imposed on providers / users / data: Public sector bodies, the ICT sector
Direct or indirect: Direct
Summary of obligation / restriction: According to the Law on the State Information Infrastructure, public registers are stored in data centres that are located on the territory of the Republic of Croatia and that meet the requirements prescribed by the Regulation on Organizational and Technical Standards for Connecting to the State Information Infrastructure (Article 12).

Country: Germany
Source: § 126 III Grundbuchordnung (national federal legislation)
Restriction imposed on providers / users / data: All parties (potential cloud processors) from the private sector and all non-German parties (be it from the private or from the public sector).
Direct or indirect: Indirect
Summary of obligation / restriction: The restriction excludes outsourcing of data processing to any entity other than the state or legal persons under public law (such as the communities). This explicitly excludes all entities from the private sector, and most likely must be read as excluding all entities outside Germany (as public entities of other Member States are not explicitly mentioned, and are systematically not meant by this provision). A fortiori, this should also exclude all cloud providers which are not only processors, but controllers themselves.

Country: Hungary
Source: 2013. évi L. törvény az állami és önkormányzati szervek elektronikus információbiztonságáról, Act L of 2013 on Electronic Information Security of State and Municipal Bodies (“Information Security Act”), adopted by the Hungarian Parliament with effect from 25 April 2013; 2010. évi CLVII. törvény a nemzeti adatvagyon körébe tartozó állami nyilvántartások fokozottabb védelméről, Act CLVII of 2010 on National Data Assets (“Data Assets Act”), adopted by the Hungarian Parliament with effect from 22 December 2010.
Restriction imposed on providers / users / data: All Hungarian and non-Hungarian service providers who may provide cloud services in the governmental sector.
Direct or indirect: Direct
Summary of obligation / restriction: The Information Security Act expressly specifies a list of entities, and requires that any data controlled by these entities can only be operated in an IT system in the territory of Hungary. Such entities are, for example, autonomous administrative bodies (e.g. Public Procurement Authority, Equal Treatment Authority, Hungarian Competition Authority, National Authority for Data Protection and Freedom of Information, National Election Office), ministries, independent regulatory authorities (National Media and Communications Authority, Hungarian Energy and Public Utility Regulatory Authority), public administrative bodies established by an act and directed by the Government (Central Statistics Office, National Office of Atomic Energy, Hungarian Intellectual Property Office, National Tax and Customs Administration), security forces (Police, prison service, civil security services), the State Audit Office, the Hungarian National Bank, Courts and the National Office for the Judiciary, Governmental offices of Hungarian counties and Budapest, etc.
The relevant authority (currently the National Electronic Information Security Authority) may approve that a listed entity transfers the operation of an IT system to another EU Member State. The Information Security Act also provides that specific registries which serve as a fundamental basis for the Hungarian public administration and are considered to be authentic by law (“national data assets” – as defined in the Data Assets Act) can only be processed in an IT system in the territory of Hungary.
For a given registry, the data controller authority (as appointed by law) may not decide freely about the identity of the data processor. Most of the data controllers have to use a specific data processor. In the other cases, the data controllers can decide between either carrying out all data processing themselves or outsourcing it, but if they decide to outsource, the data processor has to be either an administrative body or a fully state-owned company. The Minister for National Development may give individual exemptions.

Country: Netherlands
Source: Ministerie van Binnenlandse Zaken en Koninkrijksrelaties – Kamerbrief over cloud computing, Ministry of Internal Affairs and Kingdom Relationships – Chamber letter on cloud computing, issued by the Minister of Internal Affairs and Kingdom Relationships, M. Donner, on 20 April 2011
Restriction imposed on providers / users / data: The entirety of the national public sector
Direct or indirect: Direct
Summary of obligation / restriction: The letter is an early statement of the Dutch government’s position on cloud computing, announcing its intention to establish a closed national cloud (Rijkscloud), and noting that “a strict requirement is that the data remain in the Netherlands and that security is adequate for all participants, and can be addressed at a level which is acceptable for the selected applications”, and that “in relation to information security, the ‘open’ cloud outsourcing of ICT services, or the storage of information outside the Netherlands, implies risks that cannot yet be appropriately covered.” [14]

Country: Poland
Source: Gaming Law of 19 November 2009, article 16d [15]
Restriction imposed on providers / users / data: Entities which organise betting via the internet
Direct or indirect: Direct
Summary of obligation / restriction: The law requires that “the entity which organises betting via the Internet shall archive all the data exchanged between itself and a participant of betting in real time on a data archiving device located within the territory of the Republic of Poland, including the data which make it possible to determine the course and results of betting and transactions carried out under betting and data necessary to identify a participant of betting.”

Country: Portugal
Source: Decreto-Lei n. 16/93 of 23 January (Decree-Law No 16/93 of 23 January), as amended by Law No 14/94 of 11 May
Restriction imposed on providers / users / data: National and regional archives, private individuals holding classified archive items.
Direct or indirect: Direct
Summary of obligation / restriction: The exchange of classified archive items for items held in other countries which are of exceptional interest for Portuguese cultural heritage requires authorisation by joint order of the ministry to which the item belongs and the ministry responsible for archive policy, after hearing the management body. Exporting classified (or pending classification) archive items requires authorisation from the Minister supervising the archive heritage, if temporary, and also of the Member of the Government to which the item belongs, if definitive. Classified (or pending classification) archive items cannot stay abroad longer than one year, but this period can be renewed for an identical period.

Country: Romania
Source: Law no. 161/2003 on assuring transparency measures in exercising public dignities, functions and in the private sector for preventing and sanctioning corruption (Legea nr. 161 din 2003 privind unele masuri pentru asigurarea transparentei in exercitarea demnitatilor publice, a functiilor publice si in mediul de afaceri, prevenirea si sanctionarea coruptiei)
Restriction imposed on providers / users / data: Public authorities and the operators of the National Electronic System: the General Inspectorate for Information Technology and Communications under the Ministry for Communication and for Information Society for the “e-Government System”, the Ministry for Public Administration for the “e-Administration System” and the authority established by the Supreme Council for State Defence for the national security and defence system.
Direct or indirect: Indirect
Summary of obligation / restriction: Public authorities have the obligation to apply an electronic procedure described in this law for making available public information or services via electronic means. The electronic procedure requires that the transferred documents comply with the criteria set by the National Electronic System (for example, that they be electronically signed, that they be in the format agreed by the system, and that the electronic documents be generated, stored and transmitted as the system establishes).

Country: Romania
Source: Government Decision no. 111/2016 approving the Norms of application of 24 February 2016 on gambling, Articles 2, 127 and 136.
Restriction imposed on providers / users / data: Online gambling providers
Direct or indirect: Direct
Summary of obligation / restriction: The game server is the electronic system made up of the hardware and software on which the game activity takes place and on which the data about this activity is stored. As art. 127 (2) specifies, the main system includes a game server, a registration and identification system for registering and identifying the participant of the game, as well as a system for storing and transferring information for each game session, each registration fee and each payment made by the user. The main system will ensure, on the back-up/safety server, the encrypted, real-time transfer and automated registration of all data requested by the National Gambling Office, identification data of Romanian users, financial data of Romanian users, as well as any transaction made by a Romanian player. Daily/monthly logs will be transmitted to the mirror server, which will allow real-time verification of the licensed gambling operator.
The mirror server is the electronic system made up of hardware and/or software, located at the National Gambling Office or in a tier 2 licensed data centre, which is capable of storing and reporting/exporting logs in compliance with the National Gambling Office order.
The back-up/safety server is the hardware and software system, located at the National Gambling Office or in a licensed data centre, which stores data about Romanian users or about users using Romanian IP addresses, as well as game data and financial transactions on online gambling authorised in Romania, which are transferred according to the technical procedure established by presidential order of the National Gambling Office and without the possibility of modification by the online gambling operator licensed in Romania.

Country: Slovenia
Source: Zakon o varstvu dokumentarnega in arhivskega gradiva ter arhivih (Uradni list RS, št. 30/2006), https://www.uradni-list.si/1/content?id=72425 (English translation not available)
Restriction imposed on providers / users / data: Archives, external providers of services and equipment for storage or processing of archive data.
Direct or indirect: Indirect
Summary of obligation / restriction: Public archive documentation may only be transferred to third countries or other EU Member States if the competent minister consents to such transfer. Outsourcing of storage for archive data to a provider is possible if the provider is chosen under the rules of a public tender and if the provider is accredited by the national archive (Art. 72). The national archive monitors at all times whether a third party provider adheres to the conditions for accredited equipment and services (Art. 86). Inspection supervision of the provisions of this act is in the hands of the Culture and Media Inspection (Art. 75). An inspector has the right to physically access and inspect the premises, spaces and equipment where archived data is stored (Art. 77).

[14] Since this letter was issued, the Dutch government has further developed its cloud strategy; at this point in time it appears that only ‘state secrets’ should be kept at Dutch premises, see Letter of the Ministry of Internal Affairs and Kingdom Relationships (Ministerie van Binnenlandse Zaken en Koninkrijksrelaties), answering Parliamentary questions, of 4 July 2014 (with reference no 2014Z09632, see file:///Users/patriciaypma/Downloads/beantwoording-kamervragen-over-opslag-van-vertrouwelijke-data-door-overheidsorganisaties-en-semi-publiekeinstellingen%20(1).pdf, in Dutch) with regard to the storage by governmental organisations and semi-governmental institutions of confidential data. See also the Strategic Agenda for the Governmental service (Strategische I-agenda Rijksdienst) of 2 December 2016: file:///Users/patriciaypma/Downloads/rapport-strategische-i-agenda-rijksdienst%20(1).pdf (in Dutch). Additionally, since this letter was issued, internal governmental guidelines have been developed to guide governmental authorities in their data storage decisions (use of the Rijkscloud remains possible). These guidelines take as a starting point that decisions on data storage should be judged by the relevant governmental authority on a case-by-case basis, taking into account considerations such as risk assessment and management and data security, which in turn relate to the type of data, the use of data encryption, etc.

[15] After the cut-off point of our data collection under this Study, this requirement was amended by the Polish Gambling Act that entered into force on 1 April 2017 (amending act – “National Journal” 2017, poz. 88, adopted on 13 January 2017). The new wording, now set out in Article 15d paragraph 3 of the Polish Gambling Act, is as follows: “the entity which organises betting via the Internet shall archive all the data exchanged between itself and a participant of betting in real time on a data archiving device located within the territory of the Republic of Poland or a European Union Member State or Member States of the European Free Trade Association (EFTA) - parties to the Agreement on the European Economic Area, including the data which make it possible to determine the course and results of betting and transactions carried out under betting and data necessary to identify a participant of betting”.
Scope of the barrier
The following barriers were reported upon:
Figure 18 - Nature and scope of barrier observed (other types of barriers)
Nature of the barrier: A specific mandate under law or from a specific body is required to access the data
Observed in which countries? PT
Why is this (potentially) a restriction to the free flow of data within the European Union? Imposes a potentially cumbersome requirement on service providers abroad, who may not be aware of the requirement or who may be unable to meet it.

Nature of the barrier: A specific mandate under law or from a specific body is required to export the data
Observed in which countries? PT, SI
Why is this (potentially) a restriction to the free flow of data within the European Union? Imposes a potentially cumbersome requirement on service providers abroad, who may not be aware of the requirement or who may be unable to meet it.

Nature of the barrier: Storage service providers must be authorised by the government
Observed in which countries? SI
Why is this (potentially) a restriction to the free flow of data within the European Union? Foreign providers may not know this requirement and may meet difficulties in observing it.

Nature of the barrier: Control mechanisms (including audits) from the national supervisors may not be hindered
Observed in which countries? SI
Why is this (potentially) a restriction to the free flow of data within the European Union? IT systems established abroad may be more difficult for the regulators to control.

Nature of the barrier: Requirement to use encryption
Observed in which countries? RO
Why is this (potentially) a restriction to the free flow of data within the European Union? Requirements defined at the national level may be hard for foreign providers to know and observe.

Nature of the barrier: Storage facilities must be controlled by a public sector entity
Observed in which countries? DE (real estate registers), NL (national cloud)
Why is this (potentially) a restriction to the free flow of data within the European Union? Geographic limitation by nature.

Nature of the barrier: Designation of a specific legal entity that manages an official database
Observed in which countries? AT, HR, NL
Why is this (potentially) a restriction to the free flow of data within the European Union? Can be interpreted as solely permitting storage / transfer of the data by that specific legal entity.

Nature of the barrier: National technical storage / exchange requirements
Observed in which countries? RO
Why is this (potentially) a restriction to the free flow of data within the European Union? Requirements defined at the national level may be hard for foreign providers to know and observe.

Nature of the barrier: National functional requirements for information processing systems
Observed in which countries? RO
Why is this (potentially) a restriction to the free flow of data within the European Union? Requirements defined at the national level may be hard for foreign providers to know and observe.

Nature of the barrier: Storage facilities must be within national borders, or they may be outside national borders but a copy must be made to a mirror system within national borders
Observed in which countries? BG, PL, RO
Why is this (potentially) a restriction to the free flow of data within the European Union? Geographic limitation by nature.
Most of the requirements are not new or unique, and have been observed for other data types in prior sections of the report. There are, however, two notable exceptions: the requirement for authorisation to export data (in relation to National Archives, which are responsible for the long-term preservation, collection and publication of governmental, cultural and historical records at the national level, and therefore for the protection of national heritage), and the requirement to maintain local systems and/or mirror systems within national borders (in relation to gambling systems). To limit duplication of previous chapters, only these two barriers will be examined further below.