Code of conduct for identification service trust network

Transcription

1 Recommendation Code of conduct for identification service trust network FICORA Recommendation

2 Recommendation 1 (25) Contents 1 Introduction and the purpose of the Code of Conduct Recommendation versions Related legislation Definitions Contracts within the trust network Contracting parties Obligation to conclude contracts Matters falling under the responsibility of the identification service provider and those under a cooperative responsibility of the trust network Identification principles and notification of changes Identification assurance levels Technical interfaces and the minimum contents of identification data Communicating information security incidents, failures, maintenance breaks and modifications within a trust network The situations that shall be communicated Communication practices Processing of disturbance, modification and event data within a trust network Cooperation for examining failures Disturbance notifications to the authority Availability Fees related to accessing the technical array of the trust network Restrictions on the use of devices Use of trademarks Division of responsibilities between contracting parties and liability Responsibilities between contracting parties in identification brokering Responsibility in chaining initial identification Data protection Confidentiality Temporary suspension of identification event brokering Expiration of contract Transferring the contract... 23

3 Recommendation 2 (25) 4.18 Settling disputes Amending the Code of Conduct Appendices References... 24

4 Recommendation 3 (25) 1 Introduction and the purpose of the Code of Conduct This Code of Conduct and its annex on data protection complement the Act and Regulation on strong electronic identification and identification service provider trust network, as well as FICORA s technical regulations issued under the Act. This Code of Conduct has been drawn up in collaboration between FICORA and the business sector in the Identification and Trust Services Working Group set up by FICORA, with representatives from banks, telecommunications operators and the Population Register Centre. The legal nature of the Code is a FICORA Recommendation. The amendment ( /139) of the Act on Strong Electronic Identification and Electronic Trust Services (617/2009, hereinafter referred to as the Identification Act) [1] lays down provisions on the formation of an identification service trust network. The purpose of a trust network is to promote the market supply of universal identification services that are advanced, both in terms of usability and security, as well as to improve the security of eservices. A trust network allows the brokering of different identification devices to eservices under uniform technical and administrative arrangements. Further provisions on the administrative practices, technical interfaces and administrative responsibilities in the trust network are laid down in the Government Decree on the trust network of strong electronic identification service providers (169/2016, hereinafter referred to as the Trust Network Decree)[2]. The purpose of the Code of Conduct is to describe general objectives, principles and activities in the operation of a trust network in order to enable a reliable and effective identification of a person irrespective of how the businesses within the trust network organise their operations. The purpose of the Code of Conduct is also to facilitate the conclusion of contracts within the trust network. The Code of Conduct discusses, on a general level, various contractual themes and describes the key legislation concerning them. It also contains a number of practices that have been proven to be useful on the basis of discussions with the industry and that can be used in contracts. The Code of Conduct and its annex on data protection may be annexed or referred to in agreements. The content of the Code of Conduct is not exhaustive. Contractual parties may also include other

5 Recommendation 4 (25) 1.1 Recommendation versions conditions in their contracts. In mutual contracts between contractual parties, other legislation concerning the operations of the trust network members must, naturally, be taken into consideration; such legislation includes consumer protection and competition law not discussed as a whole here due to the extensive nature of the regulatory environment. FICORA does not monitor compliance with the Consumer Protection Act or the Competition Act. It is the responsibility of the Consumer Ombudsman and the Finnish Competition and Consumer Authority. The Recommendation will be supplemented and modified as necessary. In that case, the Recommendation number 216 will be maintained, but the date and the year will be changed appropriately. The modified versions of the Recommendation are listed in the following table: Recommendation version and date Published recommendation 214/2016 S Revised version of the recommendation 214/2016 S and the first published version of the data protection annex Modifications First published version Second published version 2 Related legislation The valid recommendation is published on the FICORA website at linesandpublications/documentsforguidelinesinterpretationsreco mmendationsandreportst.html Section 12 a of the Identification Act on trust networks shall be applied for the first time on 1 May The Trust Network Decree was adopted on 10 March 2016 and will likewise be applied as from 1 May The amendments to the Identification Act related to the EU eidas Regulation entered into force on 1 July 2016 and the FICORA Regulation 72/2016 M

6 Recommendation 5 (25) (hereinafter referred to as Regulation 72 or M72) on electronic identification and trust services was adopted on 2 November 2016 [3]. Pursuant to section 12 a(2) of the Identification Act, an identification service provider belonging to a trust network shall follow administrative practices allowing the interoperability of the services provided by those providing identification services and the eservice providers, using such identification services, as well as provide technical interfaces creating favourable conditions for the operations between identification service providers and those using such services. Strong electronic identification also requires the consideration of the eidas Regulation (EU) 910/2014 [4] adopted by the Parliament and the Council of the European Union on 23 July The eidas Regulation lays down the conditions under which Member States recognise the electronic identification means of natural and legal persons falling under a notified electronic identification scheme of another Member State. The eidas Regulation and the Commission Implementing Regulation (EU) 2015/1502 [5] that specifies the provisions of the eidas Regulation define three identification assurance levels that have been provided for in the Identification Act by considering substantial and high levels of assurance as strong electronic identification. In addition to identification assurance levels, attention should also be paid to the capability of identification brokering in a cross-border context referred to in the Commission Implementing Regulation (EU) 2015/1501 [6]. Pursuant to section 42 c of the Identification Act, the Population Register Centre maintains the national node or PEPS (Pan- European Proxy Server). PEPS is not part of a trust network. Where doubt arises, the order of application of various instruments is the following: 1. eidas Regulation (in applicable cases) and any other relevant EU Regulations 2. Identification Act and any other relevant national laws 3. Government Decree on trust networks 4. FICORA Regulation the identification principles of an identification service provider

7 Recommendation 6 (25) 6. contract between the device provider and the broker service 7. FICORA Recommendation on the Code of Conduct for a trust network 3 Definitions The definitions in the Code of Conduct are based on the Identification Act, the Trust Network Decree and the eidas Regulation. New definitions have been drawn up when there are no existing definitions in the legal provisions. Term used eservice High level of assurance Identification broker service provider Identification device Identification device holder Identification device provider Source and explanation A party relying on electronic identification Assurance level high shall refer to an electronic identification means in the context of an electronic identification scheme, which provides a higher degree of confidence in the claimed or asserted identity of a person than electronic identification means with the assurance level substantial, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to prevent misuse or alteration of the identity. (Article 8(2) of the eidas Regulation and the Commission Implementing Regulation (EU) 2015/1502 on levels of assurance) A service provider who transmits identification events of strong electronic identification to a party relying on electronic identification (section 2 of the Identification Act) Electronic identification means referred to in Article 3(2) of the EU Regulation on electronic identification and trust services, i.e. a material and/or immaterial unit containing person identification data and which is used for authentication for an online service. (Section 2 of the Identification Act) A natural person who has been issued an identification device by an identification service provider, based on a contract (Section 2 of the Identification Act) A service provider who provides or makes available to the public identification devices for

8 Recommendation 7 (25) Identification event Identification principles strong electronic identification and provides its identification device to the identification broker service for transmission within a trust network. (Section 2 of the Identification Act) A chain of events where an identification device holder is identified by the service of a relying party (eservice) and the eservice uses the identification service of one or several contracting parties to detect the identity or other character of the identification device holder. The identification service provider shall have identification principles in place that define how the provider will perform its obligations set out in this Act. (Section 14 of the Identification Act) Identification service A service provided by each of the contracting parties, which the customers of a contracting party may subscribe to and which is compatible with the technical array of the trust network. Contracting parties maintain their own identification services and may provide identification devices and/or act as an identification broker service for their own customers. In making product packages and setting for eservices the price for their services that use the technical array of the trust network, the contracting parties act independently and conclude their contracts with eservices separately. Identification service provider Strong electronic identification Substantial level of assurance A provider of an identification broker service or a provider of an identification device. (Section 2 of the Identification Act) The identification of a person, legal person or a natural person representing a legal person and the verification of the authenticity and validity of the identification by an electronic method based on a substantial assurance level referred to in Article 8(2)(b) or a high assurance level referred to in Article 8(2)(c) of the EU Regulation on electronic identification and trust services. (Section 2 of the Identification Act and Article 8 of the eidas Regulation) Assurance level substantial shall refer to an electronic identification means in the context of an electronic identification scheme, which provides a substantial degree of confidence in

9 Recommendation 8 (25) Technical array of the trust network Technical interface Trust network the claimed or asserted identity of a person, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease substantially the risk of misuse or alteration of the identity. (Article 8(2) of the eidas Regulation and the Commission Implementing Regulation (EU) 2015/1502 on levels of assurance) The technical environment of the identification services provided by the identification service providers who have made a notification to FICORA enabling the procedure of electronic identification on the basis of a trust network. An interface means specifications and implementations in relation to data transfers between two different systems or parts thereof. (Section 3 of M72) A technical interface refers to the following: 1) interface between identification device providers; 2) interface between an identification device provider and an identification broker service provider; 3) interface between an identification broker service provider and an identification service relying party. (Section 1 of the Trust Network Decree) The network of identification service providers who have made a notification to FICORA. (Section 2 of the Identification Act) 4 Contracts within the trust network 4.1 Contracting parties Providers of an identification service included in FICORA s register of strong electronic identification services pursuant to sections 10 and 12 of the Identification Act may be contracting parties. The Code of Conduct does not determine the terms and conditions of the contracts made between the contracting parties and the identification device holders or eservices concerning the use of the technical array of the trust network.

10 Recommendation 9 (25) 4.2 Obligation to conclude contracts Identification service providers, i.e. the providers of identification devices and identification broker services, conclude contracts on trust network operations between themselves. Pursuant to section 3(1) of the Trust Network Decree, an identification service provider belonging to a trust network shall negotiate and agree, in line with the obligation to cooperate laid down in sections 12 a(2) and 12 a(4) of the Identification Act, with other identification service providers on the matters essential to the implementation of a trust network. Pursuant to section 2(1)(5) of the Trust Network Decree, an identification service provider belonging to a trust network is responsible, for its part, in the trust network for the preparation and maintenance of contracts referred to in section 3(1) that are related to the trust network. The basis for regulation is that an identification device provider must make its device available for all identification broker services for brokering, if they so wish (contractual compulsion). An identification device provider may refuse to conclude a contract only if the identification broker service provider is materially violating the law or any regulations issued under it, or acting materially against its purpose determined in the identification principles (broker principles). Other compelling and legitimate reasons, such as serious violations related to mutual contracts or sanctions, may also be a valid reason for refusing to conclude a contract. Before a total refusal of a contract, it should also be considered whether the contract could be concluded with additional mechanisms safeguarding the rights of the parties included in the contract terms. For example, if an identification device provider has a legitimate reason to doubt the solvency of an identification broker service, due to an earlier failure to pay, it is possible to require a reasonable security to safeguard the meeting of contractual obligations. When refusing to conclude a contract, an identification device provider must act in a fair and non-discriminatory manner. The reasons for refusing to conclude a contract must be compelling enough to validly outweigh the contractual compulsion that

11 Recommendation 10 (25) forms the basis for regulation in this field. Unilaterally delaying the conclusion of a contract in an unjustified manner may also be regarded as a refusal of a contract. The contractual parties may contact FICORA, if they are to refuse to conclude a contract or they do not reach an agreement on the content of the contract. FICORA may invite the parties to negotiate. Any disagreements shall first be settled through negotiations. FICORA does not participate in price negotiations. Ultimately, FICORA may, as the authority monitoring the Identification Act, issue a supervision decision to conclude whether any of the conditions or requirements set by the contractual parties during negotiations are in conflict with regulatory obligations or industry practices. If a supervision decision is issued, the policies set out in this recommendation shall be applied. With its decision, FICORA may order the contractual parties to abandon any of their requirements that are against regulation or other disproportionate requirements that lack a justified relation to performing the identification service (section 12 a of the Identification Act and section 3 of the Trust Network Decree). FICORA's decision may be reinforced by an imposition of constraints referred to in section 45 of the Identification Act. FICORA s supervision decision may be appealed to the Administrative Court. The Finnish Competition and Consumer Authority may assess the refusal to conclude a contract, also from the point of view of competition law. Legislation does not provide for the compulsory brokering of all identification devices by identification broker services, but the objective of the law is that eservice providers could, if they wish, obtain all their identification services from a single identification broker service. The same service provider may provide both identification devices and identification broker services. If the identification device provider also acts as a provider of identification broker services for its own device, i.e. continues to provide the device to an eservice on the basis of an old contract, this activity is regarded as brokering. Even then, the device must be provided to every other identification broker service for brokering, but the provider is not

12 Recommendation 11 (25) obliged to broker any other identification devices in addition to that of its own. A new identification service provider may ask another identification service provider to conclude contracts under the conditions described in the Identification Act, the Trust Network Decree and this Code of Conduct, as long as it is entered in a register maintained by FICORA as referred to in the Identification Act and its identification service is technically prepared to be incorporated in the technical array of the trust network. Contract negotiations may, if the parties so wish, be opened even before the entry in the register. The party requesting the contract may require that the contract shall be concluded under terms based on this Code of Conduct. However, the contracting parties may require that their mutual contract contains other areas, in addition to those discussed in this Code of Conduct. 4.3 Matters falling under the responsibility of the identification service provider and those under a cooperative responsibility of the trust network The administrative responsibilities of a trust network are set out in section 2 of the Trust Network Decree. Together with other identification service providers, the contractual parties shall create the technical array of the trust network through which identification device holders may log on to eservices. The contractual parties are themselves responsible for developing services to be integrated in the technical array of the trust network and determine independently the terms and conditions and prices for their own customers in their mutual contracts. 4.4 Identification principles and notification of changes Under section 14 of the Identification Act, the identification service provider shall have identification principles. The minimum contents of such principles are specified in section 14(2) of the Act. Under section 10(3) of the Identification Act, the identification service provider shall notify FICORA in writing and without delay of any changes to the identification principles.

13 Recommendation 12 (25) 4.5 Identification assurance levels FICORA keeps a register of identification service providers on its website. The register contains links to identification principles provided by each identification service provider and the date on which the identification principles entered into force. The identification service providers provide FICORA with an advance notification on changes to the identification principles as soon as such decision is made. The notification shall include a general description on how the identification principles will be changed. FICORA forwards the advance notification on changing the identification principles and the expected date of such changes to trust network members. The advance notification forwarded by FICORA to the trust network members does not include information on the content of the changes. The trust network members only receive a neutral notification that there will be changes. Identification device providers and identification broker service providers may provide identification services of substantial or high level of assurance or both in a trust network. When brokering an identification event, the identification broker service specifies to the identification device provider the level of assurance at which the requested identification should be carried out. The eservice makes a decision on the identification level and requests a broker service of that level. An identification of substantial assurance level may also be carried out by high assurance level. 4.6 Technical interfaces and the minimum contents of identification data The technical interfaces of a trust network are set out in section 1(1) of the Trust Network Decree. Pursuant to section 1(2) of the Decree, an identification service provider belonging to a trust network shall provide, at each of the interfaces referred to in subsection 1, paragraph 1 (interface between identification device providers) and paragraph 2 (interface between identification device provider and identification broker service) a minimum of one technical interface that complies with a commonly used standard. The minimum data to be brokered within a trust network are defined in section 12 of FICORA Regulation M72. Pursuant to Regulation M72, the identification device provider, the provider of the identification broker service and the

14 Recommendation 13 (25) eservice provider shall negotiate the properties of their mutual interfaces (other than those laid down in this Regulation) and the respective protocol to be employed (section 14). The contractual parties shall negotiate which defined interfaces they will use. The Explanatory notes to Regulation 72 [3] (see page 51) recommend that the SAML 2.0 or the Open ID Connect protocol and the respective protocol profiles drawn up at the national level shall be used in the trust network. FICORA shall publish the profiles as separate recommendations [7] [8]. The contractual parties are free to agree on any other interface, as long as this does not prevent other trust network members from operating on the defined interfaces. In this case, a nondiscriminatory treatment of the defined interfaces, in relation to other interfaces provided, is required in the trust network. It is recommended that the application of other interfaces is communicated to the cooperation working group of the trust network. 4.7 Communicating information security incidents, failures, maintenance breaks and modifications within a trust network The situations that shall be communicated Pursuant to section 16(1) of the Identification Act, notwithstanding secrecy provisions, an identification service provider shall, without undue delay, notify the identification service s relying parties, identification device holders, other contractual parties in the trust network, as well as FICORA of severe threats or disturbances in the operation or the information security of the service or in the use of electronic identity. Pursuant to section 2(1)(4) of the Trust Network Decree, an identification service provider belonging to a trust network is responsible for its part for notifying, without undue delay, other identification service providers in the trust network of any disturbances or information security threats affecting their services, and for examining disturbances within a trust network. The notification obligation between trust network operators applies to information security threats and disturbances, failures and maintenance breaks affecting the operation of the service, and modifications potentially causing a break or a disturbance. When determining the notification threshold, the

15 Recommendation 14 (25) Communication practices potential impact of the disturbance, threat or modification to the service of another operator in the trust network. For example, the threshold for notifying information security threats, such as software vulnerabilities, active phishing campaigns or denial-of-service attacks should be fairly low to allow other operators to anticipate the situation. Failures in operation must be notified at least when they affect the services of other contractual parties. It is recommended for contractual parties to agree on advance notifications of maintenance breaks or to set a predetermined schedule for such breaks. It is also recommended that notifications of any modifications of an identification service are agreed upon in a similar manner to maintenance breaks, depending on the associated risk of a potential break or disturbance or unexpected impact on other trust network operators. Maintenance and modifications are typically likely to cause breaks. The contractual parties should agree on communicating information security threats and disturbances, failures and maintenance breaks to allow other trust network operators to anticipate such situations and take the necessary preparatory or corrective measures. The contractual parties should agree on the communication procedures, such as contact persons, communication channels and notification periods. The communication channels shall be secure. The contractual parties may agree that the contact details, in case of disturbance notifications, are shared (also) in a bulletin jointly managed by the trust network and limited to this purpose only. The notification periods should be proportional to the nature, severity, extent and impact of the problem. A good practice is to communicate: o immediately after coming to attention, but within 24 hours at the latest: information security threats and disturbances compromising the integrity of the identification scheme, such as computer break-ins, extensive DoS attacks, information security

16 Recommendation 15 (25) vulnerabilities, identification devices issued to a wrong person or similar situations; o o o immediately after coming to attention, but within 48 hours at the latest: information security threats or disturbances risking the confidentiality of personal data, such as computer break-ins; as soon as possible after being detected: failures interfering with the availability of the service; and at least one week in advance or, if the work comes to attention later, as soon as the work comes to attention: maintenance breaks and modifications Processing of disturbance, modification and event data within a trust network Pursuant to section 16(4) of the Identification Act, an identification service provider may use information relating to another identification service provider obtained by way of this section only to prepare for threats and disturbances referred to in this section and to examine disturbances. Information may only be handled by those at the service of an identification service provider who necessarily need the information in the course of their work. Information shall be handled in such a way that the business secrets of another identification service provider are not put into risk. The above principles on the notification of disturbances only apply to the exchange of information within a trust network. The contracting parties do not have the right to disclose to eservices or identification device holders or other third parties any confidential information that they have obtained as a member of a trust network. With respect to other trust network operators, only general information on the fact that the service is not available may be passed to eservices or into the public domain. The contractual parties may agree that they inform eservices or the public of any disturbances on behalf of each other, and in submitting a mutual notification, they indicate which information may be disclosed to eservices or the public. In this case, the binding legislation concerning the obligation to notify, such as section 16 of the Identification Act and the General Data Protection Regulation, shall be taken into account.

17 Recommendation 16 (25) Cooperation for examining failures Mutual secrecy of the contracting parties must not adversely affect consumers right to obtain information on the party they should turn to in order to invoke their legal rights. Pursuant to section 2(1)(4) of the Trust Network Decree, an identification service provider belonging to a trust network is responsible, for its part, for notifying, without undue delay, other identification service providers in the trust network of any disturbances or information security threats affecting their services, and for examining disturbances within a trust network. Pursuant to section 24(5) of the Identification Act, the identification service provider may only process stored data to perform and maintain the service, for invoicing, to protect its rights in case of disputes, to examine cases of abuse, as well as upon request by a service provider, using the identification service or the holder of the identification device. The identification service provider shall store data on processing the event, the time, reason, and person processing it. The contractual parties shall cooperate in examining failures and abuse related to identification events. The examination procedure in urgent information security disturbances or failures is different from the ex post examination of errors or abuse. The contractual parties should agree at least on the submission of contact details in examining errors or abuse, if the details are different from those used in urgent situations Disturbance notifications to the authority An example of a situation to be examined is where a person holds both valid and invalid identification devices, because the person s initial identification for some devices has been true and for others it has been false. In this case, the invalid identification devices should be recovered from the person without affecting the validity of the other identification devices. Because a simple cancellation of identification devices based on a personal identity code is not an option in such a situation, the entire trust network must collaborate. Disturbance notifications to FICORA are subject to the provisions of section 16(1) of the Identification Act and further regulated by section 11 of FICORA Regulation M72. The

18 Recommendation 17 (25) explanatory notes of the Regulation provide application instructions on notifying. An electronic form for submitting disturbance notifications is available on FICORA s website. FICORA processes the information on the disturbance notifications submitted pursuant to the Act on the Openness of Government Activities. Pursuant to section 24(1) of the Act, trade secrets and information on network security shall be secret. The disclosure of secret information always requires that the party concerned is consulted and consents to the disclosure or that the disclosure criteria provided for by law are met. If a conflict of interest arises, the matter shall be resolved by an administrative decision, against which it is possible to lodge an appeal. 4.8 Availability The Identification Act or the decrees issued under it do not provide for specific requirements concerning the availability of the service, with the exception of the provision on the revocation service in section 25(2) of the Identification Act stating that an identification device provider must make available an option to submit the notification referred to in subsection 1 at any time. The contracting parties should agree on the availability and capacity of the service. The availability of the technical array of the trust network is fundamentally important to the provision of the identification service by the contracting parties. Unless otherwise provided (with respect to, for example, the accessibility of a revocation list service), the contracting parties may agree on the service level in their mutual contracts. Nevertheless, when negotiating the service level, an identification device provider must treat all contractual partners in a fair and non-discriminatory manner. An identification device provider must not unduly provide a lower service level to identification broker services than that provided to eservices when it is acting as the identification broker service. Modifications of an identification service may affect the services of other operators in a trust network. The contracting parties should agree that when planning and implementing maintenance work and modifications, they take the impact on other trust network operators into account. The contracting parties should also agree that they perform any

19 Recommendation 18 (25) maintenance work and modifications in such a way and at such a time that the service break is as short as possible and has a minimum impact. Contract terms on maintenance work and modifications shall be reasonable from a consumer s perspective. FICORA does not monitor compliance with the Consumer Protection Act as it is the responsibility of the Consumer Ombudsman. 4.9 Fees related to accessing the technical array of the trust network The technical array of a trust network is where identification events are brokered between the contracting parties. The contracting parties serve their own identification device holders and the eservices that belong to their contract partners. The contracting parties broker identification events between each other s identification services. In this case, the identification device provider may charge an agreed fee from the contracting party whose customer the eservice is. Section 12 a of the Identification Act lays down provisions on the compensation to be charged for brokered identification data. The maximum amount of compensation that can be charged for brokered identification data which, pursuant to the preparatory material related to the Act, shall always contain at least a piece of information identifying a person is ten cents. The maximum fee only applies to data brokered by the identification service provider to the actual identification broker service provider. However, when the identification service transmits identification data outside the trust network directly to its contracting party, the eservices, the maximum fee does not apply and the fee charged is the fee agreed by the parties. Pursuant to section 1(2) of the Trust Network Decree, the identification service providers in a trust network may agree on an interface required for the transmission of a charge for identification data referred to in section 12 a(3) of the Identification Act or other interface necessary for the operation of the trust network. The contracting parties may provide each other with a service for the creation of an identification device ( chained initial identification ). In this case, a contracting party employs an identification device issued by another contracting party for issuing a new identification device to the identification device

20 Recommendation 19 (25) 4.10 Restrictions on the use of devices 4.11 Use of trademarks holder. The procedure of initial identification is subject to a separate agreement by the contracting parties. The contracting parties shall develop and make product packages of their own identification services and determine independently the terms of use and other contractual terms and prices for their own customers in their mutual contracts. An identification device provider may impose restrictions of use on its device that are either based on a contract or technical in nature (section 18 of the Identification Act). However, the identification service provider shall treat its customers in a nondiscriminatory way and the identification device applicants fairly when entering into an agreement (section 20 of the Identification Act). Any restrictions on the use of devices shall be agreed upon in contracts concluded between the contracting parties. An identification service provider shall ensure that all parties are aware of the preclusions or restrictions or that they are conspicuous. The legislator s intent is to facilitate the entry into the market of universally and widely available identification devices that make all kinds of transactions possible. Identification devices may be considered as basic services in the information society (see, for example, reports 12/2009 and 33/2014 by the Transport and Communications Committee). There must be a justified need for any restrictions derogating from the principle of universality, and the restrictions shall only be used to the extent necessary for answering the justified need for the derogation. It is forbidden to use restrictions to purposefully prevent legitimate business operations. Under section 6(2) of the Identification Act, identification broker services may disclose personal data, such as personal identity codes, only to such eservices which have a legal right to process personal data. In other respects, the principles of processing personal data are specified in the annex on data protection. The contracting parties shall agree on the presentation of trademarks within the trust network. The identification broker service has the right to agree with an eservice that the

21 Recommendation 20 (25) trademarks of the identification devices available in the eservice are visible in the eservice. Logos shall be presented in the form they are presented by the trademark holder or required in the contract by the trademark holder. When handling trademarks, the legislation on the use of trademarks shall be complied with. The identification device provider has the right to require that the identification broker service provider ensures by way of agreement that an eservice does not use the trademark of the identification service provider in an illegal or misleading manner to obtain more goodwill. The trademark of the identification device provider may only be used in the context of an identification event. The trademark must not be used in a manner listed in section 14 of the Trademarks Act (7/1964, as amended by 616/2016) Division of responsibilities between contracting parties and liability The Code of Conduct only deals with the mutual relationships of the trust network members and therefore only with liability issues concerning those relationships. An identification event involves a number of relationships between various parties, and the majority of them are excluded from the Code of Conduct. FICORA has commissioned a legal analysis of the compensation law issues involved in a trust network from Professor Olli Norros (FICORA s publication 004/2016 J [9]). The contracting parties may use this analysis in drawing up their contracts. Although the following relationships are excluded from the Code of Conduct, the contracting parties should take them into account when planning their operations and concluding contracts: 1. Identification device provider Identification device holder 2. Performer of a secondary initial identification (who is chaining an initial identification) Identification device holder 3. Identification device provider Injured third party 4. Identification broker service provider Identification device holder 5. Identification broker service provider eservice

22 Recommendation 21 (25) 6. Identification device provider eservice Responsibilities between contracting parties in identification brokering The contracting parties are responsible for their part for complying with the obligations laid down in the Identification Act and other legislation and their own identification principles. Liability and the right of recourse in a trust network are, by default, based on contracts. Being a member of a trust network does not automatically mean a mutual responsibility for any damage occurring in the trust network, for example. When drawing up contracts, at least the following should be considered separately: 1. Damages related to service interruptions and disruptions, and 2. Damages related to mistaken identity or identity theft. The contracting parties may agree on limitations of liability and an upper limit for liability in Euro within the limits set by legislation. However, the contracting parties must take into account applicable provisions on consumer protection, and their mutual contracts cannot undermine the legal rights of a consumer who is a holder of an identification device. A consumer is not a party to the trust network contracts but the contracts may affect the consumer's rights and this must be taken into account. The contracting parties may agree that if the source of occurred damage cannot be undisputedly established, the liability for the damage shall be divided in equal proportions between the contracting parties Responsibility in chaining initial identification Pursuant to section 17(4) of the Identification Act, a provider of a strong electronic identification service relying on an earlier identification is responsible for any incorrect identification towards the injured party. The contracting parties may agree on the right of recourse in situations where a contracting party has to pay compensation for damages under the provisions of section 17(4) of the Identification Act.

23 Recommendation 22 (25) 4.13 Data protection 4.14 Confidentiality The contracting parties shall comply with valid laws and regulations on data protection and the annex on data protection Processing of personal data in a trust network for electronic identification. The Code of Conduct is public. The contracting parties agree on the confidentiality of the content of their contract Temporary suspension of identification event brokering 4.16 Expiration of contract An identification device provider may suspend the brokering of identification events to its own identification device holders from an identification broker service that ignores any admonitions or otherwise seriously disregards its legislative obligations or the obligations of the parties mutual contract. The suspension may also be due to the fact that an identification broker service makes it impossible for the identification device provider to comply with its legislative or contractual obligations. The identification device provider notifies the suspension to other trust network members and to FICORA. An identification broker service provider may suspend the brokering of the identification events of an identification device provider to an eservice on the grounds mentioned above. A contract expires when one of the parties submits a termination or cancellation notice or by a mutual agreement of the contracting parties. The reasons for terminating a contract must be compelling enough to validly outweigh the contractual compulsion that forms the basis for regulation in this field. A contract may be terminated on such grounds which would have originally justified the refusal to conclude a contract (see section 4.2), provided that the information was not available when originally concluding the contract. An immediate termination of contract may only be considered a valid manner to end a contract in exceptional cases. A contract

24 Recommendation 23 (25) 4.17 Transferring the contract 4.18 Settling disputes 5 Amending the Code of Conduct may always be cancelled if FICORA removes the service provider from the register referred to in section 12 of the Identification Act. If problems arise, the primary option should always be an amicable settlement and, in serious situations, a temporary suspension of brokering of identification events. Although the contract between identification service providers expires, the contract terms concerning damage shall remain in force. The expiry of the contract between identification service providers does not erase responsibility for damage caused by an action or inaction during the validity of the expired contract. If operations are rearranged in a group of companies or other set of undertakings similar to a group of companies to which a contracting party belongs, the contract may be transferred to a group company or an undertaking belonging to the same set of undertakings mentioned in a change notification submitted to FICORA. The contracting parties agree on other terms and procedures relating to contract transfers in their mutual contract. FICORA and the Data Protection Ombudsman monitor the compliance with the provisions of the Identification Act and may issue a supervision decision obligating corrective action, insofar as the obligations and rights are laid down in the Act, the Decree or any regulations. FICORA may issue a decision prohibiting the provision of an identification service as strong electronic identification referred to in legislation, if the operations no longer comply with legislative requirements. FICORA does not have the authority to resolve contract disputes. The contracting parties may agree on a competent dispute resolution body. The Finnish law shall apply to contracts, unless the contracting parties agree otherwise in exceptional cases. As the Code of Conduct is issued as a FICORA Recommendation, FICORA is responsible for amending and

25 Recommendation 24 (25) managing the Code. When amendments are made to the Code of Conduct, a period of transition that is reasonable from the point of view of the nature of amendment shall be reserved for implementing the amendments. FICORA may transfer the management of the Code of Conduct to the cooperation work group of the trust network once it has discussed this with the cooperation work group to be appointed under the Trust Network Decree. If this Code of Conduct is amended, identification service providers shall amend their existing contracts according to the Code. This should be taken into account in contracts. In amending this Code of Conduct and the associated contract model clauses, the impact on existing contracts shall be carefully assessed. 6 Appendices Processing of personal data in a trust network for electronic identification 7 References [1] Act on Strong Electronic Identification and Electronic Trust Services (617/2009, the Identification Act) [2] Government Decree on the trust network of strong electronic identification service providers (169/2016, the Trust Network Decree) [3] FICORA Regulation 72/2016 M on electronic identification and trust services (M72, Regulation 72) and related Explanatory Notes MPS72 for the Regulation. [4] Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eidas) [5] Commission Implementing Regulation (EU) 2015/1502 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market

26 Recommendation 25 (25) [6] Commission Implementing Regulation (EU) 2015/1501 on the interoperability framework pursuant to Article 12(8) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market [7] FICORA Recommendation 212/2017 S Finnish Trust Network SAML 2.0 Protocol Profile [8] FICORA Recommendation 213/2017 S Finnish Trust Network OpenID Connect Protocol Profile (under preparation) [9] FICORA Publication 004/2016 J, Olli Norros: Selvitys tunnistamiseen liittyvistä vahingonkorvauskysymyksistä, Vahingonkorvausoikeudellinen selvitys