Privacy & identity management - Data protection issues in relation to networked organisations utilizing identity management systems
Today, we are expected to remember a different user name and password for almost every organisation or domain we want to access on the Internet. Identity management seeks to solve this problem by making digital identities transferable across organisational boundaries. The basic idea is that the participating organisations will set up a collaboration (or circle of trust) which involves both identity providers and other service providers. However, there is a risk that identity management may reduce the users' level of privacy: Can the collaborating organisations collect personal information and create a profile which includes the user's interaction with all collaborators? Who is responsible for the processing of personal data if many organisations collaborate? How can the user make informed decisions and consent to the processing of his data? This report seeks to address these issues from the perspective of European data protection law.
Thomas Olsen and Tobias Mahler are research fellows at the Norwegian Research Center for Computers and Law (NRCCL). This report was written in collaboration with the law firms Pinsent Masons (UK) and Garrigues (Spain) in the framework of the Legal-IST project (www.legal-ist.org). The project, funded by the European Commission under the 6th framework programme, aimed to support the research in the Information Society Technologies (IST) priority by studying the legal implications of current research initiatives.