Identity management and data protection law: Risk, responsibility and compliance in ‘Circles of Trust’ – Part II

Abstract

Today, we are expected to remember a different user name and password for almost every organisation or domain we want to access on the Internet. Identity management seeks to solve this problem by making digital identities transferable across organisational boundaries. The basic idea is that the participating organisations will set up a collaboration (or circle of trust) which involves both identity providers and other service providers. However, there is a risk that identity management may reduce the users' level of privacy: Can the collaborating organisations collect personal information and create a profile which includes the user's interaction with all collaborators? Who is responsible for the processing of personal data if many organisations collaborate? How can the user make informed decisions and consent to the processing of his data? This article seeks to address these issues from the perspective of European data protection law. The paper is split into two parts. Part I [Olsen T, Mahler, T, Identity management and data protection law: Risk, responsibility and compliance in `Circles of Trust' – Part I, Comput Law Secur Rep 2007;23(4):342–351. doi:10.1016/j.clsr.2007.05.009] introduced and analysed identity management with a focus on technical issues and risks to privacy. This is part II, which concentrates on data protection law, addressing the roles and responsibilities of collaborators and analysing how to ensure a compliant interaction with the end-user.