Abstract
The Fourth Industrial Revolution imposes a number of unprecedented societal challenges, and these are increasingly being addressed through regulation. This, in turn, places the burden of adopting and implementing the different concepts and principles (such as privacy-by-design) on practitioners. However, these concepts and principles are formulated by legal experts in a way that does not allow their direct use by software engineers and developers, and the practical implications are thus not always obvious or clear-cut. Furthermore, many complementary regulatory frameworks exist, and in some cases compliance with several of them must be reached simultaneously.
In this paper, we address this generic problem by transforming the legal requirements imposed by the EU’s General Data Protection Regulation (GDPR) and China’s Cybersecurity Law (CSL) into technical requirements for an exemplar case study of a generic eHealth IoT system. The derived requirements result from an interdisciplinary collaboration between technical and legal experts and are representative of the types of trade-off decisions made in such a compliance process. By means of this exemplar case study, we propose a set of generic requirement-driven elements that can be applied to similar IoT-based architectures and thereby reduce the need for legal supervision in the development of such architectures.
O. Tomashchuk and Y. Li—The authors contributed equally.
Notes
- 1. Five systems constitute the Cybersecurity Law: (1) Cybersecurity Multi-Level Protection Scheme – specific security measures need to be met according to the level of the activities that would affect the public, scaled from 1 (the least risky) to 5 (the most risky); (2) Critical Information Infrastructure Security Protection System (Chapter 3); (3) Personal Information and Important Data Protection System (Chapter 4), which focuses on the scope of personal information protection and the corresponding protection standard; (4) Network Products and Services Management – network products that are used in critical information infrastructure (see number 3) are required to go through a cybersecurity assessment; and (5) Cybersecurity Incident Management System – guidelines and measures are provided to be activated in response to cybersecurity incidents.
- 2. All the appendices can be found online: http://bit.ly/39bGd8I.
- 3. Within China, national standards play an important role in implementing higher-level laws and legislation. They are better understood as quasi-regulation rather than as the technical specifications or voluntary frameworks typically found in Western contexts. Although they are not legally binding, the competent authorities often refer to them when conducting assessments and approvals. In practice, the bundle of standards under the umbrella of the CSL functions as a form of regulation, with auditing and certification of entities conducted against their criteria. To date, over 240 national standards related to the field have been issued since 2010.
Acknowledgements
This research is funded by Philips Research, Research Fund KU Leuven, and the HEART project (www.heart-itn.eu). This project has received funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 766139. This publication reflects only the authors’ view and the REA is not responsible for any use that may be made of the information it contains.
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Tomashchuk, O., Li, Y., Van Landuyt, D., Joosen, W. (2020). Operationalization of Privacy and Security Requirements for eHealth IoT Applications in the Context of GDPR and CSL. In: Antunes, L., Naldi, M., Italiano, G., Rannenberg, K., Drogkaris, P. (eds) Privacy Technologies and Policy. APF 2020. Lecture Notes in Computer Science(), vol 12121. Springer, Cham. https://doi.org/10.1007/978-3-030-55196-4_9
DOI: https://doi.org/10.1007/978-3-030-55196-4_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-55195-7
Online ISBN: 978-3-030-55196-4
eBook Packages: Computer Science (R0)