Data security and multi-factor authentication: Analysis of requirements under EU law and in selected EU Member States

Ensuring the security of personal data, particularly in terms of access controls, is becoming progressively more challenging. The most widely deployed authentication method, a user name plus a password, increasingly appears to be unfit-for-purpose. A more robust technique for maintaining the security of personal data is multi-factor authentication whereby two or more different types of credential are required. This approach is gaining traction, and in the European Union, some national data protection authorities are already recommending the use of multi-factor authentication as a means of complying with the obligation in the EU Data Protection Directive to take “appropriate technical and organisational measures to protect personal data”. A proposal to replace that Directive with a General Data Protection Regulation is at an advanced stage in the EU legislative process with enhanced data security a central feature of the proposed reform.This article examines how the proposed Regulation would be likely to change the standard for data security both in general terms and in specific ways that might have an impact on the use of multi-factor authentication. Other sources of EU guidance are also considered, together with the position under the national laws and regulatory practices of six EU Member States.