Cyber security is not an excuse for the unlimited monitoring and analysis of the personal information of individuals, said the European Data Protection Supervisor (EDPS) today following the publication of his opinion on the EU's strategy on cyber security. While there is a welcome acknowledgement of the importance of data protection principles for a robust cyber security policy, the strategy is not clear on how these principles will be applied in practice to reinforce the security of individuals, industry, governments and other organisations.
Peter Hustinx, EDPS, said: "There is no security without privacy. So I am delighted that the EU strategy recognises that it is not a case of privacy versus cyber security but rather privacy and data protection are guiding principles for it. However, the ambitions of the strategy are not reflected in how it will be implemented. We acknowledge that cyber security issues have to be addressed at an international level through international standards and cooperation. Nevertheless, if the EU wants to cooperate with other countries, including the USA, on cyber security, it must necessarily be on the basis of mutual trust and respect for fundamental rights, a foundation which currently appears compromised."
The overall aim of the EU strategy is to make the use of the internet and any network and information system connected to it, safer by enabling organisations in the EU countries to prevent and respond to cyber disruptions and attacks. The result would be to foster trust in individuals and organisations using the internet. However, the Commission Communication fails to take due account of the role of data protection law and of current EU proposals in promoting cyber security, such as the proposed Data Protection Regulation and the eTrust Regulation, among others. It also does not take into account the importance of factoring in protection at the inception of any system that contributes to cyber security - privacy by design - as a foundation for building trust. The result is that the strategy is not as effective and comprehensive as the Commission intends it to be.
While measures to ensure cyber security may require the analysis of some personal information of individuals, for instance IP addresses that can be traced back to specific individuals, cyber security can play a fundamental role in ensuring the protection of privacy and data protection rights in the online environment, provided the processing of this data is proportionate, necessary and lawful.
National data protection authorities (DPAs) play a significant role in ensuring that an appropriate level of security is applied to the processing of personal information, including on the internet and through network and information systems, and in raising awareness of the rules that apply to individuals and organisations in EU countries. Moreover, DPAs must be notified of any new operation by an organisation that involves the processing of personal information and of data breaches. Agencies such as Europol, ENISA and others listed in the strategy also need to liaise with them in the performance of their tasks. Although this is not reflected in the strategy, their role in contributing to cyber security must be acknowledged.
On 7 February 2013, the Commission and the High Representative of the European Union for Foreign Affairs and Security Policy adopted a Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on a "Cyber Security Strategy of the European Union: an Open, Safe and Secure Cyberspace".
On the same date, the Commission adopted a proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union. This Proposal was sent to the EDPS for consultation on 7 February 2013.
Privacy and data protection are fundamental rights in the EU. Under the Data Protection Regulation (EC) No 45/2001, one of the duties of the EDPS is to advise the European Commission, the European Parliament and the Council on proposals for new legislation and a wide range of other issues that have an impact on data protection. Furthermore, EU institutions and bodies processing personal data presenting specific risks to the rights and freedoms of individuals ('data subjects') are subject to prior-checking by the EDPS. If in the opinion of the EDPS, the notified processing may involve a breach of any provision of the Regulation, he shall make proposals to avoid such a breach.
Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, e-mail addresses and telephone numbers. Other details such as health data, data used for evaluation purposes and traffic data on the use of telephone, email or internet are also considered personal data.
Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Privacy by design: to build privacy and data protection into the design and architecture of information and communication systems and technologies, in order to facilitate compliance with privacy and data protection principles.
Purpose limitation: personal information may only be collected for specified, explicit and legitimate purposes. Once it is collected, it may not be further processed in a way that is incompatible with those purposes. The principle is designed to protect individuals by limiting the use of their information to pre-defined purposes, except under strict conditions and with appropriate safeguards.
Data breach: any personal data kept by an organisation (usually a telecoms provider) that is (accidentally or deliberately) lost, stolen, destroyed, changed, accessed or disclosed.