European Data Protection Supervisor

EDPS issues an alert on intrusive surveillance


Today, as the European Data Protection Supervisor (EDPS) published his Opinion on Intrusive surveillance technology, he said he was issuing an alert about the risks posed by the unregulated and growing market for the sale, distribution and (dual) use of spyware.

Giovanni Buttarelli, EDPS, said: “As the unregulated market for the trading and use of covert monitoring technology continues to grow, the EU must not underestimate the appetite for such technology. By addressing weaknesses in existing legislation and policies as well as developing new legislation, the EU legislator can help protect against the very real threat posed to our privacy and data protection rights. The sale of these privacy-invasive dual-use tools and the offer of related services also needs to be more tightly regulated in the EU to prevent human rights abuses in Europe and further afield.”

In an appeal to the IT community in particular and the EU legislator in general, the EDPS says that more needs to be done to monitor the market and urges them to investigate safeguards to embed privacy by design to secure the technology. Without fixing the vulnerabilities, he says, the digital single market cannot succeed.

Surveillance tools can be instruments for legitimate and regulated use by law enforcement bodies. However, they can also be used to circumvent security measures in electronic communications and data processing thereby undermining the integrity of databases, systems and networks. As the internet of things becomes more widespread, so the risks will become more significant.

The EDPS calls for a coordinated approach to tackle these risks. In many non-EU countries, the standards of data protection may be lower than in Europe. This leaves EU citizens, for instance journalists, vulnerable to potentially being monitored in non-EU countries. The trade and use of surveillance software in the private sector must be regulated more closely, since legal provisions for their use are lacking or insufficient in many countries.

The internet has allowed a global interconnectedness which in turn gives cybersecurity in the EU an international dimension. The complex challenges this poses for law enforcement agencies must not be an excuse for the disproportionate processing of personal data that these surveillance tools allow. The EDPS asks that law enforcement agencies be more transparent and accountable in their use of such software so that the individual's right to self-determination is not infringed.

Complying with data protection laws is as much an obligation as compliance with other relevant regulations such as export. However, the Opinion by the EDPS, which was prepared on his own initiative, covers the known market for surveillance technologies, the legality of which is too frequently a grey area.

His Opinion is an alert to tighten up the regulation in this market, to clarify the criteria for legal trading, export and usage, for instance by security researchers.

The EDPS will also inform the Internet Privacy Engineering Network (IPEN) to raise awareness about this very sensitive subject.

Background information

Privacy and data protection are fundamental rights in the EU. Data protection is a fundamental right, protected by European law and enshrined in Article 8 of the Charter of Fundamental Rights of the European Union.

More specifically, the rules for data protection in the EU institutions - as well as the duties of the European Data Protection Supervisor (EDPS) - are set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.

Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five-year term, they took office on 4 December 2014.

EDPS Strategy 2015-2019: Unveiled on 2 March 2015, the 2015-2019 plan summarises the major data protection and privacy challenges over the coming years and the EDPS' three strategic objectives and 10 accompanying actions for meeting them. The objectives are (1) Data protection goes Digital (2) Forging Global Partnerships and (3) Opening a New Chapter for EU Data Protection.

Personal information or data: Any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.

Privacy: the right of an individual to be left alone and in control of information about himself or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).

Processing of personal data: According to Article 2(b) of Regulation (EC) No 45/2001, processing of personal data refers to "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction." See the glossary on the EDPS website.

Dual-use technologies: Technologies that can be used for both military and civilian (often commercial) purposes.

Electronic Communication/eCommunication tools include email, internet and telephony.

Mobile device: any portable computing device such as a smartphone or tablet computer.

The internet of things: objects and people interconnected through communication networks which can report about their status and/or the surrounding environment.