EU’s Cybersecurity Strategy gets harsh criticism from data protection advocate

A top EU data privacy advocate has criticised the European Union’s plans to combat cybercrime, saying they don’t provide enough protection for personal data.

In the same statement, the European Data Protection Supervisor (EDPS) Peter Hustinx suggested that too little attention has been paid to existing regulations and agencies, and that it would be useful to have tighter definitions of what exactly the European Commission means by “cybercrime” and related terms.

The statement comes as an official “opinion” document [PDF] responding to the EU’s Cybersecurity Strategy [PDF] plan.

The strategy was issued in February alongside proposals for a set of unified network and information security rules, referred to as the “NIS Directive [PDF]”.

The strategy document got a lukewarm reception at the time, with general approval that the EC was heading in the right direction but worries that the proposals were too vague and open-ended. The opinions from the EDPS seem to echo this, welcoming the existence of the strategy but pointing out some potential problems.

The main thing the EDPS finds “regrettable” (a term repeated many times in the opinion document) is that the strategy does not adequately emphasize privacy as a key part of any planned handling of personal data.

While the EDPS acknowledges that privacy issues are covered in some parts of the strategy, it finds little mention of them in the sections covering cybercrime, where privacy is pivotal.

Most cybercrime involves theft or abuse of personal data in some way, and any effort to tackle it must inevitably involve the collection and sharing of private data, by police and other bodies.

Data shared may include information on victims, suspects and innocent bystanders, so ensuring that this gathering and sharing is done within well-defined and regulated boundaries is a prime concern.

These worries tie in with another point regretted by the EDPS – the lack of mention, or indeed apparent awareness, of existing parallel plans and bodies in the field of digital data protection.

These include a proposed General Data Protection Regulation from last year, and also cover existing national Data Protection Authorities, such as the UK’s Information Commissioner’s Office.

The EDPS believes these bodies should be playing a major role in ensuring plans to combat cybercrime do not infringe on privacy, but they are omitted from the strategy document. Many of the same criticisms are also leveled at the NIS Directive.

Another point of criticism is the rather broad definition of cybercrime given in a footnote to the strategy:

Cybercrime commonly refers to a broad range of different criminal activities where computers and information systems are involved either as a primary tool or as a primary target.

Cybercrime comprises traditional offences (e.g. fraud, forgery, and identity theft), content-related offences (e.g. on-line distribution of child pornography or incitement to racial hatred) and offences unique to computers and information systems (e.g. attacks against information systems, denial of service and malware).

The EDPS points out that cybercrime and related terms “are used as a justification for certain special measures which could cause interference with fundamental rights, including the rights to privacy and data protection.”

It is clearly more than a little worrying that the EU might be granting police and other bodies special powers in cases where a “cybercrime” may have occurred, if a “cybercrime” is defined as any of an unlimited “broad range” of generally bad things with some sort of association with computers.

It would seem more sensible in this case to have a very restrictive definition of “cybercrime” as only crimes of a type which could only occur digitally, and to treat “normal” crimes – theft, fraud, porn or hatred offences etc – as mere variations on their “real-world” equivalent, which just happen to take place online.

The other option would be to stick with the vague definition, but not allow it to be used as the basis of any special legal powers.

If the investigation of any crime or other issue involves the gathering, processing or sharing of private information, then there should be comprehensive and strongly-enforced rules on what data can be dealt with, how, and by whom. This should apply regardless of whether it relates to a “cybercrime” or any other kind of incident.

Despite the raised profile of data protection issues lately, there does seem to be some way to go before those in political circles pay enough attention to data privacy. It’s good to hear someone out there is pushing the right agenda.

Image of EU fingerprint and handcuff on keyboard courtesy of Shutterstock.