Speech: The EU's Data Protection rules and Cyber Security Strategy: two sides of the same coin
European Commission - SPEECH/13/436 19/05/2013
Vice-President of the European Commission, EU Justice Commissioner
The EU's Data Protection rules and Cyber Security Strategy: two sides of the same coin
NATO Parliamentary Assembly/Luxembourg
19 May 2013
The Internet is the infrastructure of the modern age. It accounted for more than 20% of GDP growth in the world’s major economies over the last five years. If it were a national economy, the Internet economy would already rank in the world’s top five.
The benefits of the Internet go far beyond its direct economic impact. It is one of the most powerful agents for change, growth and jobs everywhere, and its impact is particularly forceful in the developing world. It can reduce poverty by connecting local communities to existing cultural and institutional structures. It can revolutionise education through the provision of free access to courses and classroom lectures. We all have seen how the Internet has promoted social and democratic reform across the world. The Arab Spring is one of the large scale examples, but certainly not the only one.
But the Internet is not only there for those who fight for progress and freedom. It can be exploited for sectarian and extremist purposes. Hackers can use the Internet for financial gain or for political goals. And as we could see during the war in Georgia, cyber-attacks can be used as an additional tool in conventional warfare.
That's why, as policy-makers, we should always be aware of the challenges that go along with the opportunities. These considerations are not relevant only for international politics. The need to make sure that technological progress is in line with our values applies also inside the European Union. As Europe's first Justice Commissioner I see that the question of how our values apply to the online world is being asked with increasing regularity.
Two recent cases stand out: the reform of the EU's data protection rules proposed by the Commission in January 2012 and the Cyber-Security Strategy it unveiled in February 2013. Some might think that they are unrelated. Some may even murmur that they serve different purposes and seek to achieve different goals. They would be mistaken. The two initiatives are mutually reinforcing. I will make my point in two steps.
1/ Data Protection, Cyber-Security and the EU's values and goals
Data protection is a fundamental right in the EU. The reason for this is rooted in our historical experience with dictatorships from the right and from the left of the political spectrum. They have led to a common understanding in Europe that privacy is an integral part of human dignity and personal freedom. Control of every movement, every word or every mouse click is not compatible with Europe's fundamental values or our common understanding of a free society.
This is why the Union's Charter of fundamental rights, our "Bill of Rights", recognises both the right to private life in Article 7 and the right to the protection of personal data in Article 8. But this is not all.
Article 16 of the Treaty on the Functioning of the European Union also gives the European Union the legislative competence to establish harmonised EU data protection laws that apply to the whole continent and that make the right to data protection a reality.
Data protection is thus one of the rare fields where we have full coherence between the fundamental right and the EU’s legislative competences. It is our responsibility as political leaders to adapt and refresh the current rules.
Recent years have demonstrated that while the digital world brings enormous benefits, it is also vulnerable. Cyberspace is the subject of incidents, malicious activities and misuse. The Cyber-Security Strategy for "An Open, Safe and Secure Cyberspace" represents the EU's comprehensive vision on how best to prevent and respond to these disruptions and attacks. It is the Union's roadmap to the safety and security of the Internet.
But the European Cyber-Security strategy is about more than security. Measures to ensure safety and security online are not a goal in themselves. The overarching aim is to make sure that the internet remains open and free. The goal is to ensure that the same norms, principles and values that the EU upholds offline, also apply online. Fundamental rights, democracy and the rule of law need to be protected in cyberspace. Our freedom and prosperity increasingly depend on a robust and innovative Internet. The Cyber-Security Strategy is about our fundamental values.
The data protection reform and the Cyber-Security Strategy also share a second goal. Both seek to build the EU's digital single market.
The EU already has a data protection law: a Directive which dates back to 1995. In the intervening 18 years, the Member States have reacted to new technologies differently. The result is an inconsistent patchwork of 27 different national laws. It entails huge legal costs for firms who simply want to do business across the EU. The European Commission is eliminating those costs by replacing the current Directive by one single clear set of rules for all businesses in the Union – resulting in savings for companies of around 2.3 billion EUR per year.
Let me explain this more graphically. The 1995 Directive is 12 pages long. In Germany, it has been transposed in the shape of a data protection law that is 60 pages long. Take those 60 pages and multiply by 27 Member States, and you'll get an idea of what the term "regulatory complexity" means in practice. We will replace this mountain of paper with one law that is valid in all of Europe.
It meets the expectations of business to have a true digital single market with one single law for data protection. One continent, one law. That’s what I call simplicity. That’s what I call opening a market.
The proposed Network Information Security Directive which accompanies the Cyber-Security Strategy has a similar goal: it is also concerned with building a resilient digital single market.
The Commission, together with the EU's Network Security Agency, ENISA, identified clear gaps in the Member States' preparedness for cyber-attacks. We found that only a handful of Member States cooperated on these issues. We consider that companies also need to take cyber-security more seriously.
Indeed, the number of cyber-attacks and incidents is high and rising. Let me give you 3 examples from the past 3 years. In 2010, a cyber-attack on the London Stock Exchange forced trading to stop for a day. In 2011, an outage affected millions of BlackBerry users. In 2012, total internet cut-offs resulted from the mistaken cut of a sub-sea cable between the UK and the Netherlands. Each of these incidents disrupted the provision of services within the internal market.
The proposed Directive responds to these incidents. It requires Member States to improve the level of national preparedness, for instance through the creation of Emergency Response Teams. National authorities will be required to cooperate, notably by informing each other of threats in good time. The Commission also wants to extend the number of sectors – not just Telecoms but also banking, energy, health, transport – which have to adopt Network Information Security management measures and to report significant incidents to national authorities. The purpose is clear: to raise the level of Cyber-Security in the EU in order to strengthen the digital single market.
Ladies and Gentlemen,
The EU wants to develop the digital single market. It wants to remain true to the values on which it is founded. The EU's reform of its data protection rules and its strategy on cyber-security serve both these purposes. But they have more in common than objectives and aspirations. They are mutually reinforcing.
2/ The relationship between Data Protection and Cyber-Security
Personal data has become a highly valuable asset. The market for analysis of large sets of data is growing by 40% per year worldwide. The currency of this new digital economy is data and in many cases personal data.
But the free flow of any currency depends on a precious commodity: Trust. It is only when consumers can 'trust' that their data is well protected that they will continue to entrust businesses and authorities with it by buying online and accepting new product developments and services. And trust is waning.
The figures tell the story. 92% of Europeans are concerned about mobile apps collecting their data without their consent. 89% of people say they want to know when the data on their smartphone is being shared with a third party. They want the option to give or refuse permission.
EU citizens are also increasingly aware of the risks linked to Cyber-Security. According to a Eurobarometer survey carried out last year, the level of concern about cyber-security is increasing. 74% of respondents agreed that the risk of becoming a victim of cybercrime has gone up in the past year.
It is in governments' and businesses' interest to reverse these figures. This lack of trust affects behaviour online. A modern set of data protection rules and greater cyber-security resilience will contribute to more people using more online services, which directly translates into growth for the companies. People will also be more confident to entrust their data to public administrations. This is the first way in which Data protection rules and Cyber-Security measures are complementary.
It is in this spirit that the Commission, in its data protection reform proposal, has introduced new concepts such as data protection by design and data protection impact assessments. The goal is to make sure that companies and national administrations don't collect and use more personal data than they need. This is good for citizens' rights. It is also good for Governments and business.
Security breaches that affect personal data can have an enormous cost. Experts believe that the hacker attack on Sony, in which the data of 77 million people was compromised, cost the firm between 1 and 2 billion US dollars. That's what I call the cost of non-compliance. It is a cost which is both high and avoidable. By minimising the data stored, you minimise the damage that can be caused by a successful attack. This is the second way in which the two instruments are complementary.
This brings me to another connection between data protection and the fight against cyber-crime.
The figures for the amount of criminal activity online, while being hard to quantify exactly, are staggering. Cyber-security incidents, be they intentional or accidental, are increasing at an alarming pace. Symantec estimates that the direct losses for victims of cybercrime alone are in the order of 290 billion euros a year. Europol puts the annual value of the global cybercriminal economy at one trillion US dollars.
The Cyber-Security Strategy puts forward a determined plan to respond to this threat. It recognises that cyberspace is increasingly becoming a facilitator for organized crime in all its forms.
The Strategy sets out a series of measures that should be taken within the EU to address the threat. The creation of the European Cybercrime Centre at Europol marks a significant step in this direction. The Strategy proposes measures to allow for cooperation and exchange of best practices and information. It involves all the communities concerned, from industry to law enforcement to the defence sector.
This cooperation should not stop at the borders of the EU. Cyber-security is borderless. Therefore it is obvious that the EU should articulate a coherent international cyberspace policy. It should enhance its engagement with key international partners and organisations. Cyber-security issues are increasingly on the agenda of dialogues between the EU and its key partners. There is a special focus on like-minded partners that share our values, such as the US. But we cannot neglect those countries where the approach to cyber-security might not be the same as ours. At a time when the global network of cyberspace can be accessed from anywhere in the world, we are only as strong as our weakest link. The EU must provide leadership on the global stage in this common struggle.
The Union should be true to its values also in this context. Few would contest that fundamental rights, such as the procedural rights of suspects and victims of crimes, are the same online as they are offline. The same goes for data protection.
The international fight against cyber-crime often involves the collection of information about the electronic behaviour of individuals. A law enforcement authority may require information, sometimes personal data, held by a company. The law enforcement body may be in one country and the company in another. How should such requests be tackled? Two imperatives – data protection and law enforcement – have to be weighed against each other. Sensible solutions that reconcile the two need to be found.
First, the imperative of data protection. When personal data is at stake, any information sharing should be compliant with data protection law and take full account of fundamental rights. When fighting cyber-crime, law enforcement authorities should apply investigative measures as sophisticated as the software they are trying to fight. Monitoring every click of every mouse would be simply inefficient. Companies should not be forced to choose between compliance with one sovereign's data protection laws and another's law enforcement measures. Bypassing the EU's data protection rules would mean violating citizens' rights and exposing European companies to significant legal risks. That's why our Mutual Legal Assistance Agreements have been negotiated. Let's make sure they work effectively to solve these problems.
Second, the imperative of law enforcement. Data protection laws should be drafted in such a way as to render the fight against crime winnable. This is what the Commission has sought to achieve in its reform proposals. It has proposed a separate instrument on data protection in the law enforcement sector. It affords law enforcement authorities the flexibility they need to act. The Commission has also made sure that the data protection reform package allows for international transfers of data where an important ground of public interest applies. We recognise that while data protection is a fundamental right, it is not absolute. It should shape but not prevent the fight against cyber-crime.
Ladies and Gentlemen,
The EU's Cyber-security Strategy outlines the EU's vision of how to build up its resilience and make the EU's online environment the safest in the world. Its cornerstone is the respect and protection of citizens' rights. This vision can only be realised through cooperation between many actors. The EU is open to work with all partners, and to team up with those that share its vision of a free and open internet. NATO should be one of those partners. The Centre of Excellence and the Response Capability demonstrate that NATO is also aware of the threat and awake to the dangers. It is obvious that there are potential synergies to be exploited to deliver and promote our shared values and freedoms. So let's act together to deliver a safe, free Internet for everyone.