Yesterday (12/12/2013), a serious blow was dealt to one of the fundamental building blocks establishing the legal framework for retention of data for law enforcement across Europe. Advocate General Pedro Cruz Villalón (AG) at the Court of Justice of the European Union (ECJ) delivered an opinion stating that the Data Retention Directive (DRD) is, as a whole, incompatible with the individual’s right to privacy in the Charter of Fundamental Rights of the European Union. The opinion has potentially profound implications for law enforcement agencies and for service providers subject to the retention requirements across Europe. The opinion is here.

Background

The DRD requires Member States to implement laws requiring telephone or electronic communications service providers to collect and retain traffic data, location data and the related data necessary to identify the subscriber or user of the services “in order to ensure that the data is available for the purposes of the investigation, …
After lengthy discussions, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) agreed this Monday (22 October 2013) on a compromise text of the draft General Data Protection Regulation (“GDPR”). The proposal still has a mountain to climb as opinions between the different EU institutions remain deeply divided. However, Monday’s vote is significant as it gives the European Parliament (“EP”) a mandate to start the next phase of negotiations with Member States. The GDPR was published by the European Commission 21 months ago in January 2012 and has proved to be one of the most controversial proposals ever to come out of Brussels, with lobbyists proposing over 4000 amendments to the Commission’s text.

Background

The compromise text was adopted by the LIBE Committee on a 49-1 vote with three abstentions. The EP’s press release is here and includes some radical proposed changes to the Commission’s draft. Datonomy has taken a …
With recent reports of ever more daring cyber-attacks on the banking system, and claims that cyber criminals are exploiting weaknesses in the supply chain to hack major corporations, Datonomy looks at the current EU proposals on reporting security incidents which are aimed at tackling the problem – and the concerns and flaws identified by industry and by legislators.

What’s new? Some recent developments on the NISD

Datonomy readers will be familiar with the proposal for a new EU Directive on Network and Information Security (NISD) unveiled by the Commission in February, and set for its first reading in the European Parliament in early 2014. The aim of the new measures is to boost security by imposing new standards, and auditing and reporting requirements on market operators – including key infrastructure providers (e.g. energy companies) and, more controversially, ecommerce platforms and social networks. Our earlier summary of those proposals can be found …
Datonomy considers the German authorities’ reaction to the PRISM affair, and the wider practical consequences this could have for international transfers being made under the auspices of U.S. Safe Harbor and model contracts. After the reports about extensive surveillance activities by foreign and European intelligence services, especially by the American National Security Agency (NSA) and the UK Government Communications Headquarters (GCHQ), and possible transfers of personal data to them by American companies, European data protection authorities are raising their voices. In a letter dated 13 August 2013, the chairman of the Article 29 Working Party expressed his deep concern to the Vice-President of the European Commission, Viviane Reding, urging her to seek more clarification from the U.S., and announcing the intention of the European data protection authorities to conduct their own investigations into the compliance of foreign and European intelligence programs with EU data protection principles. Concrete actions have …
On 3rd September, the new EU Directive 2013/40 on attacks against information systems came into force, requiring Member States to beef up national cybercrime laws and sentencing. The Directive updates and replaces the previous Framework Decision in this area and introduces new measures including criminal offences for attacks using malicious software, and increased sentencing of up to 5 years’ imprisonment for the most serious offences. The new measures are illustrative of the EU’s increasingly aggressive stance in tackling cyber-crime – but how different is the new legislation from that already in force? Datonomy explores.

Why the new Directive?

Last week on 3 September, the new EU Directive 2013/40 on attacks against information systems came into force. The Directive was proposed in 2010 as a replacement for the previous Framework Decision 2005/222/JHA, which criminalised various activities in relation to attacks on information systems, including illegal access to information systems, and illegal interference with systems …
Aberdeen City Council (“ACC”) has been fined £100,000 by the Information Commissioner’s Office (the “ICO”) for failing to implement an adequate home working policy after one of its employees posted sensitive information online whilst working from home. There has been a rash of fines for security breaches imposed on public sector data controllers. Datonomy was particularly interested in this fine because of the wider implications for the private sector. Home working, remote working and “bring your own device” security are currently in the regulatory spotlight, and in the notice announcing the fine, the ICO has reiterated the importance of organisations ensuring that personal data is fully secure when accessed remotely. It is time to revisit your BYOD and remote working policies and procedures if you haven’t already done so. In November 2011, an ACC employee unintentionally uploaded 39 pages of highly personal and confidential information relating to her job (caring …
The ICO recently updated its Data Protection Enforcement Policy in the light of recommendations from the Leveson Report. The policy remains largely the same as the ICO’s earlier 2010 policy, but contains new sections specifically clarifying the regulation of the press and incorporating the ICO’s recent Information Rights Strategy. The policy again stresses that market forces and proportionality will play a key role in the ICO’s decisions whether to take enforcement action. The ICO last week published its updated Data Protection Enforcement Policy and Datonomy has been comparing this new improved version to the last version of the policy published in 2010. The policy sets out how the ICO intends to implement its regulatory powers under the Data Protection Act 1998, Privacy and Electronic Communications Regulations 2003 and associated legislation. The updated policy follows recommendations in the Leveson Report that the ICO publish clearer practice guidelines to ensure compliance …