Monday, 26 October 2009

Data breaches & security: Reding's speech

Viviane Reding, European Commissioner responsible for Information Society and Media, at the 23 October 2009 EDPS-ENISA Seminar 'Responding to Data Breaches', made a speech on securing personal data and fighting data breaches.

Some extracts:

"… if citizens have an underlying fear that their data may be lost or stolen they will not participate fully in the digital economy.

The Telecoms Reform has put the issue of mandatory notification of personal data breaches firmly on the European policy agenda. The reformed telecoms package, now awaiting final agreement, will establish rules concerning the prevention, management and reporting of data breaches in the electronic communications sector. As you are aware, the Commission will go a step further to extend the debate to generally applicable breach notification requirements and work on possible legislative solutions. This will be done in close consultation with the European Data Protection Supervisor and other stakeholders…

I find it very reassuring that today's event is organised jointly by representatives of data protection and of Network and Information Security. This cooperation underlines the fact that privacy and information security are not in conflict with each other: Without information security, protection of privacy and personal data is not possible. Indeed, we must see challenges to personal data security in the broader context of the resilience of information and communication infrastructures. A key principle of EU data protection law is that those who process personal data have to take the necessary security measures to counter the risks to this data.

With the telecoms reform, we are now strengthening and clarifying these rules: when a security breach happens, the operator will have to inform the authorities and those citizens who may face harm as a result of the loss of their personal data. Furthermore, network operators must notify the competent national regulatory authority of a breach of security or loss of integrity that had a significant impact on the operation of networks or services.

In short: Transparency and information will be the key new principles for dealing with breaches of data security.

Those who profit from the information revolution must respond to the public policy responsibilities that come with it. It will of course not be possible to prevent all breaches. But operators must be prepared to minimise the risks by ensuring that management of incidents is planned and organized beforehand.

My vision is that security and data protection in the Information Society must be based on a comprehensive risk assessment and on management approaches, which take into account all hazards and threats, whether they come from cyber-attacks, from natural disruptions, or any other source.

… social networking. It has, on the one hand, a strong potential for new forms of communication; but on the other hand it brings privacy concerns for internet users who put personal information online. We have seen this in Germany recently where sensitive data was illegally collected from one of the biggest German social networks, Schueler VZ. This clearly demonstrates that obligations to ensure protection against data breaches cannot be limited to electronic communications networks alone – but may need to be addressed in new EU rules which cover online services as well. The European Parliament is certainly right in calling on the Commission to study different legislative options to address this issue.

Our role is to understand what the public policy challenges are; identify the proper mechanisms to tackle them; and set the framework conditions - where necessary through sector-specific legislation.

The Commission has committed itself to reviewing Europe's general rules on protecting personal information, in the light of rapid technological development. At the same time, we will have to find agreement with our partners in other parts of the world, as the information society is becoming more and more global.

In 2010, the Commission intends to launch – as part of the ambitious European Digital Agenda advocated by President Barroso in his recent policy guidelines - a major initiative to modernise and strengthen network and information security policy in the EU. At the same time, I believe we should look at the emerging challenges for privacy and trust in the broad information society, with a particular emphasis on some of the outstanding issues which were raised during the discussions on the revision of the ePrivacy Directive, such as targeted advertising, convergence, the use of IP addresses and on-line identifiers…"

On the European Digital Agenda, see also:

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.