The European Commission released its cybersecurity strategy yesterday (7 January) to address concerns about network and information security and promote greater internet safety.
But the obligations put on EU member countries to report cyberattacks are “vague” and appear to do little to protect EU citizens' data stored outside the EU, Wim Nauwelaerts, a privacy and data security lawyer with the firm Hunton & Williams, told EurActiv.
The EU-wide strategy aims to establish cross-border cybersecurity rules and practices and a coordinated response to attacks. Companies and public bodies will also have to report significant attacks to the Commission, which took the unusual step of publishing a list of companies to which this may apply, including Google, the retailer Amazon, eBay and a number of telecoms and cloud service providers.
It also contains a legislative proposal obliging member states to designate a national competent authority for network and information security, and to set up a functioning computer emergency response team (CERT).
Catherine Ashton, the Commission vice president in charge of foreign policy, said the EU executive had to agree on norms and enhance dialogue with governments outside Europe to ensure the “protection of fundamental rights online and offline”.
The new EU rules, pending approval by the European Parliament and the Council, would require member states to report to the Commission cyberattacks on data facilities within their “control”, even if those facilities are outside the EU.
The responsibility for the safety of an EU citizen’s data kept in an off-site data storage centre “has to come back to one national authority”, said an official from the office of Neelie Kroes, commissioner for the digital agenda.
Therefore, the national authority covering a German company or public body that uses a data storage centre in Singapore will be responsible for ensuring the safety of that service for citizens within its jurisdiction, he told EurActiv.
To Nauwelaerts, who is also a cloud computing advisor, this opens up a regulatory can of worms.
“As it stands right now it’s going to raise a number of legal issues”, he said.
“We are going to have to export European rules in that respect… If they are only from Europe I’m not sure they are going to solve global problems.”
Under the strategy, member states will have to audit “critical infrastructure”, including off-site cloud storage facilities “for all services, no matter if they are in Europe,” the EU official said.
“I am skeptical about how to put that in practice,” Nauwelaerts said, adding that overall he supported the cybersecurity initiative.
“How do you define control? ... How do you continue to exercise ‘control’,” he said. “This is a complex legal issue and topic of debate in the privacy and data protection field.”
The EU body using a service provider in another country would have to ensure that the provider abides by the EU's standards, or itself risk being found non-compliant.
“This requires a robust contractual framework between the EU [private or public] body and the service provider in other countries”, he said.
The EU strategy does not call for the creation of new international legal instruments for cyber issues.
An international convention on cybercrime, the Council of Europe's Budapest Convention, already exists; it provides a model for drafting national legislation and a basis for international cooperation. But so far only 39 states have ratified it.
The strategy calls for the creation of a coherent EU international cyberspace policy, which “will be aimed at increased engagement and stronger relations with key international partners and organisations. It will promote achieving a high level of data protection, including for transfer to a third country of personal data”, the Commission said.