Companies may try to bypass GDPR fines by negotiating with cybercriminals, Europol say

An exterior view of the Europol headquarters in The Hague, the Netherlands. [EPA/Lex van Lieshout]

Europol, the EU’s policing agency, has warned that EU data protection laws may lead to an increase in cyber-extortion in a report released on Tuesday (18 September).

The fifth Internet Organised Crime Threat Assessment (IOCTA) was presented at the INTERPOL-Europol Cybercrime Conference in Singapore, and warned of the implications of companies breaching General Data Protection Regulation (GDPR) rules and choosing to pay hackers bribes.

Under GDPR rules that came into force in May, violations can result in fines of up to €20 million or 4% of global turnover, whichever is higher.

Europol’s research shines a light on the fact that companies could be inclined to pay lesser extortion fees to hackers.

The report states:

“Hacked companies [may] rather pay a smaller ransom to a hacker for non-disclosure than the steep fine that might be imposed by their competent authority.”

Europol goes on to warn that if such companies are to negotiate with cybercriminals, then they “will only fund further attacks and other criminal activity” and that the organisation at risk has no guarantee that “the attacker will not disclose or otherwise exploit information.”

When pressed for the basis of the claim that companies may prefer to negotiate fees with hackers rather than pay GDPR fines, a Europol spokesperson told EURACTIV that the conclusion was drawn up from responses to a survey Europol had sent out to private partners.

Neither the survey itself nor the ‘private partners’ who participated could be disclosed. A European Commission official also informed EURACTIV that they had not been consulted on the survey in question.

Nevertheless, Europol’s claims will no doubt raise alarms at the Commission, which struck a steadfast tone in response to the report.

“The GDPR includes a clear obligation on companies to notify data breaches,” a Commission official told EURACTIV.

“The enforcement of data protection rules is the responsibility of the data protection authorities. They have to assess a certain number of criteria when imposing a fine. One of these criteria is the good cooperation of the company with authorities, including informing them about data breaches.”

Europol’s critique of GDPR goes further than highlighting the shortfalls of compliance. The report also notes the technical ramifications that GDPR has had on cybersecurity policing across the continent.

The criticism centres around the operation of the WHOIS database, an online repository of information associated with registered domain names. Europol says that EU data protection law has “debilitating repercussions for cybercrime investigations,” in the context of WHOIS.

Subsequent to GDPR entering into force, the Board of the Internet Corporation for Assigned Names and Numbers (ICANN) established temporary requirements that call upon registries and registrars to redact all personal data from publicly available WHOIS records.

Europol say that this requirement is “significantly hampering the ability of investigators across the world to identify and investigate online crime,” as they no longer have the unimpeded access to data records that would previously have assisted in investigations.

The study arrives at a time when questions are being raised as to the effective execution of punitive measures for non-compliance.

At the Confederation of British Industry Cyber Security conference in London on September 12, Deputy Commissioner for Operations at the UK’s information rights authority, James Dipple-Johnstone, conceded that the UK “has not issued any fines for breaches of the new regime,” even though monthly data breach reports have risen rapidly since GDPR was enforced, amounting to as many as 500 calls a week.

Dipple-Johnstone added that much malicious activity online is often dealt with through “advice, guidance and reassurance” rather than fines from UK authorities.

Questions will no doubt surface as to the issues of non-compliance with GDPR, as Europol’s study is digested by policymakers in Brussels.

The EU’s law enforcement agency also drew attention to the wider vulnerabilities that citizens and businesses face across the EU.

The use of ransomware and Distributed Denial-of-Service (DDoS) attacks has become a staple of online criminality, mobile malware is expected to rise as users shift from online to mobile banking, and social engineering threats are judged likely to become more prevalent.

Catherine De Bolle, Executive Director of Europol, wrote in the assessment that legislative developments on the continent “impact on our ability as law enforcement officers to effectively investigate cybercrime.”

“This emphasises the need for law enforcement to engage with policymakers, legislators, and industry, in order to have a voice in how our society develops,” she said.
