23 July 2012


The European Data Protection Supervisor (EDPS), noted in the preceding post, has issued an Opinion [PDF] on the European Cybercrime Centre, aka EC3.

The Centre is to "serve as a focal point in the fight against cybercrime" and "will cooperate closely with relevant agencies and actors at international level", presumably including the Australian Crime Commission and the AFP High Tech Crime Centre, which was in the news over the weekend for rather plaintive claims that the absence of a data retention regime left it powerless.

It is to address cybercrimes -
  • committed by organised crime groups, particularly those generating large criminal profits such as online fraud, 
  • which cause serious harm to their victims, such as online child sexual exploitation, and
  • seriously affecting critical Information Communication Technology systems in the Union.
It will have four main tasks -
  • serving as the European cybercrime information focal point; 
  • pooling European cybercrime expertise to support Member States in capacity building; 
  • providing support to Member States' cybercrime investigations; 
  • becoming the collective voice of European cybercrime investigators across law enforcement and the judiciary.
The Supervisor comments that
This opinion addresses the importance of data protection when setting up the EC3, and provides specific suggestions that could be taken into consideration in the course of the set up of the terms of reference for the EC3 and in the legislative revision of the Europol legal framework.
He goes on to note that -
The information processed by the EC3 will be gathered from the widest array of public, private and open sources, enriching available police data, and it would concern cybercrime activities, methods and suspects. The EC3 will also collaborate directly with other European agencies and bodies. 
Accordingly the EDPS seeks through the Opinion to -
  • ask the Commission to clarify the scope of the activities of the EC3, as far as they are relevant for data protection; 
  • assess the foreseen activities in the context of the current Europol legal framework, especially their compatibility with the framework; 
  • highlight relevant aspects where the legislator should introduce further detail in the context of the future review of Europol's legal regime to ensure a higher level of data protection. 
He comments that -
The EDPS regards the fight against cybercrime as a cornerstone in building security and safety in the digital space and generating the required trust. It can also enhance the security in the digital space and consequently improve the level of data protection in this area. Indeed, protection of individuals in cyberspace will inherently benefit if the Centre can achieve its goals while at the same time fully respecting fundamental rights and in particular the right to data protection. Against this background, the EDPS would like to express his support for the creation of mechanisms to fight against cybercrime, such as the proposed Centre. 
The fight against cybercrime will often require processing personal data in the context of investigations. It consequently entails risks of intrusions into the citizens' privacy. This is why privacy concerns should be taken into consideration together with the objectives of the EC3. 
The EDPS is convinced that effective action to fight cybercrime cannot be put in place without the support of a solid data protection scheme complementing it. Appropriate safeguards are needed to ensure that monitoring and processing of personal data will only be done in a strictly targeted way, and that misuse of this mechanism is prevented by adequate measures. The EDPS wishes to ensure that this monitoring is carried out under a clear framework with adequate data protection safeguards put in place.
In relation to data retention (subject of an item here) the Opinion comments that
The fight against cybercrime is likely to often require the cooperation of the private sector as most of the data relevant to investigate cybercrime offences are stored by private entities that keep records of electronic transactions and communications in the course of their regular activities or in compliance with specific legislative requirements. For instance, telecom operators retain data of internet and telecom communications for commercial purposes or in compliance with the [2006] Data Retention Directive
It is obvious that the fight against cybercrime constitutes a purpose unrelated to the commercial activities carried out by such companies. Therefore, issues with regard to lawful processing and compatible use of personal data have to be considered as this collection and further use of the associated data in the fight against cybercrime could amount to an infringement of the right to the protection of personal data. 
The EDPS referred to the cooperation with the private sector in law enforcement activities on different occasions, recognising its sensitive nature. In particular, the EDPS is concerned about the issues raised by the involvement of a commercial actor, offering a specific service, in a sphere such as law enforcement where in principle only competent authorities are supposed to intervene, under the conditions foreseen in national law. 
Unfortunately, the Communication does not mention data protection as an element to be considered in the activities of the Centre. The EDPS calls on the Commission to consider that activities of EC3 should be based on a solid data protection scheme and that this should be reflected in its establishment, both in the terms of reference of the Centre and in the upcoming review of Europol's legal framework.
It concludes that -
Until the new Europol legislation becomes applicable, the EDPS recommends that the Commission sets forth such competences and data protection safeguards in the terms of reference for the Centre. These could include: a clear definition in which data processing tasks (in particular, investigations and operational support activities) the Centre's staff could be engaged, alone or in collaboration with joint investigation teams, and clear procedures that on the one hand ensure the respect of individual rights (including the right for data protection), and on the other hand provide guarantees that evidence has been lawfully obtained and can be used before a court. 
The EDPS considers that the exchanges of personal data of the EC3 with the "widest array of public, private and open source actors" imply specific data protection risks as they will often involve the processing of data collected for commercial purposes and international data transfers. These risks are addressed by the current Europol Decision which establishes that, in general, Europol should not exchange data directly with the private sector, and with specific international organisations only in very concrete circumstances. 
Against this background, and given the importance of these two activities for the EC3, the EDPS recommends that appropriate data protection safeguards should be provided in compliance with the existing provisions in the Europol Decision. These safeguards should be embedded in the terms of reference to be elaborated by the implementation team for the EC3 (and later in the revised Europol legal framework) and should in no event result in a lower level of data protection.
The Directive referred to in the EDPS Opinion is the subject of works such as Breyer's 'Telecommunications Data Retention and Human Rights: The Compatibility of Blanket Data Retention with ECHR' in 11(3) European Law Journal (2005) 365; Escudero-Pascual & Hosein's 'The Hazards of Technology Neutral Policy: Questioning Lawful Access to Traffic Data' in 47(3) Communications of the ACM (2004) 77 and 'The German Constitutional Court Judgement on data retention: proportionality overrides unlimited surveillance (doesn't it ?)' (Bepress, 2010) by de Vries, Bellanova, De Hert & Gutwirth.