
EUROPEAN COMMISSION
Viviane Reding
Vice-President of the European Commission, EU Justice Commissioner
The EU's Data Protection rules and Cyber Security Strategy: two sides of the same coin
NATO Parliamentary Assembly/Luxembourg
19 May 2013
SPEECH/13/436
The Internet is the infrastructure of the modern age. It accounted for more than 20% of
GDP growth in the world’s major economies over the last five years. If it were a national
economy, the Internet economy would already rank in the world’s top five.
The benefits of the Internet go far beyond its direct economic impact. It is one of the
most powerful agents for change, growth and jobs everywhere, and its impact is
particularly forceful in the developing world. It can reduce poverty by connecting local
communities to existing cultural and institutional structures. It can revolutionise
education through the provision of free access to courses and classroom lectures. We all
have seen how the Internet has promoted social and democratic reform across the
world. The Arab Spring is one of the large scale examples, but certainly not the only
one.
But the Internet is not only there for those who fight for progress and freedom. It can be
exploited for sectarian and extremist purposes. Hackers can use the Internet for financial
gain or for political goals. And as we could see during the war in Georgia, cyber-attacks
can be used as an additional tool in conventional warfare.
That's why, as policy-makers, we should always be aware of the challenges that go
along with the opportunities. These considerations are not relevant only for international
politics. The need to make sure that technological progress is in line with our values
applies also inside the European Union. As Europe's first Justice Commissioner I see that
the question of how our values apply to the online world is being asked with increasing
regularity.
Two recent cases stand out: the reform of the EU's data protection rules proposed by
the Commission in January 2012 and the Cyber-Security Strategy it unveiled in February
2013. Some might think that they are unrelated. Some may even murmur that they
serve different purposes and seek to achieve different goals. They would be mistaken.
The two initiatives are mutually reinforcing. I will make my point in two steps:

First, I will set out the shared objectives of these two initiatives: they reflect
the values on which the Union has been built and they contribute to the
creation of the digital single market serving 500 million citizens in the largest
economy in the world;

Second, I will explain how the protection of personal data complements
measures to promote cyber-security and shapes the fight against cyber-crime.
1/ Data Protection, Cyber-Security and the EU's values and goals
Data protection is a fundamental right in the EU. The reason for this is rooted in our
historical experience with dictatorships from the right and from the left of the political
spectrum. They have led to a common understanding in Europe that privacy is an
integral part of human dignity and personal freedom. Control of every movement, every
word or every mouse click is not compatible with Europe's fundamental values or our
common understanding of a free society.
This is why the Union's Charter of fundamental rights, our "Bill of Rights", recognises
both the right to private life in Article 7 and the right to the protection of personal data
in Article 8. But this is not all.
Article 16 of the Treaty on the Functioning of the European Union also gives the
European Union the legislative competence to establish harmonised EU data protection
laws that apply to the whole continent and that make the right to data protection a
reality.
Data protection is thus one of the rare fields where we have full coherence between the
fundamental right and the EU’s legislative competences. It is our responsibility as
political leaders to adapt and refresh the current rules.
Recent years have demonstrated that while the digital world brings enormous benefits, it
is also vulnerable. Cyberspace is the subject of incidents, malicious activities and
misuse. The Cyber-Security Strategy for "An Open, Safe and Secure Cyberspace" represents the EU's comprehensive vision on how best to prevent and respond to these
disruptions and attacks. It is the Union roadmap to the safety and security of the
Internet.
But the European Cyber-Security strategy is about more than security. Measures to
ensure safety and security online are not a goal in themselves. The overarching aim is to
make sure that the internet remains open and free. The goal is to ensure that the same
norms, principles and values that the EU upholds offline, also apply online. Fundamental
rights, democracy and the rule of law need to be protected in cyberspace. Our freedom
and prosperity increasingly depend on a robust and innovative Internet. The Cyber-Security Strategy is about our fundamental values.
The data protection reform and the Cyber-Security Strategy also share a second goal.
Both seek to build the EU's digital single market.
The EU already has a data protection law: a Directive which dates back to 1995. In the
intervening 18 years, the Member States have reacted to new technologies differently.
The result is an inconsistent patchwork of 27 different national laws. It entails huge legal
costs for firms who simply want to do business across the EU. The European Commission
is eliminating those costs by replacing the current Directive by one single clear set of
rules for all businesses in the Union – resulting in savings for companies of around 2.3
billion EUR per year.
Let me explain this more graphically. The 1995 Directive is 12 pages long. In Germany,
it has been transposed in the shape of a data protection law that is 60 pages long. Take
those 60 pages and multiply by 27 Member States, and you'll get an idea of what the
term "regulatory complexity" means in practice. We will replace this mountain of paper
with one law that is valid in all of Europe.
It meets the expectations of business to have a true digital single market with one single
law for data protection. One continent, one law. That’s what I call simplicity. That’s what
I call opening a market.
The proposed Network Information Security Directive which accompanies the Cyber-Security Strategy has a similar goal: it is also concerned with building a resilient digital
single market.
The Commission, together with the EU's Network Security Agency, ENISA, identified
clear gaps in the Member States' preparedness for cyber-attacks. We found that only a
handful of Member States cooperated on these issues. We consider that companies also
need to take cyber-security more seriously.
Indeed, the number of cyber-attacks and incidents is high and rising. Let me give you 3
examples from the past 3 years. In 2010, a cyber-attack on the London Stock Exchange
forced trading to stop for a day. In 2011, an outage affected millions of BlackBerry
users. In 2012, total internet cut-offs resulted from the mistaken cut of a sub-sea cable
between the UK and the Netherlands. Each of these incidents disrupted the provision of
services within the internal market.
The proposed Directive responds to these incidents. It requires Member States to
improve the level of national preparedness, for instance through the creation of
Emergency Response Teams. National authorities will be required to cooperate, notably
by informing each other of threats in good time. The Commission also wants to extend
the number of sectors – not just Telecoms but also banking, energy, health, transport –
which have to adopt Network Information Security management measures and to report
significant incidents to national authorities. The purpose is clear: to raise the level of
Cyber-Security in the EU in order to strengthen the digital single market.
Ladies and Gentlemen,
The EU wants to develop the digital single market. It wants to remain true to the values
on which it is founded. The EU's reform of its data protection rules and its strategy on
cyber-security serve both these purposes. But they have more in common than
objectives and aspirations. They are mutually reinforcing.
2/ The relationship between Data Protection and Cyber-Security
Personal data has become a highly valuable asset. The market for analysis of large sets
of data is growing by 40% per year worldwide. The currency of this new digital economy
is data and in many cases personal data.
But the free flow of any currency depends on a precious commodity: Trust. It is only
when consumers can 'trust' that their data is well protected that they will continue to
entrust businesses and authorities with it by buying online and accepting new product
developments and services. And trust is waning.
The figures tell the story. 92% of Europeans are concerned about mobile apps collecting
their data without their consent. 89% of people say they want to know when the data on
their smartphone is being shared with a third party. They want the option to give or
refuse permission.
EU citizens are also increasingly aware of the risks linked to Cyber-Security. According to
a Eurobarometer survey carried out last year, the level of concern about cyber-security
is increasing. 74% of respondents agreed that the risk of becoming a victim of
cybercrime has gone up in the past year.
It is in the interest of both governments and business to reverse these figures. This lack of
trust affects behaviour online. A modern set of data protection rules and greater cyber-security resilience will contribute to more people using more online services, which
directly translates into growth for the companies. People will also be more confident to
entrust their data to public administrations. This is the first way in which Data protection
rules and Cyber-Security measures are complementary.
It is in this spirit that the Commission, in its data protection reform proposal, has
introduced new concepts such as data protection by design and data protection impact
assessments. The goal is to make sure that companies and national administrations
don't collect and use more personal data than they need. This is good for citizens' rights. It
is also good for Governments and business.
Security breaches that affect personal data can have an enormous cost. Experts believe
that the hacker attack on Sony, in which the data of 77 million people was compromised,
cost the firm between 1 and 2 billion US dollars. That's what I call the cost of non-compliance. It is a cost which is both high and avoidable. By minimising the data stored,
you minimise the damage that can be caused by a successful attack. This is the second
way in which the two instruments are complementary.
This brings me to another connection between data protection and the fight against
cyber-crime.
The figures for the amount of criminal activity online, while being hard to quantify
exactly, are staggering. Cyber-security incidents, be they intentional or accidental, are
increasing at an alarming pace. Symantec estimates that the direct losses for victims of
cybercrime alone are in the order of 290 billion euros a year. Europol puts the annual
value of the global cybercriminal economy at one trillion US dollars.
The Cyber-Security Strategy puts forward a determined plan to respond to this threat. It
recognises that cyberspace is increasingly becoming a facilitator for organized crime in
all its forms.
The Strategy sets out a series of measures that should be taken within the EU to
address the threat. The creation of the European Cybercrime Centre at Europol marks a
significant step in this direction. The Strategy proposes measures to allow for
cooperation and exchange of best practices and information. It involves all the
communities concerned, from industry to law enforcement to the defence sector.
This cooperation should not stop at the borders of the EU. Cyber-security is borderless.
Therefore it is obvious that the EU should articulate a coherent international cyberspace
policy. It should enhance its engagement with key international partners and
organisations. Cyber-security issues are increasingly on the agenda of dialogues
between the EU and its key partners. There is a special focus on like-minded partners
that share our values, such as the US. But we cannot neglect those countries where the
approach to cyber-security might not be the same as ours. In a time where the global
network of cyberspace can be accessed from anywhere in the world, we are only as
strong as our weakest link. The EU must provide leadership on the global stage in this
common struggle.
The Union should be true to its values also in this context. Few would contest that
fundamental rights, such as the procedural rights of suspects and victims of crimes, are
the same online as they are offline. The same goes for data protection.
The international fight against cyber-crime often involves the collection of information
about the electronic behaviour of individuals. A law enforcement authority may require
information, sometimes personal data, held by a company. The law enforcement body
may be in one country and the company in another. How should such requests be
tackled? Two imperatives – data protection and law enforcement – have to be weighed
against each other. Sensible solutions that reconcile the two need to be found.
First, the imperative of data protection. When personal data is at stake, any information
sharing should be compliant with data protection law and take full account of
fundamental rights. When fighting cyber-crime, law enforcement authorities should
apply investigative measures as sophisticated as the software they are trying to fight.
Monitoring every click of every mouse would be simply inefficient. Companies should not
be forced to choose between compliance with one sovereign's data protection laws and
another's law enforcement measures. Bypassing the EU's data protection rules would
mean violating citizens' rights and exposing European companies to significant legal
risks. That's why our Mutual Legal Assistance Agreements have been negotiated. Let's
make sure they work effectively to solve these problems.
Second, the imperative of law enforcement. Data protection laws should be drafted in
such a way as to render the fight against crime winnable. This is what the Commission
has sought to achieve in its reform proposals. It has proposed a separate instrument on
data protection in the law enforcement sector. It affords law enforcement authorities the
flexibility they need to act. The Commission has also made sure that the data protection
reform package allows for international transfers of data where an important ground of
public interest applies. We recognise that while data protection is a fundamental right, it
is not absolute. It should shape but not prevent the fight against cyber-crime.
Conclusion
Ladies and Gentlemen,
The EU's Cyber-security Strategy outlines the EU's vision of how to build up its resilience
and make the EU's online environment the safest in the world. Its cornerstone is the
respect and protection of citizens' rights. This vision can only be realised through
cooperation between many actors. The EU is open to work with all partners, and to team
up with those that share its vision of a free and open internet. NATO should be one of
those partners. The Centre of Excellence and the Response Capability demonstrate that
NATO is also aware of the threat and awake to the dangers. It is obvious that there are
potential synergies to be exploited to deliver and promote our shared values and
freedoms. So let's act together to deliver a safe, free Internet for everyone.