Non-executive board members may be well advised to acquaint themselves with new European Union (EU) legislation that may force their companies to yield up data if law enforcement authorities think it may help prevent crime.
New legislation has been passed by the EU amidst continuing debate over the issue of mandatory “backdoor” access to encrypted data—highlighted by the FBI’s request for information from Apple over the San Bernardino shootings.
The new laws underpin these rights for law enforcers:
- The so-called “Europol regulation” (EU) 2016/794—in force from May 2017;
- A general data protection regulation (EU) 2016/679—in force from May 2018;
- A directive on the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences (2016/680)—to be implemented from May 2018.
These laws lay down the rules by which police can collect such information and pass it on to supra-national bodies such as the EU police agency Europol.
An annexe of the Europol regulation lists the categories of data that may be collected.
These include: details of directorships and links with companies; bank and credit contacts; a person’s tax position and “other information revealing a person’s management of their financial affairs”.
Company directors must co-operate with police requests for such information, although they can appeal to data protection officials in their countries, if they feel a request is unjustified.
So far, of course, there is inadequate case law to determine how the new regulations and directive will be enforced, but the Europol regulation gives pretty broad powers—requests can be made whenever there is a criminal investigation—so it is inevitable that board members will be facing some tough decisions on protecting their data.
The EU’s executive, the European Commission, is hopeful that the EU legislation balances the rights of companies to protect data with the needs of law enforcement to fight crime.
Commenting on “backdoor” automatic data access systems, Andrus Ansip, the Commission’s vice-president for the digital single market, said: “I am against them. If you are going to have public trust in systems which rely on the internet, you cannot have backdoors.”
And it would appear that—for now—EU law enforcement is prepared to go along with this.
A face-saving deal struck in May between Europol director Rob Wainwright and Udo Helmbrecht, director of ENISA (the European Union Agency for Network and Information Security), on how law enforcers will use this new EU legislation came out against mandatory backdoors. However, it left open the possibility of unspecified future measures to secure necessary data in specific cases.
Europol insisted to Board Agenda that the “deal” was not binding on policy, and a spokesperson said: “Europol is an operating body of the EU—when it comes to actual policy-making, it’s all decided at a level much higher than us.”
Commenting publicly on the agreement, Wainwright said: “The new powers will also improve Europol’s ability to act as the EU’s information hub in the fight against terrorism and serious organised crime.”
The Europol-ENISA statement was an attempt to resolve perceived differences between the two men on the subject of access to encrypted corporate data, saying: “Proposals to introduce mandatory backdoors to weaken encryption would [as well as providing access to messages] also increase the attack surface for malicious abuse.”
It concluded: “When circumvention is not possible, yet access to encrypted information is imperative for security and justice, then feasible solutions to decryption without weakening the protective mechanisms must be offered, both in legislation and through continuous technical evolution.”
Although this statement strikes a different chord from the tone of the FBI in its clash with Apple, it seems to leave open the possibility that European security forces will use whatever means they see fit to access whatever data they may need to protect the public at any given time.
And the issue will probably get more complex. Looking further ahead, company directors will have to update themselves on what kinds of data are being collected by the “internet of things”—internet-connected thermostats or driverless cars, for example—and be aware of the types of data government agencies in different jurisdictions will be able to access.
Bruce Schneier, a Harvard University fellow at the Berkman Center for Internet and Society, told Board Agenda: “The Internet of Things is basically turning the world into a robot. We are on the cusp of a sea-change in the world of data and it really is impossible to predict how that change will affect society and legislation.
“I believe we need a new agency to centralise expertise and advise others. Governments will regulate these new technologies, and data security and encryption will be part of that.”
The Europol-ENISA deal was summed up by Giovanni Buttarelli of the EDPS (European Data Protection Supervisor), when he said in May that enforcement agencies’ need for information access should be balanced with privacy issues.
He said that security agencies could improve their ability to combat threats by working more closely together, rather than seeking access to corporate data or personal data held by companies.
He said: “Backdoors are not the solution to cybersecurity; they would be a new and dangerous part of the problem.”
Buttarelli also touched on the Internet of Things. “A Trojan horse or built-in vulnerability in all smart devices would allow collection of information on a much greater scale than ever before.
“It would set a precedent for the emerging Internet of Things where a whole range of everyday devices and objects will be connected.”
Buttarelli backs a right to encrypt, but alongside strengthening powers to help police access company and personal data. His department will oversee data compliance next year under the terms of the Europol regulation.
With so much inter-jurisdictional complexity operating in the background to EU policy, board directors will have to develop their ability to keep up with developments in different countries.
The UK is soon to pass a law offering police greater powers to access data; in Germany and Italy, case law has recently established separate and varying rules.
The German Federal Constitutional Court ruled this year that police had acted in a disproportionate manner when collecting data, while the Italian Court of Cassation ruled in April that information gathered by attaching Trojans to electronic devices was permissible.
Simon Placks, director of cybercrime investigations at Deloitte LLP, works with clients all over continental Europe to advise them on security and data compliance issues. He said: “Companies are getting better at putting data and security at the centre of what they do rather than leaving it to the IT department. This is vital.”
Placks said that with regard to law enforcement, directors in industries such as social media, smart devices and banks needed to look at what kind of information the police might want from them.