Cyber Security Industry Alliance Newsletter • Volume 2, Number 7 • March 2006

Global Perspectives

Data retention

Austria, Belgium, the Czech Republic, Cyprus, Estonia, Greece, Latvia, Lithuania, Luxembourg, The Netherlands, Slovenia, Sweden and the United Kingdom have all opted to extend the period for implementing the provisions on Internet data from 18 months to 36 months. Links to declarations made by the Commission and member states in relation to the Data Retention Directive:

Review of Regulatory Framework

The Commission has published the list of non-confidential contributions to its consultation on the review of the regulatory framework, in which CSIA participated. Other organizations that submitted (public) comments include:

  • AeA Europe
  • BSA
  • EuroISPA (European Internet Service Providers’ Association)
  • Intel
  • Microsoft
  • Skype
  • Yahoo
  • A number of telecoms operators

Link to the complete list:

The Communications Committee (COCOM), established by the regulatory framework, assists the Commission in carrying out its executive powers. It provides a platform for an exchange of information on market developments and regulatory activities. COCOM adopted a working document on the review of the regulatory framework on 1 February 2006. The document examines three sections, one of which is security and integrity.

COCOM questions whether the current provisions provide an adequate legal framework to protect citizens and to promote consumer trust and confidence in the information society while contributing to the development of the internal market. COCOM also notes that Article 4 of the E-Privacy Directive (2002/58/EC) requires service providers to take measures to safeguard the security of their services, but that notification of security breaches is not required.

Additional questions raised by COCOM to national representatives include:

  • What is the impact of the current legal provision on the levels of security and integrity in your country?
  • Should more specific requirements be defined at the EU level? What improvements would you suggest? Would specific remedies or penalties be needed?

Link to COCOM’s working document:

ENISA Update

ENISA’s Management Board held its first regular meeting of 2006 on 3 March. For the first time since ENISA moved its seat and set up operations in September 2005, this meeting took place in Crete. The main items on the agenda were:

  • Adoption of the Work Program for 2006;
  • Information Security Working Group plans for 2006;
  • Discussing the draft work program and preliminary draft budget for 2007; and
  • Update on the state of play of ENISA’s activities.

Another important issue that was tabled was the idea of extending involvement of the Permanent Stakeholders Group (PSG) to the Working Groups and trying to encourage closer cooperation. The meeting took place behind closed doors and the minutes have not yet been published.

The Management Board is composed of representatives of the 25 member states, three representatives from the European Commission and three stakeholders (notably from industry, academics and consumer organizations). There are also three observers from the European Economic Area (EEA) countries (Iceland, Norway and Liechtenstein).

Article 29 Working Party / RFID

The European Commission launched a public consultation on radio frequency ID tags on 9 March 2006 at a high-level conference on RFID organised at the CeBIT 2006 trade fair in Hannover, Germany. Commissioner Reding, responsible for Information Society & Media, said "we need to build a society-wide consensus on the future of RFID, and the need for credible safeguards". The Commission’s public debate will centre on a number of workshops with the aim of building consensus on key issues associated with the use of RFID. The workshops will address RFID applications, end-user issues, interoperability and standards, and frequency spectrum requirements. They will take place between March and June 2006, and their conclusions will be used by the Commission to draft a document on RFID, which will be the subject of an online consultation. The Commission will then draft a Communication on RFID, to be adopted before the end of the year.

The Commission has acknowledged that this work on RFID could also feed into the review of the E-Privacy Directive (2002/58/EC) which is due to take place this year. The Commission will also be considering other legislative measures for RFID, such as decisions on the allocation of spectrum.

The Commission is engaged in exchanges of information with the US and Asia on RFID technologies, "in order to define globally-accepted interoperability standards and practices with regard to data privacy and ethical principles when applying the technology".

Links to press release and FAQ:

The Article 29 Working Party, which was set up under Article 29 of the Data Protection Directive (95/46/EC) to act as an independent advisory body on data protection and privacy, adopted an opinion on 21 February 2006 regarding the extent to which the screening of e-mails for viruses, spam and certain other pre-determined content is consistent with the E-Privacy Directive and other privacy laws.

The Working Party decided to publish an opinion on this topic because of the perceived uncertainty about the compatibility of the filtering of e-mail communications with data protection legislation (the Data Protection Directive 95/46/EC and the E-Privacy Directive 2002/58/EC), and the request for guidance from stakeholders.

Link to the opinion: