Cyber Security Industry Alliance Newsletter •  Volume 2, Number 9 • May 2006

Global Perspectives


In June 2005, the European Commission launched a five-year strategy to boost the digital economy. Entitled: "i2010: a European Information Society for growth and employment", the initiative aims to foster growth and jobs in the information society and media industries. The project foresees a number of initiatives, including in the areas of network security and e-government.

The Commission has announced that it will present a Strategic Communication on Network and Information Security at the end of May 2006.

On 25 April 2006 the European Commission adopted an Action Plan on e-Government as part of the i2010 initiative. The Commission recognises that information and communication technology is the key to modernising government services: making them more efficient and more responsive. It is estimated that 100% take-up of electronic invoicing and electronic public procurement will save €300 billion every year. Member States signed up to an ambitious agenda to achieve these goals at a Manchester Ministerial Summit held in November 2005. The action plan proposes concrete steps towards achieving these goals.

"We are starting to see benefits from Europe’s investments in e-Government over the last few years, but we need to be more active in learning lessons from each other and getting the benefits of scale from adopting common approaches across borders", stated Viviane Reding, European Commissioner for the Information Society and Media. "e-Government is no longer just a political toy, it is the essential tool of government, for modernising Europe’s public administration", she added.

Among the key priority areas that need to be prioritised, the Commission calls for an enhanced access to technology and interoperability for all European citizens regardless of gender, age, nationality, income or disability. The Action Plan focuses on five major objectives for e-Government with specific objectives, including "Putting key enablers in place - enabling citizens and businesses to benefit, by 2010, from convenient, secure and interoperable authenticated access across Europe to public services".

The Action Plan is an integral part of the i2010 initiative, and is conceived as a tool to boost the Lisbon Agenda.


Data retention

The European Data Protection Supervisor (EDPS) has published his annual report for 2005. Some interesting aspects include:

  • For the first time, the EDPS made use of his right to intervene in cases before the European Court of Justice (ECJ). This was in the proceedings involving the transfer of airline passenger data to the US. The EDPS intervened in support of the conclusions of the European Parliament seeking to annul the decisions of the European Commission and the Council on this issue. The ECJ’s ruling is outstanding;

  • The identification by the EDPS of a number of technological developments which he sees as having important implications for data protection, namely the availability of unlimited bandwidth and storage capacity, ubiquitous network connections and the increasing use of web services to provide software (these services involve new forms of data processing).

  • Specific new technologies which the EDPS sees as having an impact on data protection include:

    • Radio frequency identification (RFID) tags

    • Ambient intelligence environments (this refers to environments in which humans use computing and networking technology unobtrusively embedded in their surroundings)

    • Identity management systems

    • Biometrics

The EDPS intends to "follow closely" the European Commission's review of the regulatory framework for electronic communications and services, including the E-Privacy Directive (2002/58/EC).

The Data Retention Directive was published in the Official Journal on 13 April 2006.


ENISA Update

The ECJ has ruled that the European Network and Information Security Agency (ENISA) was correctly established on the basis of the single market clause in Article 95 of the EC Treaty. The Court thereby rejected a legal challenge made by the United Kingdom.

"Network and information security is of key economic importance for the stability of the European economy, for the security of our society and to win the trust of consumers in new technologies", Viviane Reding, Commissioner for Information Society and Media, commented. "The Court’s judgement confirms the Commission’s view that rules which guarantee such safe, stable and trustworthy IT networks in Europe can be adopted on the basis of the EC Treaty’s single market rules. I am particularly glad that today’s ruling also gives legal certainty to the staff of ENISA in Greece, which I visited three weeks ago and whose valuable work I saw with my own eyes. I intend to make ENISA a key element of the Commission’s future work on network and IT security."

The United Kingdom had challenged the establishment of ENISA, which in its view should have been made by unanimity in the Council and with consultation of the European Parliament only (EC Treaty Article 308), as opposed to qualified majority in the Council and co-decision by the European Parliament and Council.


Internet governance and WSIS

The European Commission issued a Communication on 27 April 2006 setting out its priorities for implementing the international policy commitments made at the UN World Summit on the Information Society in Tunis last November. These include: safeguarding and strengthening human rights, in particular the freedom to receive and access information.

"The European Union must be at the forefront of an open, accessible and undivided worldwide Information Society and of a free exchange of information, ideas and opinions around the globe," said European Commissioner for Information Society and Media, Viviane Reding. "At the World Summit in Tunis last year, we made an important step towards a global consensus that the day-to-day management of the Internet should take place without the interference of any government. Now we must ensure that those commitments are fully implemented. Interventions in the core architecture of the Internet can no longer be justified if not made on the basis of globally accepted public policy principles."

The Communication addresses a number of issues:

  • "Cyber-repression", ie the misuse of ICT to help repressive regimes to restrict the free flow of information on the Internet. The Commission encourages companies to work on a code of conduct on this crucial issue, in close cooperation with NGOs.

  • On Internet governance, the Commission notes that the multi-stakeholder Forum on Internet governance (the first meeting of which will take place in Athens this autumn) and the enhanced cooperation model agreed at the Summit are a prerequisite for developing a worldwide commitment to fight effectively against spam and malware and to ensure the sustainability of the Internet as a global network.

  • On digital divide, the Commission proposed a new Partnership on Infrastructures in October 2005, which will cover areas such as ICT strategy and regulation, technology-neutral broadband networks and development of non-commercial pan-African electronic services.

  • EU action should include promoting international cooperation in ICT R&D, which is to become a priority in the EU’s new Framework Research Programme, with the opening-up of all activities to researchers from third countries and joint research programmes between the EU and specific countries or regions.

  • The Communication underlines the EU’s readiness to closely monitor attempts to call into question the neutral character of the Internet.

The Commission Communication will be discussed at the Telecom Council meeting scheduled for 8 June 2006 and the European Parliament Industry Committee meeting on 4 July 2006. =HTML&aged=0&language=EN&guiLanguage=en =HTML&aged=0&language=EN&guiLanguage=en


Online Public Procurement

The e-Government Action Plan issued by the Commission on 25 April 2006 (see section 1 above) includes access to government procurement on the Internet as one of its priorities. The Commission states that government procurement represents 15% of GDP or about €1.500 billion a year. The Member States have committed to achieving 100% availability and at least 50% take-up of procurement online by 2010, with an estimated annual saving of €40 billion. The Action Plan lays out a road map for achieving these goals as well as the practical steps required for such large-scale cross-border procurement pilots and full electronic handling of company documents.;=HTML&aged; =0&language;=EN&guiLanguage;=en; =HTML&aged;=0&language;=EN&guiLanguage;=en


Article 29 Working Party / RFID

The European Commission has announced that the next high-level workshop on RFID will take place in Brussels between 15 and 17 May 2006. Entitled: "RFID Security, data protection & privacy, health and safety issues", speakers on the draft agenda include: João da Silva, Director, Network and Communication Technologies Directorate in DG Information Society at the European Commission, Gerald Santucci, Head of Unit D5, DG Information Society, Ian Watmore, e-Government Unit in the UK Cabinet Office, Dirk Heymann, Procter & Gamble, Michael Pearson, Lloyds TSB Strategic Ventures and Pierre Sreffen, Airbus.

The contact person at the European Commission for registration is Ghislaine Craeghs, who can be reached at: [email protected]. The Commission has stated that numbers are limited and there has been an overwhelming amount of interest.

Gail Orton from Freshfields Bruckhaus Deringer has registered to attend at least part of this event on CSIA’s behalf.

The Article 29 Working Party issued its work programme for the years 2006-2007 on 5 April 2006. The Working Party "intends to concentrate on a limited number of strategic issues aiming at contributing to a common understanding" of key provisions of directives 95/46/EC (data protection directive) and 2002/58/EC (e-privacy directive) and ensure better implementation of them.

There is, however, a substantial list of issues on the agenda:

  1. Directive 95/46/EC: interpretation of key provisions, enforcement and contribution to future developments

  2. Input to Commission's Communications on Privacy Enhancing Technologies (PETs)

  3. Radio Frequency Identification (RFID), ubiquitous computing, ambient intelligence (impact of RFID applications with special emphasis on concept of personal data)

  4. Identity Management, especially in e-Government (including Private Identification Numbers (PINs) & biometrics as means of unique identification)

  5. E-Health Patients Records (with special emphasis on consent and processing of medical data)

  6. Archives & Privacy (with special emphasis on preservation of data and access)

  7. Children & Privacy (with special emphasis on exercise of rights)

  8. International transfers to third countries

  9. External communication and relations with public

  10. Directive 2002/58/EC (Interpretation and enforcement issues, spam, cookies, spyware, email services, etc, Review of Directive, eCall)

  11. Self Evaluation of WP documents as appropriate instrument to achieve harmonisation of national practice

  12. Other issues


Safer Internet Plus Programme

The April edition of the Safer Internet Newsletter focuses on the issue of privacy. It looks, inter alia, at how to raise awareness among children.


Other Issues of Relevance
  • Council of Europe Convention on Cybercrime: The Cybercrime Convention Committee held its first "Multilateral Consultation of the Parties" in Strasbourg, France on 21-22 March 2006, as provided for in the Convention. Abbreviated to T-CY, the meeting was chaired by Henrik Kaspersen of the Netherlands, with Betty Shave of the United Stated acting as Vice-Chair. The following participating nations stated their hope that they would become parties to the Convention in either 2006 or 2007: Austria, Germany, Japan, Liechtenstein, the Netherlands, Norway, Slovak Republic, Sweden, the United Kingdom and the United States. ENISA, the European Commission and Council were some of the other bodies invited to the meting. The fact that the European Commission and Council wish to join as members in their own right demonstrates the importance that they place on its work.

  • .eu: On 7 April 2006 at 11h00 the new European Top Level Domain .eu was made available to the general public. According to EURid, three hours later over half a million EU citizens had registered Internet addresses ending with .eu. As at 5 May 2006, there were over 1.5 million registrations.

    "Today, Europe’s competitive knowledge society becomes very visible to the world on the Internet", said Information Society and Media Commissioner, Viviane Reding when she presented the Internet domain to the press. "Europe and its citizens can now project their own web identity, protected by EU rules".

    The Commissioner announced that all EU institutions will migrate their web page and e-mail addresses from the current suffix to .eu on 9 May 2006, the European Day. The former addresses will however remain active for about a year. The European Commission can already be reached at:;=HTML& aged=0&language;=EN&guiLanguage;=en /06/159&format;=HTML&aged;=0&language;=EN&guiLanguage;=en

  • e-money: The European Commission has published a report setting out the findings of its review of the E-Money Directive, launched in July 2005. The purpose of this review was to provide evidence of the state of the e-money market in the EU-25, to evaluate the impact of national rules implementing the Directive, and to test to what extent the Directive's original objectives had been met. It concludes that the Directive has achieved most of its original objectives to a certain extent, although there are certain shortcomings in relation to uncertainty over scope and applicability, and the perceived disproportionality of the regulatory framework. Other findings are as follows:

    • Assessment of the EU e-money market - the e-money market has developed more slowly than expected. The take-up of card based e-money remains low in most Member States. Traditional credit institutions or electronic money institutions (ELMI) that have close ties to the banking sector issue most of the card-based e-money and non-bank issuers predominate in the market for server based e-money. The number of active ELMIs in Europe is low.

    • Impact of national rules implementing the Directive - the differences in national rules implementing the Directive that are most likely to impact on the development of the market relate to the implementation of the waiver, the interpretation of the scope and applicability of the Directive, and the existence or not of a customised set of rules regarding management, administrative and accounting procedures, internal control mechanisms, anti-money laundering rules etc.

  • Protection of personal data in the area of Justice and Home Affairs. On 4 October 2005, the Commission issued a Proposal for a Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters. The main issues debated so far in the Council are:

    1. Whether both police and judicial co-operation should be included in the scope of the draft Framework Decision

    2. The question of extending the scope to other law enforcement agencies other than the police

    3. The question whether the Framework Decision should also cover information which is transmitted to third States

    4. The question whether the scope of the Framework Decision should be confined to the cross-border transmission of information and the processing of data thus transmitted or whether it should - as foreseen in the Commission's proposal - also encompass data gathered and used in a purely domestic context.

  • Internet shopping: the UK’s Office of Fair Trading (OFT) has launched a fact-finding market study into Internet shopping to explore consumer confidence and consider the adequacy of the current consumer protection regime in this area.