The European Data Protection Supervisor (EDPS), Peter Hustinx, said that he had concerns about the "quite vague and broad" definition of 'cybercrime' that the Commission proposed in a cyber security strategy (the Strategy) it outlined earlier this year. The Strategy contains a number of initiatives aimed at reducing cybercrime, such as through the development of more resilient systems and encouraging better information sharing on security risks.
In its strategy document the Commission said that the term 'cybercrime' "commonly refers to a broad range of different criminal activities where computers and information systems are involved either as a primary tool or as a primary target". It said "traditional offences", such as fraud and identity theft, "content-related offences", such as the distribution of child pornography, and "offences unique to computers and information systems", such as malware or denial of service attacks, were all examples of 'cybercrime'.
However, the EDPS said that the Commission's definition was not clear enough, and that 'cybercrime' is not referred to on a consistent basis within a variety of EU legislation.
"In the absence of a common definition of the notion of 'cybercrime' in the legal framework of the EU, several measures planned in the Strategy relating to the fight against 'cybercrime' (such as measures to strengthen cooperation amongst law enforcement bodies) are not clearly linked to precise and well-defined offences," Hustinx said in a new opinion (26-page / 122KB PDF).
"A clear definition of the terms 'cyber-resilience', 'cybercrime' and 'cyberdefence' is particularly important since these terms are used as a justification for certain special measures which could cause interference with fundamental rights, including the rights to privacy and data protection. However, the definitions of 'cybercrime' provided in the Strategy and in the Cybercrime Convention remain very broad. It would be advisable to have a clear and restrictive definition of 'cybercrime' rather than an overreaching one," he added.
The EDPS also criticised the Commission's proposals for a new Network and Information Security (NIS) Directive. The draft Directive would, if introduced, require banks, energy companies and online trade platforms, among other firms, to adhere to new system security requirements and notify regulators of significant cyber breaches.
The EDPS said that the Directive should be amended to better account for data protection laws.
"Due respect of the principles of necessity and proportionality must be ensured, so that only the data strictly necessary for the purpose to be achieved are processed," the EDPS said. "This must be ensured not only by the public administrations and market operators that are experiencing the incident and processing data about it but also at the point of collection of personal data by the NIS competent authorities (i.e. in the incident notification form), in the design of the structured exchange of information through the cooperation network, and for the further transmission of personal data to other recipients (in particular to national and EU competent authorities)."
Safeguards should also be introduced to limit the personal data processing undertaken by regulatory bodies responsible for ensuring compliance with the NIS Directive, Hustinx said.
"If personal data have been compromised, specific procedures should be put in place to guide the handling of these cases by the NIS competent authorities together with data protection authorities," the watchdog said. "In the EDPS' view, it must be ensured that the extent of the personal data processing undertaken by NIS competent authorities fits within their mandate and does not interfere with the tasks of data protection authorities."
"While data protection authorities are entitled, as part of their mandate, to have access to personal data where necessary to help evaluate and remedy a personal data breach, the tasks of NIS competent authorities may not necessarily require knowing all details of the personal data that have been compromised," Hustinx added. "NIS competent authorities – whose mandate is not to investigate personal data breaches – should be allowed to collect and process personal data in the framework of a security incident only where this is strictly necessary."