
The EU's Cybercrime and Cyber-Security Rulemaking: Mapping the Internal and External Dimensions of EU Security

Published online by Cambridge University Press: 20 January 2017

Elaine Fahey*
Affiliation:
Amsterdam Centre for European Law & Governance (ACELG), University of Amsterdam. Email:[email protected].

Abstract

By taking the EU Cyber Strategy as a case in point, this contribution examines how the distinction between external and internal security in contemporary EU law manifests itself in large-scale risk regulation and in particular, how the EU relies upon external norms to regulate risk. This article also maps the evolution of the rule-making processes themselves.

Type
Articles
Copyright
Copyright © Cambridge University Press 2014


References

1 Heyvaert, Veerle, “Governing Climate Change. Towards a New Paradigm for Risk Regulation,” 74(6) The Modern Law Review (2011), pp. 817–844, at p. 823.

2 See, most famously, Ewald, François, “Two Infinities of Risk” in Massumi, Brian (ed.), The Politics of Everyday Fear (Minneapolis MN: University of Minneapolis Press, 1993) pp. 221–228; Fichera, Massimo and Kremer, Jens (eds.), Law and Security in Europe: Reconsidering the Security Constitution (Cambridge: Intersentia, 2013), especially Ch. 7. As a result, see its ‘absence’ from ‘highly effective’ risk regulation, e.g., Black, Julia and Baldwin, Robert, “Really responsive risk-based regulation,” 32(2) Law & Policy (2010), pp. 181–213.

3 See Florian Trauner, “The internal-external security nexus: more coherence under Lisbon?” (EUISS Occasional Paper No 89, March 2011), available at <http://www.iss.europa.eu/uploads/media/op89_The_internal-external_security_nexus.pdf> (last accessed on 25 November 2013); Trauner, Florian and Carrapico, Helena, “The external dimension of EU justice and home affairs after the Lisbon Treaty: analysing the dynamics of expansion and diversification,” 17 European Foreign Affairs Review (2012), 5.

4 “The EU Internal Security Strategy in Action: Five steps towards a more secure Europe,” COM(2010)673 final.

5 “Towards a European Security Model,” Council doc 5842/2/10, 2.

6 Black, Julia, “Decentring regulation: understanding the role of regulation and self-regulation in a ‘post-regulatory’ world,” 54(1) Current Legal Problems (2001), pp. 103–146.

7 de Goede, Marieke, “The politics of preemption and the War on Terror in Europe,” 14(1) European Journal of International Relations (2008), pp. 161–18, e.g. if institutionalised through listing, alerts or networks.

8 The Stockholm Programme: An open and secure Europe serving and protecting citizens, OJ 2010 C 115/01.

9 Cyber-security Strategy of the European Union: An Open, Safe and Secure Cyberspace, JOIN(2013) 1 final, Brussels, 7 February 2013. It was met with calls for its urgent implementation by defence officials: see Council doc 7847/13. The Directives are analysed in more detail in Section II.

10 EU-US Summit, Joint Statement, Council doc 16726/10, p. 3; Presidency Conclusions of the Cybercrime Conference, Budapest Conclusions, Budapest, 13 April 2011.

11 The EU Cybercrime Centre, based within an existing agency, Europol (“EC3”): “Tackling Crime in our Digital Age: Establishing a European Cybercrime Centre,” COM(2012) 140.

12 For e.g., “Parliament demands single EU voice on cyber-security” EUObserver.com, 13 June 2012. Contrariwise, attacks against the Commission and the EEAS in 2011 resulted in cyber-security reportedly being considered as a priority by the then Polish, Danish and Cypriot Trio of Presidencies of the Council.

13 “First Annual Report on the implementation of the EU Internal Security Strategy,” COM(2011)790; “The EU Internal Security Strategy in Action: Five steps towards a more secure Europe,” COM(2010) 673 final.

14 Cyber Security Strategy, supra note 9, 15.

15 E.g. David Thaw, “The Efficacy of Cybersecurity Regulation,” 30 Ga. St. U. L. Rev. (forthcoming), available at <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2298205>. See Brenner, Susan and Koops, Bert-Jaap (eds.), Cybercrime and Jurisdiction: A Global Survey (The Hague: Asser Press, 2006).

16 Informal Justice and Home Affairs Ministers’ Meeting, Cyber Security Issues, Discussion Paper (18-19 July 2013), Vilnius.

17 European Treaty Series (ETS), No. 185, Budapest, 23 September 2001.

18 See Clough, Jonathan, Principles of Cybercrime (Cambridge: Cambridge University Press, 2010).

19 Joseph Nye, “Cyber Power,” Belfer Center for Science and International Affairs Working Paper, May 2010, at p. 16, available at <http://belfercenter.ksg.harvard.edu/files/cyber-power.pdf> (last accessed on 21 January 2014).

20 It categorises cybercrime in four sets of categories in Articles 2-13 thereof: offences against the confidentiality, integrity and availability of computer data, computer-related offences, content-related offences and offences related to intellectual property rights. It is applicable to any crime for which it is necessary to collect evidence in electronic form, i.e. not just to cybercrimes: Art. 14(2)(c).

21 Although, on its enforcement provisions, it is argued that the Convention can be read to permit direct interaction between law enforcement and ISPs. This was the subject of review by the Council of Europe in 2013; see also Jack Goldsmith, “The Internet and the Legitimacy of Remote Cross-Border Searches,” University of Chicago Law School Public Law and Legal Theory Working Paper No. 16; 1 Chicago Legal Forum (2001), 103; Porcedda, Maria Grazia, “Transatlantic Approaches to cyber-security and cybercrime,” in Pawlak, Patryk (ed.), The EU-US Security and Justice Agenda in Action (EUISS Chaillot Paper, No. 127, 30 December 2011), <http://www.iss.europa.eu/uploads/media/cp127_EU-US_security_justice_agenda.pdf> (last accessed on 25 November 2013).

22 Opinion of the European Data Protection Supervisor of 14 June 2013 on the Cyber Security Strategy and Directive, at <https://secure.edps.europa.eu/EDPSWEB/edps/Consultation/OpinionsC> (last accessed 25 November 2013).

23 Informal Justice and Home Affairs Ministers’ Meeting, supra note 16.

24 European Parliament resolution of 23 October 2013 on the suspension of the TFTP agreement as a result of US National Security Agency surveillance (2013/2831(RSP)).

25 See Joint Press Statement following EU-US Justice and Home Affairs Ministerial Meeting of 18 November 2013, Council 16418/13, 18 November, 2013.

26 E.g. Commission Communication, “Network and Information Security: proposal for a European Policy Approach,” COM(2001) 298; “Strategy for a Secure Information Society,” COM(2006) 251; “Protecting Europe from large-scale cyber-attacks and disruptions: enhancing preparedness, security and resilience,” COM(2009) 149; Council Directive 2008/114/EC on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, OJ 2008 L 345/75.

27 Cyber Security Strategy supra note 9, at 3.

28 E.g. Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge: Cambridge University Press, 2013).

29 The EU Counter-terrorism Coordinator is a participant in the EU-US cooperation.

30 p. 3, i.e. where computers and information systems are involved either as a primary tool or primary target, comprising traditional offences, content-related offences and offences unique to computers and information systems.

31 See Opinion of the European Data Protection Supervisor, supra note 22.

32 At p. 8.

33 At p. 13.

34 But notably not including the UN.

35 Emphasis supplied, at p. 15.

36 P. 17.

37 The Commission; the European Network and Information Security Agency (ENISA); the Computer Emergency Response Team (CERT-EU); national networks of competent authorities responsible for NIS; and “EP3R”, the entity which partners the public and private sector (i.e. NIS globally); EC3, the European Police College (CEPOL) and Eurojust (i.e. law enforcement); the EEAS and the European Defence Agency (i.e. defence); CERT, NIS Competent Authorities (i.e. NIS), cybercrime units (i.e. national law enforcement) and national defence and security authorities (i.e. defence).

38 Directive concerning measures to ensure a high common level of network and information security across the Union: COM(2013) 48 final.

39 Art. 6.

40 The latter pursuant to Art. 7, said to act under the supervision of the competent authority.

41 Art. 8.

42 COM(2013) 48, at pp. 8–9.

43 Small and medium-sized enterprises are excluded: Art. 14(8); the obligations only apply within the EU. See Annex II. This contrasts with the extensive voluntary programme provided for in the recent US Cybersecurity Executive Order: see Section III below.

44 He criticises in particular its compliance with data protection obligations (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data) and the obligations incumbent upon microenterprises: Opinion supra note 22, 16–17.

45 P. 15.

46 Specifically in the area of EU Gender Equality law, whereby Art. 8 TFEU mandates the integration and promotion of equality between men and women in all areas of EU policy. See also the mainstreaming of basic values into the legislative process. It is a central tool of the European Pact for Gender Equality 2011–2020 and the Strategy for Equality between Women and Men 2010–2015. See Laurent Pech, “Rule of Law as a Guiding Principle of the European Union's External Action,” 2012/3 CLEER Working Paper, available at <http://www.asser.nl/default.aspx?site_id=26&level1=14467&level2=14468&level3=&textid=40218> (last accessed on 25 November 2013).

47 Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems, OJ 2005 L 69/67.

48 See for e.g., Report from the Commission to the Council based on Art. 12 of the Council Framework Decision of 24 February 2005 on attacks against information systems, COM(2008) 448 final; Council Conclusions concerning an Action Plan to implement the concerted strategy to combat cybercrime, 3010th General Affairs Council meeting (Luxembourg, 26 April 2010).

49 See Mitsilegas, Valsamis, “Area of Freedom, Security and Justice, including Information Society Issues” in Laffranque, Julia (ed.), FIDE Congress XXV Reports: General Report, 4041 (Tallinn, Estonia, 2012); Commission Communication, “Towards a general policy on the fight against cybercrime,” COM(2007) 267 final.

50 Botnets are networks of computers infected by malware which can be activated without the users’ knowledge to attack information systems on a large scale. See Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA, OJ 2013 L 218/8. See its previous draft: COM(2010) 517 final.

51 The UK has stated that it will opt into the Directive, on the basis that the Directive explicitly states that it will not change existing EU competence. See “United Kingdom Report”, in Mitsilegas (ed.), “Area of Freedom, Security and Justice”, supra note 49, at 655–681. See also European Parliament LIBE briefing, June 2012, 2010/0273.

52 “Cybercrime: EU citizens concerned by security of personal information and online payments,” IP/12/751, 9 July 2012. On so-called post-Lisbon third-generation EU criminal law and its relationship to the internal market, see Fichera, Massimo, “Criminal law beyond the State: The European Model,” 19 European Law Journal (2013), pp. 174–200.

53 The Council in 2008 began plans to institutionalise cybercrime in EU law with the development of so-called “platforms”, a national alert “platform” and a European “platform”, convergence points of national platforms within the competence of Europol: Justice and Home Affairs Council Conclusions, Council doc 14667/08, pp. 8–10. See draft Council Conclusions on a Concerted Work Strategy and Practical Measures against Cybercrime, Council doc 15569/08.

54 See Action Plan Implementing the Stockholm Programme, COM(2010)171 final, at p. 34.

55 See supra note 11, at p. 3. See its website: <https://www.europol.europa.eu/content/megamenu/european-cybercrime-centre-ec3-1837> (last visited 25 November 2013). It is not a “functionally autonomous” body similar to the European External Action Service.

56 E.g. as to Europol, Eurojust, ENISA and a European Public Prosecutor's Office, pursuant to Articles 85 and 86 TFEU. See Busuioc, Madalina, European Agencies: Law and Practices of Accountability (Oxford: Oxford University Press, 2013). The status of such entities is subject to change: see Draft Regulation on the European Union Agency for Law Enforcement Cooperation and Training (Europol) and repealing Decisions 2009/371/JHA and 2005/681/JHA, COM(2013) 173 final. To similar effect, see Proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Criminal Justice Cooperation (Eurojust), COM(2013) 535. Others the subject of modernisation include ENISA, established by Council Regulation (EC) 460/2004; see COM(2010) 521. See also the proposal for a European Public Prosecutor's Office: COM(2013) 534 final.

57 “Europol wants to host EU cybercrime centre,” EUObserver.com, 14 November 2011. At the launch of the Centre, Europol was asserted to have previously lacked sufficient resources to gather information from a broad range of sources and to have lacked the capacity to deal with requests from law enforcement agencies, the judiciary and the private sector.

58 A point not considered in much detail in the Feasibility Study for a European Cybercrime Centre, RAND Corporation, 2012, prepared for the European Commission. Notably, Interpol representatives will sit on its board and Interpol will reportedly launch its own Cybercentre in 2015. While non-duplication of EU rules with international rules is an aim of the EU, international cooperation is a function of the Centre.

59 Wall, David, Cybercrime: The Transformation of Crime in the Information Age (Polity Press, 2007); see also Wall, David, “Cybercrime and the Culture of Fear: Social Science fiction(s) and the production of knowledge about cybercrime,” 11(6) Information, Communications and Society (2008), pp. 861–884, writing of a “series of myths”: at 862.

60 “Cyber security incidents rarely reported: EU Agency,” Euractiv, 27 August 2012, citing an ENISA report (‘Cyber Incident Reporting’, August 2012) mentioning 51 notifications of “large” incidents by regulators. On ENISA, see supra note 56.

61 “Cybersecurity incidents are increasing at an alarming pace”: Strategy, p. 3; Impact Assessment, Strasbourg, 7 February 2013, SWD(2013) 32 final, at 12–14. Cf. Bendiek, Annegret and Porter, Andrew, “European Cyber Security Policy within a Global Multistakeholder Structure,” 18 European Foreign Affairs Review (2013), pp. 155–180.

62 EU Cybersecurity plan to protect open internet and online freedom and opportunity, IP/13/94, 7 February 2013.

63 See supra note 51.

65 See Bendiek and Porter, “European Cyber Security Policy,” supra note 61.

66 E.g. Black, Julia, “Enrolling actors in regulatory systems: examples from UK financial services regulation,” Public Law (2003), pp. 63–91.

67 See generally Black and Baldwin, “Really responsive risk-based regulation,” supra note 2.

68 See COM(2013) 48 final, SWD(2013) 32 final, 2. “EP3R” (see supra note 37) is described as the device where the private sector was consulted, and a public online and written consultation conducted yielded 179 responses, including from public authorities and NGOs: p. 7. The manner of portraying this procedure is not particularly explicit or detailed.

69 See De Witte, Bruno, “New Institutions for Promoting Equality in Europe: Legal Transfers, National Bricolage and European Governance,” 60 American Journal of Comparative Law (2013), 49, at p. 58, fns. 28 and 29.

70 Opinion of the European Data Protection Supervisor of 14 June 2013 on the Cyber Security Strategy and Directive, available at <https://secure.edps.europa.eu/EDPSWEB/edps/Consultation/OpinionsC> (last accessed 25 November 2013).

71 See Fahey, Elaine, “Law and Governance as checks and balances in Transatlantic Security,” 32 Yearbook of European Law (2013), 121. See also, on transatlantic rulemaking, Fahey, Elaine and Curtin, Deirdre (eds.), A Transatlantic Community of Law: Legal Perspectives on the Relationship between the EU and US Legal Orders (Cambridge: Cambridge University Press, 2014).

72 See Herlin-Karnell, Ester, The Constitutional Dimension of European Criminal Law (Oxford: Hart, 2012).

73 “Creating a safer Information Society by improving the security of information infrastructures and combating computer-related crime”: COM(2000) 890 final.

74 See Section II. It entered into force on 1 July 2004 and was drafted by the Council of Europe Member States and Canada, Japan, South Africa and the US.

75 Until recently. See “European Commission seeks high privacy standards in EU-US data protection agreement,” IP/10/609, Brussels, 26 May 2010. See the Press Release of 4 April 2013, <http://www.justice.gov/opa/pr/2013/April/13-ag-382.html>, on discussions between the US Attorney General and Vice-Commissioner Reding. The LIBE committee of the European Parliament was debriefed on the negotiations in February 2013: LIBE(2013)0220_1.

76 EU-US Working Group on cyber-security and cybercrime, Concept Paper, 13 April 2011. Annex I. It set a deadline for ratification before the 10th Anniversary celebration of the Convention in 2011.

77 See Commissioner Malmstrom, “Next step in the EU - US cooperation on Cyber security and Cybercrime” SPEECH/13/380, 30 April 2013.

78 Concept paper, p. 6.

79 For example, holding open workshops for a broad range of private and public actors and publishing the lists of all of the participants: available at <http://www.enisa.europa.eu/activities/Resilience-and-CIIP/workshops-1/2012/eu-us-open-workshop> (last accessed on 21 January 2014).

80 Notably, the US is not a member of the Council of Europe but took part in the drafting of the Convention and has signed and ratified it domestically: see Fahey, Elaine, “On the use of law in Transatlantic Relations: Legal Dialogues Between the EU and US,” 20(2) European Law Journal (forthcoming).

81 COM(2010) 517 final, p. 2.

82 Concept Paper, p. 4.

83 Cf. the Commission's advocacy of the Convention, emphasising how the Convention had been signed by 25 out of the 27 Member States and ratified by 15 of them: supra note 66. See the ratification table at <http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=&DF=&CL=ENG> (last accessed on 25 November 2013).

84 WGCC Concept Paper, p. 3. However, ICANN appears increasingly eager to interact publicly with the internet governance community: see <http://www.icann.org/en/news/announcements/announcement-07feb13-en.htm> (last accessed on 25 November 2013).

85 “Summary of Conclusions of the EU-US JHA Informal Senior Officials Meeting of 25-26 July,” Council doc 13228/11, p. 3.

86 Cf. “Critical Information Infrastructure Protection: Achievements and next steps: towards global cyber-security,” COM(2011) 163 final.

87 “Parliament demands single EU voice on cyber-security,” supra note 12.

88 Executive Order 13636, Improving Critical Infrastructure Cybersecurity, Federal Register 78, No. 33 (19 February 2013). See the Comprehensive National Cybersecurity Initiative, which employs commercial and government technology to engage in threat-based decision-making, available at <http://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative> (last accessed 25 November 2013). See also The 2013 Cybersecurity Executive Order: Overview and Considerations for Congress, Congressional Research Service 7-5700 R42984 (1 March 2013).

89 See “EU, US go separate ways on cybersecurity,” Euractiv, 5 March 2013; Bendiek and Porter, “European Cyber Security Policy,” supra note 61.

90 See more generally Wiener, Jonathan, Swedlow, Brendon, Hammitt, James, Rogers, Michael and Sand, Peter, “Better Ways to Study Regulatory Elephants,” 2 European Journal of Risk Regulation (2013), pp. 311–319.

91 See, e.g., the significant emphasis on the ICANN website on transparency and accountability-related activities: <http://www.icann.org/>.

92 For a recent survey by the European Parliament, see Library of the European Parliament, “Principal EU-US disputes” (22 April 2013), <http://www.europarl.europa.eu/RegData/bibliotheque/briefing/2013/130518/LDM_BRI(2013)130518_REV1_EN.pdf>.

93 E.g. Facebook, Google, Twitter.

95 Cf. media reports that the US Foreign Intelligence Surveillance Amendments Act (FISAAA) granted powers to grab EU data in US clouds: “US free to grab EU data on American clouds,” EUObserver.com, 28 January 2013.

96 “Europe pushes own digital ‘cloud’ in wake of US spying scandal,” Euractiv, 29 August 2013.

97 Joint Press Statement following EU-US Justice and Home Affairs Ministerial Meeting of 18 November 2013, Council 16418/13 (Brussels, 18 November 2013). See “Report on the Findings by the EU Co-chairs of the Ad Hoc EU-US Working Group on Data Protection,” Council doc 16987/13, 27 November 2013, and “Rebuilding Trust in EU-US Data Flows,” COM(2013) 846 final. The latter references the role of the US within the Council of Europe Convention on Cybercrime as evidence of promotion of privacy standards internationally, at 9.

98 Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) COM(2012) 11 final. Recent developments suggest that the adoption of a General Regulation will not occur until 2015, well after an outcome to the EU internal and external rule-making processes.

99 See Eilís Ferran and Kern Alexander, “Can Soft Law Bodies be Effective? Soft Systemic Risk Oversight Bodies and the Special Case of the European Systemic Risk Board,” University of Cambridge Faculty of Law Research Paper No. 36/2011; Ottow, Annette, “Europeanization of the Supervision of Competitive Markets,” 18(1) European Public Law (2012), pp. 191–221; Moloney, Niamh, Ferran, Eilís, Hill, Jennifer and Coffee, John, The Regulatory Aftermath of the Global Financial Crisis (Cambridge: Cambridge University Press, 2012); Fahey, Elaine, “Does the Emperor Have Financial Crisis Clothes? Reflections on the Legal Basis of the European Banking Authority,” 74 The Modern Law Review (2011), pp. 581–595; Busuioc, Madalina, “Rulemaking by the European Financial Supervisory Authorities: Walking a Tight Rope,” 19(1) European Law Journal (2013), pp. 111–125.

100 Something which has recently been impugned with success in the Opinion of Advocate General Jääskinen in C-270/12, United Kingdom v Council and Parliament, of 12 September 2013, striking down the use of Article 114 TFEU in Article 28 of Regulation (EU) No 236/2012 of the European Parliament and of the Council of 14 March 2012 on short selling and certain aspects of credit default swaps, vesting powers in the European Securities and Markets Authority (“ESMA”).

101 Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC, OJ 2013 L 176/338.

102 Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, COM(2012) 11, Articles 31 and 32. See also the discussion of obligations on actors and institutional design in risk infrastructure, for example as to product safety in respect of Article 114 TFEU, in Fahey, “Does the Emperor Have Financial Crisis Clothes,” supra note 99.

103 Pursuant to Article 30 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 (the European Banking Authority (EBA) Regulation). According to the EBA, peer review focuses on methods and examples of best practice, and considers (i) stress-testing governance structures and their use, (ii) possible methodologies, including the appropriate severity of scenarios and potential mitigating measures during stressed conditions, and (iii) the overall impact of risk on the institution.

104 Consultation on Draft Recommendation on the use of Legal Entity Identifier (LEI) (EBA/CP/2013/42, 28 October 2013).

105 Thaw, “The Efficacy of Cybersecurity Regulation,” supra note 15.

106 “EU Develops New Cybersecurity Rules,” Wall Street Journal, 4 February 2013.

107 E.g. Council Directive 2009/71/Euratom of 25 June 2009 establishing a Community framework for the nuclear safety of nuclear installations.