Tag Archives: ICO

EU cyber security directive considered harmful

On the Light Blue Touchpaper blog of the University of Cambridge Computer Laboratory's security research group, Ross Anderson commented on the European Commission's new proposal for a cybersecurity directive, which he argues could be “harmful”. His main objection is that it would create an enlarged, centralised bureaucracy.

“Yesterday the European Commission launched its new draft directive on cybersecurity, on a webpage which omits a negative Opinion of the Impact Assessment Board. This directive had already been widely leaked, and I wrote about it in an EDRi Enditorial. There are at least two serious problems with it.

The first is that it will oblige Member States to set up single “competent authorities” for technical expertise, international liaison, security breach reporting and CERT functions. In the UK, these functions are distributed across GCHQ, MI5/CPNI, the new NCA, the ICO and various private-sector bodies. And the UK is relatively centralised; in Germany, for example, there’s a constitutional separation between police and intelligence functions. Centralisation will not just damage the separation of powers essential in any democracy, but will also harm operational effectiveness. Most of our critical infrastructure is in the hands of foreign companies, from O2 through EDF to Google; moving cybersecurity cooperation from the current loose association of private-public partnerships to a centralised, classified system will make it harder for most of them to play.”

Read the whole comment HERE


What a surprise (not)! UK's ICO attacks the draft data protection regulation

According to computerweekly.com, Christopher Graham, the UK’s Information Commissioner, considers that the proposals for the new European data protection framework are over-engineered and need a lot of work.

In their current form, the proposals are also unaffordable because regulators would need a small army of staff to cope, he told a Westminster eForum seminar in London.

“The draft proposals demand that data protection authorities must impose fines for a whole list of things classified as data breaches, leaving no room for regulators to exercise discretion,” said Graham.

European data protection authorities, he said, would never be able to get enough funding to implement and enforce all the proposals to the letter as they now stand.

“The result would be that they be forced to pick and choose [which to enforce], which would lead to inconsistencies across Europe,” he said.

Many of the regulations would also go unenforced, he said, leaving Europe with less effective data protection regulation than is currently in place.

“Surely it is possible to get agreement to say instead that data protection authorities may impose fines, rather than must,” said Graham.

Read the whole story HERE.