Categories
Articles

ENISA: “Right to be Forgotten” has limits

ENISA’s study on the “Right to be Forgotten” contains useful reminders that once information is published on the Internet it may be impossible to completely remove it. Implementing a right to be forgotten would involve four stages: Identifying and locating the information to be removed; Tracking all copies that may have been made, including unauthorised […]

Categories
Articles

EU DP Supervisor on Cloud Computing

A new Opinion of the EU Data Protection Supervisor discusses some of the problems in applying the current Data Protection Directive to public cloud services, and how these might be done better under the proposed Data Protection Regulation. Particular challenges include Although the Directive claims to regulate “transfers” of personal data out of the EEA, […]

Categories
Articles

Legal issues in dealing with Botnets

An interesting paper from ENISA and the NATO Cyberdefence Centre illustrates the narrow space that the law allows for incident response, and the importance of ensuring that new laws don’t prevent incident response teams from protecting networks, systems, their users and information against attack. By comparing the details of German and Estonian law, the report […]

Categories
Articles

Justice Committee: “Back to the drawing board” on Data Protection Regulation

The House of Commons’ Justice Committee has published a critical report on the European Commission’s proposals for a new Data Protection Regulation and Directive. While recognising the potential benefits to be had from reducing the current differences between Data Protection laws in different Member States the Committee considers the current text to be much too […]

Categories
Articles

Information Commissioner Guide to Cloud Computing

The Information Commissioner has published new Guidance on the Use of Cloud Computing for organisations who are, or are considering, using cloud services to process personal data. The benefits of clouds are recognised: these may include “increased security, reliability and resilience for a potentially lower cost”. However cloud customer organisations may also “encounter risks to […]

Categories
Articles

Progress on a European approach to Cloud Computing

The ASPIRE study on the future of National Research and Education Networks calls for European NRENs to work together on a common approach to cloud computing. The European Commission has just published a Cloud Strategy that also seeks a common European approach, noting that “faced with 27 partly diverging national legislative frameworks, it is very […]

Categories
Articles

ENISA on cyber incident reporting

ENISA have  published an interesting report on cyber incident reporting. Their scope is wide – incidents range from the failure of a certificate agency to storms creating widespread power (and therefore connectivity) outages. In each of these areas they find a common pattern, where governments are trying to encourage (or mandate) notification of incidents in […]

Categories
Presentations

Cooperation between CERTs and Law Enforcement

I participated in an interesting discussion last week at ENISA’s Expert Group on Barriers to Cooperation between CERTs and Law Enforcement. Such cooperation seems most likely to occur with national/governmental CERTs but I’ve been keen to avoid recommendations that they be given special treatment, not least because of the risk that such treatment might actually […]

Categories
Articles

MoJ Summary of Data Protection Responses

The Ministry of Justice have published a summary of the responses to their consultation on European Data Protection proposals. On the issues we raised around Internet Identifiers, Breach Notification and Cloud Computing there seems to be general agreement with our concerns. No one else seems to have mentioned Incident Response specifically, but there was a […]

Categories
Articles

Pseudonymous Identifiers and the DP Regulation

Statewatch have published what appears to be a document from the Council of (European) Ministers containing comments on the proposed Data Protection Regulation. It’s interesting to see that there seems at last to be a recognition that the current legal treatment of indirectly linked identifiers is unsatisfactory. At the moment European law has been interpreted […]