PRIVACY AND SECURITY IN LIGHT OF THE EUROPEAN DIGITAL AGENDA
- Edition: 2022
- Format: 17x24
- Binding: Softcover
- Pages: 248
- ISBN: 978-960-654-855-0
(Preface) Authors
K. Ujazdowski
A. Paschalides
G. Christofides
Introduction
CHAPTER I
DIGITAL CRIME AND SECURITY
I. The EU security landscape
A. An overview of the EU Security Union Strategy 2020 - 2025
a. A future-proof security environment
i. Critical infrastructure protection and resilience
ii. Cybersecurity
iii. Protecting public spaces
b. Tackling evolving threats
i. Cybercrime
ii. Modern law enforcement
iii. Countering illegal content online
iv. Hybrid threats
c. Protecting Europeans from terrorism and organised crime
i. Terrorism and radicalisation
ii. Organised crime
d. A strong European security ecosystem
i. Cooperation and information exchange
ii. The contribution of strong external borders
iii. Strengthening security research and innovation
iv. Skills and awareness raising
B. An overview of the EU cybersecurity strategy
a. Resilience, technological sovereignty and leadership
i. Resilient infrastructure and critical services
ii. Building a European Cyber Shield
iii. An ultra-secure communication infrastructure
iv. Securing the next generation of broadband mobile networks
v. An Internet of Secure Things
vi. Greater global Internet security
vii. A reinforced presence on the technology supply chain
viii. A Cyber-skilled EU workforce
b. Building operational capacity to prevent, deter and respond
i. A Joint Cyber Unit
ii. Tackling cybercrime
iii. EU cyber diplomacy toolbox
iv. Boosting cyber defense capabilities
c. Advancing a global and open cyberspace
i. EU leadership on standards, norms and frameworks in cyberspace
ii. Cooperation with partners and the multi-stakeholder community
iii. Strengthening global capacities to increase global resilience
d. Cybersecurity in the EU Institutions, Bodies and Agencies
II. NIS 2 Directive Proposal
III. PNR Directive
CHAPTER II
PRIVACY AND SECURITY IN ELECTRONIC COMMUNICATIONS
I. Freedom of Expression: A Controversial Notion
a. The European approach: Interpretation of the term according to the European Convention on Human Rights (ECHR)
b. The international approach
c. Regulating Internet: risks and challenges
d. The theoretical dimension of e-governance
e. The legal framework
II. The new challenges: the Digital Services Act
a. What is the future of our digital rights?
b. Recent evolutions on freedom of speech’ governance
c. What’s next?
III. Regulating disinformation
IV. Emergence of new rights in the digital age
a. Establishment of the right to be forgotten
b. Constitutional dilemmas pertaining to freedom of expression
c. Abusing RtbF
d. Jurisdiction and interpretation challenge
e. Expanding jurisprudence on RtbF
f. Is RtbF a viable new right for the Digital Era?
CHAPTER III
DIGITAL ECONOMY AND E-COMMERCE
I. The modernization of digital services and commerce: DSA and DMA
a. A brief description
b. An intense analysis of the Digital Services Act Package
i. Exploring the Digital Services Act
ii. Exploring the Digital Markets Act (DMA)
iii. Guaranties of compliance of gatekeepers
c. A critical approach to the Digital Services Package
d. Latest evolutions on the adoption of DSA and DMA
i. What is illegal offline, should be illegal online
ii. A list of “do’s” and “don’ts” for gatekeepers
iii. Gatekeepers can no longer:
iv. Sanctions
II. Cryptocurrency: towards a new mode of economic transactions?
a. A descriptive approach of the phenomenon
i. A. Prolegomena: Cryptocurrencies’ anatomy and their particularities
ii. Tracing the problematic of defining legal nature of cryptocurrencies
b. Data privacy issues regarding to the use of cryptocurrencies
i. Generalities
ii. Data protection under the spotlight
iii. Current evolutions
iv. Instead of conclusions: Ultima cogitation
III. Chatbots, digital security and privacy: an interactive relationship or a source of risks?
a. Chatbots in Customer Relations Management (CRM)
i. CRM: An Introduction
ii. CRM Use
b. The Rise of Chatbots
c. Chatbots Classification
i. Knowledge Domain
ii. Service provided
iii. Goals
iv. Input processing and Response generation method
d. Chatbots and CRM Systems
e. Reshaping E-Commerce
f. Privacy Issues
i. Legal Framework
CHAPTER IV
DIGITAL PRIVACY AND SECURITY IN THE ERA OF ARTIFICIAL INTELLIGENCE
I. Defining AI at European and international level
II. Serious concerns raised by the use of AI technology
a. What is the nature of Artificial Intelligence?
b. AI and face recognition: seeking the right balance
i. The European regulatory framework on face recognition
ii. View and opinions on face recognition
iii. The Alicem project
iv. New security law
III. A critical approach on draft AI Regulation
a. AI Regulation and General Data Protection Regulation
CHAPTER V
ONLINE PRIVACY AND SECURITY IN THE ERA OF COVID-19.
SPECIAL LEGAL ISSUES
I. Data protection in the era of the pandemic
a. Data rights processing at social level in the context of coronavirus
b. Remarks-Conclusions
c. Recent evolutions in COVID-19 era
II. Regulating cookies: EU Cookies policy
a. Types of Cookies
b. Duration
c. Provenance
d. Purpose
e. Legal nature of cookies
f. Cookie walls
g. Whitelisting service providers
h. Cookies for audience measurement
CONCLUSIONS
BIBLIOGRAPHY
ANNEX I
Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL LAYING DOWN HARMONISED RULES ON ARTIFICIAL INTELLIGENCE (ARTIFICIAL INTELLIGENCE ACT) AND AMENDING CERTAIN UNION LEGISLATIVE ACTS
INDEX
INTRODUCTION
Stephen Hawking: “We are all now connected by the Internet, like neurons in a giant brain”
On 9 March 2021 the European Commission issued a Communication named “2030 Digital Compass: the European way for the Digital Decade”. The COVID-19 pandemic has radically reshaped the nature of our societies and led to unpredictable situations. In the new environment, digital technologies are imperative for working, learning, entertaining, socialising, shopping and accessing everything from health services to culture. On the other hand, the massive processing of data and their circulation to an undefined number of recipients in order to restrain the spread of the coronavirus, the huge and increasing use of non-European technologies, the great evolution of digitalisation at almost every level of private and public life, as well as the expansion of disinformation and misinformation in times of a pandemic, raise serious concerns about our digital privacy and security.
This is why Europe needs to develop a digital sovereign policy ensuring the protection of fundamental rights and freedoms and promoting sustainability, prosperity, productivity and innovation.
Under those circumstances, the European Commission on 26 January 2022 issued a Declaration on Digital Rights and Principles aiming at the promotion of a digital transition shaped by European values. The Declaration provides a guide for policy makers and companies when dealing with new technologies. The rights and freedoms enshrined in the EU’s legal framework, and the European values expressed by the principles, should be respected online as they are offline.
The text covers key rights and principles for the digital transformation, such as placing people and their rights at its centre, supporting solidarity and inclusion, ensuring the freedom of choice online, fostering participation in the digital public space, increasing safety, security and empowerment of individuals, and promoting the sustainability of the digital future.
These rights and principles should accompany people in the EU in their everyday life: affordable and high-speed digital connectivity everywhere and for everybody, well-equipped classrooms and digitally skilled teachers, seamless access to public services, a safe digital environment for children, disconnecting after working hours, obtaining easy-to-understand information on the environmental impact of our digital products, controlling how their personal data are used and with whom they are shared.
In short, the principles are organised under the following schema and orientations:
• Putting people and their rights at the centre of the digital transformation
• Supporting solidarity and inclusion
• Ensuring freedom of choice online
• Fostering participation in the digital public space
• Increasing safety, security and empowerment of individuals
• Promoting the sustainability of the digital future
The above framework constitutes the main pillars of the EU’s Digital Agenda, which has been drafted following the aforementioned legal initiatives of the EU’s actors. Via the Digital Compass for the EU’s digital decade (2020-2030), the European Commission seeks to establish a trustworthy and powerful digital environment, promoting in parallel fundamental rights and freedoms. As is explicitly declared, “the EU will pursue a human-centric, sustainable vision for digital society throughout the digital decade to empower citizens and businesses”.
Digitalisation is the most indicative and consistent element pervading the EU’s Digital Agenda. The introduction and mass use of technology contributes essentially to the reshaping of public administration, the updating of relations between citizens and local authorities, interactive communication between them and the enhancement of democracy. The terms that best describe those processes are the following: electronic administration, electronic government or governance, and electronic or digital democracy.
E-governance constitutes a reality and decisively defines the quality of our democracy. In this respect, according to the Organisation for Economic Cooperation and Development (OECD), the use of ICT in the public sector is fundamental to serve the needs of citizens and businesses, and can bring governments closer to their citizens and businesses and enhance transparency. Transparency and better accessibility to services increase trust in government.
Regarding the interaction between e-governance and democracy, it is crucial to underline that the extensive use and exchange of technological tools in public administration defines the relation between citizens and the state’s leaders. Information and Communication Technologies offer local authorities and public administration new and original opportunities to improve the effectiveness of their services and increase citizens’ participation in public policy making. A recent report by MEPs concerning e-democracy provides a simple and clear definition of the relevant terms:
E-democracy refers to the use of information and communications technology (ICT) to create channels for public consultation and participation, for example for elections, consultations or referendums.
E-governance refers to the use of ICT to establish communication channels that enable the inclusion of the various stakeholders with something to say about the policy-making process. This could be for example a consultation on whether a specific speed limit should be kept.
E-government refers to the use of ICT in the public sector, particularly to provide people with information and services electronically. This could be, for example, to enable people to pay their speeding ticket online.
It becomes apparent from the perception of the nature of the EU’s Digital Agenda that the most crucial issue is to find the right balance between technological progress and innovation and protection of online privacy and security.
The term “privacy” has been interpreted in various ways. Initially, it is defined as the “right to be let alone” and is strongly connected with the right to personality. At the same time, it refers to the separation between private and public life, which can only be restricted under the principle of proportionality. Following the interpretation by the European Convention on Human Rights, privacy falls within the scope of article 8, which corresponds to the protection of private and family life as well as the individual’s home and correspondence. As such, it encompasses several dimensions of the individual’s physical and social identity, including the protection of his personal data and autonomy on the internet.
According to the Organisation for Economic Co-operation and Development (OECD), digital security refers to the economic and social aspects of cybersecurity, as opposed to purely technical aspects and those related to criminal law enforcement or national and international security.
The term “digital” is consistent with expressions such as digital economy, digital transformation and digital technologies. It forms a basis for constructive international dialogue between stakeholders seeking to foster trust and maximise opportunities from ICTs.
The re-examination of the concept of privacy in the digital age is necessary, initially, due to the continuous and explosive development of new technologies. Serious risks and concerns arise not because of their application but because of how they are used, since they are often used either as tools to tackle various problems, such as cybercrime or cyber piracy, or as drivers of the economy and innovation, as in the case of artificial intelligence.
Finding the right balance between technological advancement and security and digital privacy is therefore a laborious process. At the same time, global developments with a significant impact on the legal field, such as Snowden’s revelations about the mass surveillance of US communications by US and British secret services, the revision of the institutional framework for data sharing between the European Union and the US through the abolition of the “Safe Harbor” regime and the introduction of a new “Privacy Shield” framework, following the important ruling of the European Court of Justice in the Max Schrems case, and the enormous impact of the coronavirus pandemic on all levels of private and public life, create new conditions for the right to digital privacy.
At the same time, the current reality attributes a special meaning to the regulatory perception of the above right, as it is defined and described in the modern “information society”. On the one hand, the guarantee of self-autonomy should be pursued in every reform, legislative and scientific, taking place in the digital environment. This goal becomes even more important when taking into account the huge impact of the internet on our daily lives. On the other hand, the special current challenges at many levels, such as those relating to security and the economy, urge a decisive and powerful intervention in digital privacy.
This book aims to illuminate the extent of the protection of individual’s online privacy and security in the light of the adoption and application of the EU’s Digital Agenda in accordance with the ongoing technological evolutions. It is divided into six chapters on the basis of the fields where internet and new information technologies mostly affect the exercise of the above fundamental rights and freedoms. Certainly, those areas ideally coincide with the main themes covered by the EU’s Digital Agenda.
Consequently, our study will be focused on the analysis of the following issues:
a) Digital crime and security – Chapter I
b) Privacy and security in electronic communications – Chapter II
c) Digital economy and electronic commerce – Chapter III
d) Artificial Intelligence (AI) and digital privacy and security – Chapter IV
e) Online privacy and security in the era of COVID-19 – Chapter V
It is apparent that the analysis of the above themes follows an interdisciplinary approach. Our research and critical study will focus not only on the legislative measures at EU and state level, but also on the practical and technological tools that are adopted to meet the pursued goals. Through the thorough and critical investigation of the lawfulness of the technological intervention by sector, as well as via the indication of the potential risks and challenges, it will be possible to put forward fruitful proposals aiming at the shaping of a safer digital environment.
CHAPTER I
DIGITAL CRIME AND SECURITY
Introduction
Existence in today’s world is difficult to imagine without technology. While technology fosters incredible potential for human development, such as enabling creativity and innovation, new means of delivering knowledge and education, establishing and improving social interactions, and a new environment for business opportunities, it also comes with innate drawbacks such as data harvesting and selling, dissemination of false narratives and disinformation, mainstreaming of hate speech and polarization of public opinion, as well as surveillance and intrusion into privacy. The reach and speed at which technology impacts our everyday lives invite those with ill intent to profit from these features and to commit offences through or with the use of digital means, whether by action or omission.
In a span of more than half a century, the world went from marvelling at the invention of the cell phone, the harnessing of photovoltaic solar energy and the first electric car, DNA testing, precision GPS and 3D printing to witnessing novel crimes using smart devices, social networks, electronic financial instruments, DDoS and cyber-terrorism. Nowadays, it is futile to speak about crime and criminality without the involvement of technology. Whether it is used to commit crime or to discover it, technology has embedded itself in all aspects pertaining to it.
The digital component of crime has become more and more pronounced, when humanity and the legal order had to rely heavily on technology for the proper functioning of day-to-day life. Digital services, especially those relating to health and wellbeing, became invaluable during the Covid-19 pandemic.
As authors, we strongly believe that digital crime is an inevitable consequence of the digital revolution. As more companies adopt technology such as artificial intelligence (AI), big data, and cloud computing, they become more vulnerable to hackers who want to gain access to the valuable information stored on their systems. Robert S. Mueller, III, former Director of the FBI, once said: “There are only two types of companies: Those that have been hacked and those that will be hacked”. This is why the adoption of up-to-date, solid and uniform legislation at a European level is imperative in order to consolidate security and enhance productivity.
In the following chapter we will examine the recent developments in the framework of digital crime.
I. The EU security landscape
From the moment of its inception, Europe has envisioned security as one of the cornerstone elements of the Union. With the advent of the Maastricht Treaty, the complexity of provisions dealing with security, alongside other essential domains, enabled the introduction of the pillar system – the Common Foreign and Security Policy being the second pillar, while Justice and Home Affairs was established as the third. Institutional change was also enacted in order to support this vision. An agency model was central in enacting the prime role of the Union in key areas such as information security and fundamental rights, alongside other key domains such as maritime and aviation safety.
Currently, concern for security is embedded in the nature of the EU. The Treaty on European Union establishes the promise that the Union shall offer its citizens an area of freedom, security and justice without internal frontiers, in which the free movement of persons is ensured in conjunction with appropriate measures with respect to external border controls, asylum, immigration and the prevention and combating of crime.
The EU security landscape has been reshaped repeatedly, in an effort to keep up with the novelty and complexity of the threats that the EU has been facing. The versatility and volatility of these threats have kept European institutions in a dynamic and proactive state, as maintaining security is essential to the political idea of a Europe premised on prosperity, innovation and growth, through a continuous transformative process. Furthermore, the promise of security is strongly linked with the democratic idea of the unity of member states, founded on the confidence that only in a joint effort can intricate threats be tackled at a level that can provide and consolidate the glue that holds together the realization of the ideal of the Union.
Enabling such a vision for security comes at a substantial cost, associated with the risks of dealing with evolving threats. The EU has paid the toll for ensuring this vision and continues to maintain a strong commitment to ensuring a reliable environment for its citizens. Against the backdrop of globalization, climate change, demographic decline, political instability outside its borders, terrorism and the ongoing process of hybridization of threats, the EU has managed to produce viable responses. Nevertheless, these responses have been, at times, latent and did not provide all-encompassing, timely and strategic answers to stringent concerns. One of the lackluster aspects in this regard is the ability to capitalize on the strengths of working together, provide an efficient crisis management system based on cross-border and interconnectivity actions, as well as establish a rounded common effort to provide the necessary tools to work together both inside and outside of the EU. This inert characteristic is linked with the notable design that security always remains grounded in the respect for the rule of law, equality, fundamental rights and democratic control. While security and the guarantee of the aforementioned are complementary to each other, actions are envisioned and enacted while having in mind necessity, proportionality, legality, accountability and judicial redress. Security safeguards are envisaged to protect individuals, especially those that are most vulnerable.
The impact of this innate trait can be best perceived within the Covid-19 pandemic. The crisis tested the resilience of Europe, creating a rapid need to remodel its security policy in the face of a swift and nimble threat to its citizens both in the physical and digital environment. While there was limited capability to foresee the extent of the pandemic, the flat policy response that the EU initially provided and the lack of proper tools to jointly tackle the threat exposed critical infrastructure and supply chain vulnerabilities.
A. An overview of the EU Security Union Strategy 2020 - 2025
Having in mind the plethora of ever-growing threats, in 2016, the EU introduced the concept of the Security Union as part of the European Commission Communication “Paving a way towards an effective and genuine Security Union”. This concept was built on the 2015 European Agenda on Security. It proposed a new approach based on shared responsibility between the European Union and the EU countries. To lead the process, a dedicated Security Union Commissioner portfolio was created in September 2016, assisted by a task force that drew on the expertise of the entire European Commission.
The Strategy is structured around 4 pillars aimed at building capabilities and capacities for early detection, prevention and rapid response to crises, linking all players in the public and private sectors in a common effort and a strong focus on performance. Each pillar encompasses several themes. The pillars are as follows: (i) a future proof security environment, (ii) tackling evolving threats, (iii) protecting Europeans from terrorism and organised crime, (iv) a strong European security ecosystem.
a. A future-proof security environment
i. Critical infrastructure protection and resilience
As mentioned above, critical infrastructure plays an essential role in the landscape of European security. This role is amplified by exponential economic and social growth and the transition to the digital environment. The strategy sets out to provide a much-needed upgrade to the legislative framework in order to foster interconnectedness and interdependency. This encourages systems and services to be more resilient in terms of planning, absorbing and recovering from adverse events.
According to the EU’s self-assessment, the existing framework for protection and resilience of critical infrastructures has not kept pace with evolving risks. Furthermore, guided by the principle of subsidiarity, member states have implemented legislation at their own discretion, resulting in a fragmentary approach to the issue as well as varying levels of preparedness, the most incremental developments being attested in border regions, due to less efficient coordination.
The EU has set out a priority to build new resilience boosting tools in connection to the increasing role of the internet. The centerpiece of this priority is to put in place a certified secure end-to-end quantum infrastructure, terrestrial and space-based, in combination with the secure governmental satellite communications system laid out in the Space Programme regulation.
ii. Cybersecurity
Cyber space, under the Security Union concept, is considered an indispensable part of the security landscape. While we examine more thoroughly this theme in the next part of the chapter, it is worthwhile to mention that the main focus of the Union is pinned to the European Cybersecurity Strategy.
The Commission envisions a long-term shift towards a cybersecurity culture model, within a new cybersecurity certification framework under the Cybersecurity Act, with a prime role for the EU Agency for Cybersecurity (ENISA), the data protection authorities and the European Data Protection Board, all of key importance in this area.
In order to strengthen its position within the international legal order, the Commission is providing a cyber diplomacy toolbox as a set of measures under the Common Foreign and Security Policy, aimed at the activities that harm its political, security and economic interests.
Lastly, cybersecurity cooperation is to be fostered horizontally within EU institutions, bodies and agencies, with a principal role for a Joint Cyber Unit, a novel structure that will become operational by the beginning of 2023. The unit will provide a sandbox for civilian, law-enforcement, diplomatic and cyber defense communities to cooperate in order to prevent, deter and respond to cyberattacks.
iii. Protecting public spaces
In light of the 2016 Brussels bombings, aimed at the heart of the EU, protection of public spaces, especially those of worship and transport, has become essential. The Commission sets out to bolster both stronger physical protection of such places and adequate detection systems, without undermining citizens’ freedoms. This theme is congruent with the potential misuse of drones by criminals and terrorists.
Key actions under the future-proof security environment pillar are summarised as:
• Legislation on the protection and resilience of critical infrastructure
• Revision of the Network Information Systems Directive
• An initiative on the operational resilience of the financial sector
• Protection and cybersecurity of critical energy infrastructure and network code on cybersecurity for cross-border electricity flows
• A European Cybersecurity Strategy
• Next steps towards the creation of a Joint Cyber Unit
• Common rules on information security and cybersecurity for EU institutions, bodies and Agencies
• Stepped up cooperation for the protection of public spaces, including places of worship
• Sharing of best practices on addressing misuse of drones
b. Tackling evolving threats
i. Cybercrime
The Commission’s response to cybercrime focuses on improving the judiciary and law enforcement, with the Joint Cybercrime Action Task Force in Europol and the Law Enforcement Emergency Response Protocol created to coordinate the response to large-scale cyber-attacks. Furthermore, full implementation of the current legal framework is essential in offering an appropriate response.
The EU acknowledges the extent of cybercrime. In this regard, strong support and confidence is shown to the Council of Europe’s Budapest Convention on cybercrime, which establishes the objective of a common criminal policy aimed at the protection of society against cybercrime, inter alia, by adopting appropriate legislation and fostering international co-operation, conditioned by the profound changes brought about by the digitalization, convergence and continuing globalization of computer networks.
ii. Modern law enforcement
Stepping up efforts in tackling the ever-evolving threat spectrum is conditioned by the adaptability of law enforcement and justice practitioners to apply new technology. The Commission envisages that technological developments and emerging threats require law enforcement authorities to have access to new tools, acquire new skills and develop alternative investigative techniques. By connecting scientific evaluations and testing methods, through the Joint Research Centre, new tools are to be created in order to enhance law enforcement capacity in digital investigations. These tools imply the integration of artificial intelligence, space capabilities, Big Data and High Performance Computing into security policy in a way which is effective both in fighting crimes and in ensuring fundamental rights. Artificial intelligence could act as a powerful tool to fight crime, creating enormous investigative capabilities by analyzing large amounts of information and identifying patterns and anomalies.
Particular emphasis is placed on electronic evidence for criminal investigations, as a means of tackling cross-border crime, through bi- and multilateral negotiations. Encryption is also explored as a means of securing digital systems and transactions and of protecting a series of fundamental rights, including freedom of expression, privacy and data protection.
iii. Countering illegal content online
The Commission recognizes the looming threat of terrorism, extremism or child sexual abuse delivered through the digital environment. In order to prevent and counter the spread of illegal hate speech online, the Commission launched, in 2016, the Code of Conduct on countering illegal hate speech online. Being a non-binding document, it recommended that IT companies remove content deemed to be illegal hate speech. Although, according to data, 71% of flagged content is removed within 24 hours, issues regarding transparency need to be addressed.
An emphasis on the Digital Services Act (DSA) is made with the rationale that it will clarify and upgrade the liability and safety rules for digital services and remove disincentives holding back actions to address illegal content, goods or services. The DSA is extensively analyzed in the following chapters of the book.
Launched in 2015, the European Union Internet Forum (EUIF) has expanded its role in reducing accessibility to terrorist content online and increasing the volume of effective alternative narratives online. In the framework of the strategy, given its mission to provide a collaborative environment for governments in the EU, the internet industry, and other partners to discuss and address the challenges posed by the presence of malicious and illegal content online, the EUIF is envisaged as a means of fighting child sexual abuse online.
iv. Hybrid threats
As mentioned previously, the Covid-19 pandemic has renewed the Commission’s focus on the hybridization of threats to security. Building upon the 2015 Joint Framework on Countering Hybrid Threats and the 2018 Joint Communication on bolstering hybrid resilience, actions are underpinned by a sizeable toolbox covering the internal-external nexus, based on a whole-of-society approach and on close cooperation with strategic partners, notably NATO and the G7.
Due to the complex nature of hybrid threats, the Commission targets a cross-border effort that will integrate horizontally with member state security and defense policies. This effort will be sustained within the EU structure, where the Commission services and the European External Action Service will explore options to streamline information flows from different sources, including Member States, as well as EU agencies such as ENISA, Europol and Frontex. This will improve the effect of EU action by swiftly bringing together sectoral responses and ensuring seamless cooperation with partners, especially within NATO members. Integration will also apply thematically by exploring unbeaten paths such as education, technology and research.
Key actions under the tackling evolving threats pillar are summarised as:
• Ensuring that the cybercrime legislation is implemented and fit for purpose
• A Strategy for a more effective fight against child sexual abuse
• Proposals on the detection and removal of child sexual abuse material
• An EU approach on Countering Hybrid Threats
• Review of the EU operational protocol for countering hybrid threats (EU Playbook)
• Assessment of how to enhance law enforcement capacity in digital investigations
c. Protecting Europeans from terrorism and organised crime
i. Terrorism and radicalisation
At its core, the threat of terrorism and radicalization is rooted in the polarisation of society, real or perceived discrimination and other psychological and sociological factors that can reinforce people’s vulnerability to radical discourse. Tackling this threat requires a combined approach, which the Commission envisages through several hard policies, such as the Radicalisation Awareness Network and the EU Cities against Radicalisation Initiative, as well as soft policies, such as education, culture, youth and sports, that could contribute to the prevention of radicalization. Priority areas include work on early detection and risk management, resilience building and disengagement, as well as rehabilitation and reintegration in society.
With respect to the terrorist threat, the EU boasts state-of-the-art legislation that is aimed at restricting access to explosives precursors and detecting suspicious transactions aiming to build improvised explosive devices. In order to enact it, as well as diminish the potential of chemical, biological, radiological and nuclear (CBRN) attacks, the Commission is looking to expand the list of restricted substances to certain dangerous chemicals that could be used.
In order to tackle the external terrorist threat, the EU is looking to improve upon multilateral cooperation, working with the leading global actors in this field, such as the United Nations, NATO, the Council of Europe, Interpol and the OSCE.
Although member states are primarily responsible for the fight against terrorism and radicalization, the Commission considers the implementation of counter-terrorism legislation, including restrictive measures, a cornerstone in tackling this threat. In this regard, one of the main objectives of the Union is to extend the mandate of the European Public Prosecutor’s Office to cross-border terrorist crimes.
ii. Organised crime
Organised crime groups and terrorists are key actors in the production, trafficking or distribution of drugs, the trade in illegal firearms, migrant smuggling and corruption, and they are also adopting online crime (i.e., online scams on vulnerable groups). The losses from their illegal activity are counted in both economic damage and human lives.
In tackling this threat, the Commission is considering revising the purpose of old legislation, such as the Environmental Crime Act, as well as adopting new legislative instruments such as the EU Agenda on Drugs, the EU Action Plan against migrant smuggling for 2021-2025 and the EU Action Plan against firearms trafficking.
The Commission will also support the development of expertise and of a legislative framework in emerging risks, such as crypto-assets and new payment systems. In particular, the Commission will look at the response to the emergence of crypto-assets such as bitcoin and the effect these new technologies will have on how financial assets are issued, exchanged, shared and accessed.
Key actions under the "protecting Europeans from terrorism and organised crime" pillar can be summarised as follows:
• Counter-Terrorism Agenda for the EU, including renewed anti-radicalisation actions in the EU
• New cooperation with key third countries and international organisations against terrorism
• Agenda on tackling organised crime, including trafficking in human beings
• EU Agenda on Drugs and Action Plan 2021-2025
• Assessment of the European Monitoring Centre for Drugs and Drug Addiction
• 2020-2025 EU Action Plan on Firearms trafficking
• Review of legislation on freezing and confiscation and on Asset Recovery Offices
• An assessment of the Environmental Crime Directive
• An EU Action Plan against Migrant Smuggling, 2021-2025
d. A strong European security ecosystem
i. Cooperation and information exchange
Under the last pillar of the strategy, the EU is building a professional-centered environment able to sustain the actions of the previous three pillars. As most of the legal framework underpinning operational law enforcement cooperation was designed 30 years ago, accompanied by a complex web of bilateral agreements between member states, many outdated or underused, there is a need to improve upon available instruments by means of streamlining and upgrading.
The Commission is looking to enact a Police Cooperation Code in order to bolster law enforcement efficiency. Europol is foreseen to expand its cooperation with third countries to counter crime and terrorism in coherence with other EU external policies and tools. The strategy provides for the further development of Eurojust to maximise the synergy between law enforcement cooperation and judicial cooperation.
The EU is intent on streamlining the processes involving security and border management. In addition, the Commission will look into the possibility of exchanging police records to help identify if any police record on a person exists in other Member States, and facilitate access to these records once identified, with all the necessary safeguards.
The Passenger Name Records Directive (PNR), designed to improve border controls, reduce irregular migration, and identify persons posing security risks, is the primary legislative act spearheading this effort: it allows for more effective use of the information, while ensuring compliance with data protection legislation and facilitating the flow of passengers. We will examine the PNR Directive more closely in the following chapters of the book, in light of the Court of Justice of the European Union judgment.
Judicial cooperation is envisaged to complement law enforcement efforts in tackling cross-border crime. Bearing in mind the changes that this cooperation has undergone in the last two decades, the Commission is considering extending and reinforcing the roles of the European Public Prosecutor’s Office and Eurojust. Cooperation with Interpol, one of the largest inter-governmental criminal police organisations, will also be reinforced, including possible access to Interpol databases and the strengthening of operational and strategic cooperation.
The Commission will explore a possible EU-level coordination mechanism for police forces in case of force majeure events such as pandemics.
ii. The contribution of strong external borders
Management of the borders is an integral part of EU security that contributes to the prevention and detection of cross-border crime at the forefront and beyond. The strategy establishes the modernization of external border control in the framework of the forthcoming Action Plan on the Customs Union which will be aimed at strengthening risk management and enhancing internal security, including in particular by assessing the feasibility of a link between relevant information systems for security risk analysis.
The border framework improvement envisages fighting identity fraud, interoperability of information for the benefit of law enforcement officers, border guards and migration officials and combating travel document fraud.
The Commission will explore how to extend existing work on the security standards of EU residence and travel documents, including through digitalisation. As of August 2021, Member States will start issuing identity cards and residence documents according to harmonised security standards, including a chip containing biometric identifiers that can be verified by all EU border authorities.
iii. Strengthening security research and innovation
Cybersecurity is, perhaps, the area most closely tied to, and most reliant on, the advancement of science. EU research, innovation and technological development offer the opportunity to take the security dimension into account as these technologies and their application are developed.
The ability to overcome security challenges and crises is heavily dependent on the EU’s ability to generate innovation, attract talent and use it to create new tools to help law enforcement and other security actors.
While ongoing efforts to empower researchers across Europe, through various programmes, are underway, the EU is, currently, a net importer of cybersecurity products and services.
iv. Skills and awareness raising
Even basic knowledge of security threats and how to combat them can have a real impact on society’s resilience. Consciousness of the risks of cybercrime and the need to protect oneself from it can work together with protection from service providers to counter cyber-attacks. Challenges to IT infrastructure and e-systems have, subsequently, revealed the need to improve our human capacity for cybersecurity preparedness and response. The pandemic has also highlighted the importance of digitalisation across all areas of the EU economy and society. It is for this reason that, as part of the strategy, the Commission has set out to improve security matters through the Digital Education Action Plan. Updating the aforementioned document will present a vision for improving digital literacy, skills and capacity at all levels of education and training and for all levels of digital skills (from low to advanced). Based on lessons learnt from the COVID-19 crisis in areas such as online learning, the Action Plan aims to support the development of robust digital competences and organisational capabilities in education and training systems (including for distance-learning) while fully harnessing the potential of emerging technologies, data, content, tools and platforms to make education and training fit for the digital age.
The reinvigoration of the European Research Area and the European Education Area, alongside the Digital Europe Programme, will contribute to the unfolding of this theme.
Key actions under the "strong European security ecosystem" pillar can be summarised as follows:
• Strengthening of Europol's mandate
• Exploring an EU ‘Police Cooperation Code’ and police coordination in times of crisis
• Strengthening Eurojust to link judicial and law enforcement authorities
• Revision of the Advance Passenger Information Directive
• Communication on the external dimension of Passenger Name Records
• Strengthening cooperation between the EU and Interpol
• A framework to negotiate with key third countries on sharing of information
• Better security standards for travel documents
• Exploring a European Innovation hub for internal security
B. An overview of the EU cybersecurity strategy
On 16 December 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented a new EU Cybersecurity Strategy. The strategy represents an integral part of Europe’s security, being a continuation of the EU Security Union Strategy.
The strategy aims to safeguard a global and open Internet, while at the same time offering safeguards, not only to ensure security but also to protect European values and the fundamental rights of everyone.
Following the progress achieved under the previous strategies, it contains concrete proposals for deploying three principal instruments – regulatory, investment and policy instruments – to address three areas of EU action: (1) resilience, technological sovereignty and leadership, (2) building operational capacity to prevent, deter and respond, and (3) advancing a global and open cyberspace.
a. Resilience, technological sovereignty and leadership
i. Resilient infrastructure and critical services
As mentioned in the overarching EU Security Strategy, at the core of the cybersecurity paradigm lies the Network and Information Systems Directive (NIS). In order to ensure a consistent approach as announced under the Security Union Strategy 2020-2025, the reformed Directive is proposed together with a review of the legislation on the resilience of critical infrastructure. Energy technologies embedding digital components and the security of the associated supply chains are important for the continuity of essential services and for the strategic control of critical energy infrastructure. The Commission will therefore propose measures, including a ‘network code’ setting rules for cybersecurity in cross-border electricity flows, for adoption by end 2022. The review is necessary to reduce inconsistencies across the internal market by aligning scope, security and incident reporting requirements, national supervision and enforcement and the capabilities of competent authorities. The draft proposal of NIS 2 will be presented in the following chapter of the book.
ii. Building a European Cyber Shield
With the spread of connectivity and the growing sophistication of cyberattacks, Information Sharing and Analysis Centres, or ISACs, perform a valuable function, including at the sectoral level, in allowing information exchange between multiple stakeholders on cyber threats. In addition to this, networks and computer systems require constant monitoring and analysis to detect intrusions and anomalies in real time. Many private companies, public organisations and national authorities have therefore set up Computer Security Incident Response Teams (CSIRTs) and Security Operations Centres, or ‘SOCs’.
The Commission proposes to build a network of Security Operations Centres across the EU, and to support the improvement of existing centres and the establishment of new ones. It will also support the training and skill development of staff operating these centres.
Through sustained collaboration and cooperation, this network will provide timely warnings on cybersecurity incidents to authorities and all interested stakeholders, including the Joint Cyber Unit. It will serve as a real cybersecurity shield for the EU, providing a solid mesh of watchtowers, able to detect potential threats before they can cause large-scale damage.
iii. An ultra-secure communication infrastructure
The European Union Governmental Satellite Communications, a component of the Space Programme, will provide secure and cost-efficient space-based communication capabilities to ensure the security- and safety-critical missions and operations managed by the EU and its member states, including national security actors and EU institutions, bodies and agencies.
In this perspective, and going further, the Commission will explore the possible deployment of a multi-orbital secure connectivity system. Building on GOVSATCOM and QCI, it would integrate cutting edge technologies (Quantum, 5G, AI, edge computing) adhering to the most restrictive cybersecurity framework in order to support secure-by-design services such as reliable, secure and cost-effective connectivity and encrypted communication for critical governmental activities.
iv. Securing the next generation of broadband mobile networks
EU citizens and companies using advanced and innovative applications enabled by 5G and future generations of networks should benefit from the highest security standard. Member states, together with the Commission and with the support of ENISA, have established, with the EU 5G Toolbox of January 2020, a comprehensive and objective risk-based approach to 5G cybersecurity that is based on an assessment of possible mitigation plans and identification of the most effective measures. Moreover, the EU is consolidating its capabilities in 5G and beyond to avoid dependencies and to foster a sustainable and diverse supply chain.
Looking forward, the EU should ensure that the identified risks have been mitigated adequately and in a coordinated way, in particular as regards the objective of minimising the exposure to high-risk suppliers and of avoiding dependency on these suppliers at national and Union level, and that any new significant development, or risk, is taken into account.
v. An Internet of Secure Things
Every connected thing contains vulnerabilities that can be exploited with potentially widespread ramifications. As the Internet of Things proliferates, enforceable rules require strengthening, both to ensure overall resilience and to boost cybersecurity.
The Commission will consider a comprehensive approach, including possible new horizontal rules to improve the cybersecurity of all connected products and associated services placed on the Internal Market. Such rules could include a new duty of care for connected device manufacturers to address software vulnerabilities including the continuation of software and security updates as well as ensuring, at the end of life, deletion of personal and other sensitive data.
vi. Greater global Internet security
A set of core protocols and supporting infrastructure ensures the functionality and integrity of the Internet worldwide. This set includes the DNS and its hierarchical and delegated system of zones, starting, at the top of the hierarchy, with the root zone and the thirteen DNS root servers on which the World Wide Web depends. The Commission intends to develop a contingency plan, supported by EU funding, for dealing with extreme scenarios affecting the integrity and availability of the global DNS root system.
With a view to reducing security issues related to market concentration, the Commission will encourage relevant stakeholders including EU companies, Internet Service Providers and browser vendors to adopt a DNS resolution diversification strategy.