At a 29 April Cybersecurity and Privacy conference in Brussels, Keynote Speaker and recently appointed European Data Protection Supervisor (EDPS) Giovanni Buttarelli was given the opportunity to comment on his 5-year strategy, published last month.

Particular attention was paid to cybersecurity and the challenges posed by it on a technical and policy level. While acknowledging the importance of cybersecurity for the sustainability of our digitally supported economy and society, Buttarelli stated that the privacy challenges cybersecurity entails are not to be minimalized, and that its objective is not to be misused to justify measures weakening the protection of data protection rights.

Buttarelli explicity addressed the tension between cybersecurity and data protection, stating that “The rights to privacy and data protection have long been perceived as conflicting with the objective of cybersecurity. I believe this is a misperception.” The EDPS believes that instead, the momentum of contemplating about measures for ensuring a high level of cybersecurity should be grasped to ensure that such measures help improve the security of all the information processed, including personal data. Work on cybersecurity can play a fundamental role in contributing to ensuring the protection of individuals’ rights to privacy and data protection in online and networked environments.

He continued by warning that “cybersecurity must not become an excuse for disproportionate processing of personal data“. To find the right balance, data protection principles such as necessity and proportionality can be applied to help guide privacy-by-design and privacy-by-default for cybersecurity solutions.

Buttarelli also addressed the ongoing efforts to reform the EU data protection framework, noting that a key plank of the reform is data security. While under the current legal framework, (i) the risk of the processing, (ii) the state of the art, and (iii) the cost of the measures are the three elements to determine the selection of adequate technical and organization measures, he noted that the third element must not be overstated given the importance of appropriate data security. “A proper cost benefit analysis would demonstrate that data security benefits not only individuals whose personal information is processed, but also the professional reputation of the organization processing the data.

Reference was made in this respect to the ruling of the ECJ last year regarding the invalidity of the Data Retention Directive, and the interpretation by some that the ruling advocated a stricter determination of the storage location of data. Buttarelli disagreed with such interpretation, noting that “Phyical location is not the determining factor in security. Rather, it is the degree of control, accountability and responsibility which data controllers demonstrate when processing personal information. They must take full responsibility for all the measures they implement, regardless of the technology they use. As we put it in our opinion around the time of the judgment, ‘responsibility must not vanish in the clouds’.”

Sectors which were explicitly mentioned as expected to needing to deal with cybersecurity more intensively were the banking and health sector, and IT fields such as the Internet of Things, Bring Your Own Devices and wearables, as these attacks would have a significant impact on privacy and the protection of personal data.

The EDPS concluded on a positive note, mentioning that there is more awareness of security issues in the world and more investment in cybersecurity than ever before, as companies and organization realize what is at stake.

For the EDPS’ 5-year strategy, please click here: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Speeches/2015/15-04-28_Keynote_Cybsersecurity_EN.pdf

For the full keynote speech of the EDPS, please click here: https://secure.edps.europa.eu/EDPSWEB/edps/site/mySite/Strategy2015