What does this cover?
The EDPS has published an opinion (the Opinion) regarding intrusive surveillance technology in which it states that "the use of these tools implies by default the processing of personal data and a possible intrusion of privacy".
The Opinion arose as a result of an incident in July 2015 concerning an Italian company which, as a consequence of a significant data hack, found that details of its client lists, emails and employee passwords had been published online by cyber attackers. Significantly, also published were source code and technical design details for an intrusive data surveillance technology which allowed the user to bypass a variety of online security measures (including encryption software).
Whilst the EDPS acknowledges that surveillance technology has a place in legitimate monitoring and law enforcement it is made clear that there is need for "an alert to tighten up the regulation in this market, to clarify the criteria for legal trading, export and usage, for instance by security researchers".
Recommendations by the EDPS in consideration of the above include:
- An assessment of the existing European I.T. standards;
- Appropriate regulation attaching to surveillance technology which adequately takes into account the risk posed by breach of such rules;
- Consistent and more effective technology policies within Europe and as it relates to exports within and outside Europe; and
- Consistent approach to grant international protection to whistle-blowers.
To view the Opinion, please click here.
To view the EDPS press release, please click here.
What action could be taken to manage risks that may arise from this development?
Organisations should monitor any developments which flow from this Opinion and which could involve much stricter and more specific technological regulation in respect of surveillance technologies.