Editorial Director: Giusella Finocchiaro
Web Content Manager: Giulia Giapponesi

posted by admin on novembre 15, 2017

Accountability, Privacy

(No comments)

The following is an analysis of a proposal for a regulation “for a framework on the free flow of non-personal data in the European Union”.

The objective of the regulation is the liberalisation of data flows. It is worth noting that this liberalisation suffers from two intrinsic limitations in the proposal: on the one hand it only refers to non-personal data, which, for clear reasons of consistency, are defined as “data other than those defined in art. 4, Regulation EU 2016/679”; and on the other hand it solely pertains to the movement of data within the European Union borders, whereas it in no way affects the exchange of data outside the Union.

The Commission identifies two main obstacles to businesses and public administrations having full freedom to choose the location where they store and manage their data.

The first obstacle is represented by the unjustified restrictions on data localisation imposed by public authorities in Member States. Over the years, the reasons which have moved Member States to impose the mandatory local storage of their data on national businesses and public administrations, include maintaining higher levels of security and facilitating easier monitoring by national authorities. For example, this includes the storage measures for financial statements and accounting data provided for in Germany, Denmark, Belgium and other northern European countries, which require that data be filed within national borders. In the same way, in countries such as Bulgaria, Poland and Romania data localisation requirements are imposed on winnings and user transactions. In Bulgaria for example, an applicant for a gaming license must assure that all data related to operations in Bulgaria is retained on a server located within the country. In addition, even when no specific territorial restriction is in place, business practice and common sense have in any case led in the direction of favouring localised data storage, turning down the chance of alternative cross- border offers.

The second obstacle to data liberalisation derives from private market limitations, which prevent data portability across IT systems by means of so-called vendor lock-in (aka proprietary lock-in or customer lock-in) practices. This widespread business phenomenon (e.g. Microsoft, Apple, Google, Nvidia, even hotels!) has its origin in providers wanting to create a condition of artificial dependence, which makes customers virtually totally dependent on them for the goods or services they provide. Customers are put in such a position that they cannot purchase goods or services from a competitor without incurring both the substantial costs and cumbersome and inconvenient organisational difficulties involved in switching to a new provider. Providers implement this sort of “forced loyalty” both by means of adopting technologies or standards differ from those used by competitors and the inclusion of contractual conditions which are particularly penalising in case of a switch.

Thus, in order to curb the spread of such practices and arrangements, with this proposal the Commission wants to tackle the problems through four lines of action.

Firstly, the proposal introduces a general principle of free circulation of data among Member States which allows businesses free choice of where to process or store their data. Legally provided restrictions will have to be be carefully scrutinised and will only be legitimate in cases when public and/or national security are at stake.

Secondly, with the intention of reassuring national legislators, the proposal guarantees that the competent authorities (of each Member State) will have access to data stored or processed in another Member State on the same conditions of access guaranteed nationally.

Thirdly, the proposal encourages the elaboration of self-regulatory codes of conduct which would smooth portability conditions and therefore, for example, switches of cloud service providers. The aim is that of also building a sort of “right to data portability” for non-personal data, in the same way as that provided for by the privacy Regulation for personal data. The need is to make sure that that customers’ freedom of choice is in place not only at the start of a contractual relationship, but that it is maintained and made technically possible for the entire duration of the relationship.

Lastly, the proposal establishes a central point of contact for each Member State, in order to guarantee the successful application of the new rules on the free flow of non-personal data.

In conclusion, there is no doubt that the regulation proposal is aimed first and foremost at businesses and public administrations, with significantly lower impact on individual citizens. However, if it is seen in the light of and in coordination with the European data framework, the proposal takes on much more general relevance. In fact, thanks to this new formulation, a number of the principles contained in the privacy Regulation, such as those regarding free data circulation and data portability, would be strengthened as a result of an extension of their scope of application.

 

 

posted by admin on marzo 15, 2017

computer crimes

(No comments)

The latest report from Clusit (the Italian Association of Internet and IT Security) states that 2016 was the worst year ever for the evolution in cyber threats and their impact. The Interministerial Commitee for the Security of the Republic, chaired by Prime Minister Gentiloni, has devised a national cyber security plan.

Clusit stresses the phenomenal rise (+1,166%) in phishing attacks – by means of which cyber scammers persuade victims to hand over personal and financial data or login credentials by masquerading as bona fide companies – and social engineering scams – i.e. techniques of studying individual people’s behaviour in order to extort information. Malevolent common malware virus attacks also rose (+116%), and were not only small scale attacks, but also aimed at attacking important targets with significant impact.

There was a dramatic rise even in cyber warfare related attacks (+ 117%), which aim to increase geopolitical pressure or manipulate public opinion. Examples of cyber warfare attacks include those on political parties’ or institutions’ email accounts, but potential targets also include critical infrastructure such as energy, water, communications and transport services, attacks on which rose by + 15% compared to 2015.

So-called cybercrime – i.e. offences committed in order to extort money or information – represented 72% of global attacks in 2016. There has been a consistent upward trend in cybercrime since 2011, when the percentage was 36%. 32% of attacks use unknown techniques, which is 45% up on 2015.

In 2016 the healthcare sector was under increased serious attack (+ 102%) from ransomware – i.e. viruses that encrypt data on victims’ devices only released if the victims pay a ransom – and data theft. There was also a substantial rise in attacks against large scale retail distribution (+70%) and the banking and financial sector (+64%).

In geographical terms, in the second half of 2016 attacks against European targets rose from 13% to 16% and against Asian targets from 15% to 16%, whereas the number of victims in the USA seems to have dropped slightly, even if the USA remains the area most hit by cyber attacks. The tendency to attack mostly important and transnational targets was confirmed. An example of one of the most important global attacks was that against the Italian Ministry of Foreign Affairs.

The Interministerial Commitee for the Security of the Republic (Cisr) has launched a multi phase national plan for cyber security with a new decree – “indications for cybernetics protection and national information security”, which replaces the old Council of Ministers Presidential Decree of January 24th, 2013.

The new measure acknowledges the NIS (Network and Information Security) European Directive and reinforces the role of the Cisr which will issue directives with the aim of raising the level of national cyber security and will avail itself of the support of interministerial coordination on the part of the so-called “Cisr tecnico” (the Technical Interministerial Commitee for the Security of the Republic) and the Security Intelligence Department (Dis).

The new decree assigns the Director General of the DIS the task of defining appropriate courses of action to ensure the required levels of security in both public and private strategic systems and networks, identifying and removing their vulnerabilities. So as to successfully carry out these initiatives the involvement of both the academic world and the world of research is envisaged, as is the idea to use top quality resources in addition to setting up extensive co-operation with businesses in the cyber sector.

At an operational level, the Cyber Security Unit (Nsc) – now part of the Dis – will guarantee a coordinated joint response to any significant cyber attack on national security, together with specialists from all relevant Government Departments.

 

 

  • Recent comments

  • Popular posts

    • None found