The EU's draft data protection legislation represents a great effort on the part of governments to recognise and control information security risk. With this, the EU’s cyber security strategy has woken up to the risks that citizens and businesses face in today’s connected and technology-dependent world.
However, this does not mean that they have the experience required to understand the impact and response that may be needed. Legislators are playing catch up while they craft the legal framework for security and data protection that is going to affect us all. It is essential therefore that the information security community not only make the effort to be aware and prepare, but also recognise and exert influence over what eventually passes into legislation.
This is a significant task. Our first step is to get to know the legislation itself, the intent as well as the actual measures and directives, so that we may apply our own assessment as to their feasibility, and then speak up as we identify elements that seem infeasible. For example, the right to be ‘forgotten’, the infamous flagship measure in favour of Europe’s values around privacy, is in today’s socially-networked market place technically impossible to achieve. In the most recent version outlined in a speech delivered earlier this month, the right to be forgotten has graduated to become the ‘right to erasure’ (Article 17).
This new development may be far more defined in what government is looking to achieve, but it is no more possible from a technical point of view. It states that an individual has the right to have his/her data erased if: a) the data processing does not comply with EU rules; b) the data are no longer necessary for the purposes for which they were collected; or c) the person objects or withdraws his/her consent for the processing of that personal data.
This nice sentiment certainly reflects our cultural respect for privacy. However, the way data is published in today’s cloud-enabled corporate and socially-enabled consumer environments means our data lives in a system that makes it impossible to trace or know the purpose behind its collection and/or whether it remains necessary. Consent can be withdrawn but only from the original collector. This is a piece of legislation written for a more traditional, more static data management environment. While it may gain political support, it is not enforceable in all cases and therefore could undermine the very security it is meant to promote.
The job ahead for legislators, privacy and compliance professionals, as well as technology and information security professionals, is to understand the intent of what needs to be achieved, and then come together to understand the structures required to govern and properly manage that intent. There is a unique opportunity to do this at the upcoming International Association of Privacy Professionals European Data Protection Congress in December. The event itself is designed to be a genuine forum on the legislative reform, with interactive workshops and presentations.
As a speaker from the information security community, I look forward to interacting with privacy and legal advisors that shape the frameworks to come. As a delegate, I am looking forward to learning from them and recognising more of what we need to understand within the security community.
Yves Le Roux, policy group lead (ISC)2 EMEA advisory board