4.2.2014
EN
Official Journal of the European Union
C 32/19
Executive summary of the Opinion of the European Data Protection Supervisor on the Joint Communication of the Commission and of the High Representative of the European Union for Foreign Affairs and Security Policy on a ‘Cyber Security Strategy of the European Union: An open, safe and secure cyberspace’, and on the Commission proposal for a directive concerning measures to ensure a high common level of network and information security across the Union
(The full text of this Opinion can be found in English, French and German on the EDPS website: http://www.edps.europa.eu)
2014/C 32/10
1. Introduction
1.1. Consultation of the EDPS
1. On 7 February 2013, the Commission and the High Representative of the European Union for Foreign Affairs and Security Policy adopted a Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on a ‘Cyber Security Strategy of the European Union: An open, safe and secure cyberspace’ (1) (hereafter ‘the Joint Communication’, ‘the Cyber Security Strategy’ or ‘the Strategy’).
2. On the same date, the Commission adopted a proposal for a directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union (2) (hereafter ‘the proposed directive’ or ‘the proposal’). This proposal was sent to the EDPS for consultation on 7 February 2013.
3. Before the adoption of the Joint Communication and of the proposal, the EDPS was given the possibility to provide informal comments to the Commission. He welcomes that some of his comments have been taken into account in the Joint Communication and in the proposal.
4. Conclusions
74. The EDPS welcomes that the Commission and the High Representative of the EU for Foreign Affairs and Security Policy have put forward a comprehensive Cyber Security Strategy complemented by a proposal for a directive on measures to ensure a high common level of network and information security (NIS) across the EU. The Strategy complements the policy actions already developed by the EU in the area of network and information security.
75. The EDPS welcomes that the Strategy goes beyond the traditional approach of opposing security to privacy by providing for the explicit recognition of privacy and data protection as core values which should guide cyber security policy in the EU and internationally. The EDPS notes that the Cyber Security Strategy and the proposed directive on NIS can play a fundamental role in contributing to ensure the protection of individuals’ rights to privacy and data protection in the online environment. At the same time, it must be ensured that they do not lead to measures that would constitute unlawful interferences with individuals’ rights to privacy and data protection.
76. The EDPS also welcomes that data protection is mentioned in several parts of the Strategy and is taken into account in the proposed directive on NIS. However, he regrets that the Strategy and the proposed directive do not underline better the contribution of existing and forthcoming data protection law to security and fail to fully ensure that any obligations resulting from the proposed directive or other elements of the Strategy are complementary with data protection obligations and do not overlap or contradict each other.
77. Furthermore, the EDPS notes that due to the lack of consideration and taking full account of other parallel Commission initiatives and ongoing legislative procedures, such as the data protection reform and the proposed regulation on electronic identification and trust services, the Cyber Security Strategy fails to provide a really comprehensive and holistic view of cyber security in the EU and risks to perpetuate a fragmented and compartmentalised approach. The EDPS also notes that the proposed directive on NIS does not yet permit a comprehensive approach of security in the EU either and that the obligation set forth in data protection law is probably the most comprehensive network and security obligation under EU law.
78. The EDPS also regrets that the important role of data protection authorities in the implementation and enforcement of security obligations and in enhancing cyber security is not properly considered either.
79. As to the Cyber Security Strategy, the EDPS underlines that:
80. As to the proposed directive on NIS, the EDPS advises the legislators to:
Done at Brussels, 14 June 2013.
Peter HUSTINX
European Data Protection Supervisor
(1) JOIN(2013) 1 final.
(2) COM(2013) 48 final.