The Global Challenge of Cloud Computing and EU Law
Introduction
In the world of information and communication technologies (ICTs), the phenomenon of cloud computing is almost inescapable these days,1 and it seems to indicate the direction in which information infrastructures are moving. The concept, relatively simple, implies the migration of computing hardware, software infrastructures, and applications to third-party service providers’ data centres which, to end users, appear to exist somewhere “in the clouds” of cyberspace. Cloud computing is therefore a new way of delivering computing resources and services, a new segment of the overall ICT portfolio, rather than a new technology per se.2 The advantages of such a business model are readily identifiable and result in considerable cost savings (companies do not have to invest in new infrastructures, thereby reducing capital expenditure on hardware, software, licensing, and other services), location independence (users can access systems from anywhere, regardless of their location), multi-tenancy benefits (sharing of resources and costs among a large pool of users), low barriers to entry, and immediate access to a broad range of applications. Moreover, organisations using cloud models can take advantage of the best and latest technology without any upgrade of internal ICT infrastructures. Forward-thinking companies launched their business experiments based on cloud computing, and it is foreseen that massive investment will take place on a global scale in the coming years.3
However, the many benefits of cloud computing may be offset by certain technical risks and legal concerns linked, in primis, to security, privacy, and the protection of confidential data. How best to ensure that personal information stored in data centres, in cyberspace, is properly managed and controlled by the host in order to avoid the leakage or manipulation of sensitive data?
Jurisdictional issues are another major area of legal difficulty in the domain of cloud computing. How should the jurisdiction that is necessary to initiate a criminal investigation of cloud computing-related offences be established when cyberspace is, by definition, transnational and borderless in nature? Is the “territoriality principle” applicable? To this extent, there is little doubt that traditional jurisdictional concepts, such as lex loci delicti commissi and the principle of the “natural” judge, are seriously challenged here.
At the European Union (EU) level, the adoption of the multi-annual Stockholm Programme,4 providing the overall policy agenda for 2010-2014 in the area of freedom, security and justice in the EU, as well as the entry into force of the Treaty of Lisbon5 on 1 December 2009 have substantially enhanced the EU’s mandate with regard to the fight against cybercrime. Art. 83 of the Treaty on the Functioning of the European Union (TFEU) enables the Union to establish minimum rules concerning the definition of criminal offences and sanctions in relation to serious crime with a cross-border dimension. Art. 83, paragraph 1 of the TFEU lists, inter alia, computer crime among the serious crimes. This means that the Union can adopt legally binding acts in this field of law in the near future if they are deemed appropriate.6
This paper will first look at the cloud computing phenomenon, framing the concept and shedding light on the most relevant pros and cons. It will then discuss the main legal implications of cloud computing with a particular focus on data protection and criminal jurisdictional issues, leaving aside other problems that may be associated with security “in the clouds”7 and the most recent debate on the environmental impact of cloud computing (also known as green computing).8 Finally, it will assess the preparedness of EU legislation to address these legal issues rebus sic stantibus and in light of the entry into force of the Lisbon Treaty.
Cloud Computing: The Phenomenon
Every day, thousands of Internet users engage in cloud computing activities without even realising it. Saving a text file on the Google Docs website, maintaining an album of photos on Flickr, storing some profile photos on Facebook, uploading videos on YouTube, using the email services of Yahoo!, and blogging and posting comments from everywhere in the world using Blogger and Twitter − just to mention some of the most popular worldwide websites − all require the transmission of data and applications in cyberspace. Users no longer need to store photos and documents in traditional physical paper albums, CDs, mobile phones, or notebooks; these data can reside “in the clouds,” and users can access them online through any web-connected device when and how they want. “In the clouds” is, of course, a metaphor to describe the worldwide platforms and data centres that host such data and applications, making them available on demand. A CNN report of 4 November 2009 entitled: “A trip into the secret, online cloud”9 showed how, in cloud computing environments, de facto, data still remains in someone’s building rather than in fluffy clouds. The author of the report visited an IBM cloud computing centre in California and reported that it was “nearly the size of a football field. It is in a metal building, part of an office complex. Inside, rows of black, refrigerator-sized computer towers, 4.000 of them in all”. The conclusion can be reached that: “The cloud is an energy-sucking and fallible machine.”10 However, many international companies, like Amazon, Google, and Microsoft, do not have only one cloud computing centre but dozens of them located in every corner of the globe (often kept hidden for security reasons). Customers and clients can total millions.11 In such a miasma of cloud platforms, where geography loses all meaning and where information flows ignore boundaries and time zones, it is difficult to be sure that personal data are adequately protected.
Turning now from the individual Internet user who, often unwittingly, avails himself of cloud computing to stay in contact with friends on Facebook or to upload photos and videos on Flickr, MySpace, and YouTube, to the multinational corporations that, in the wake of the economic downturn, consciously entered cloud platforms to reduce the impact of falling sales, revenues, and profit margins, one notices that, over the past months, cloud computing has gained significant momentum. A recent survey conducted by Computer Associates12 (CA) in February 2010, with the intent to better understand the perspective of European enterprises on cloud computing, showed that interest in cloud platforms grows dramatically as company size grows. 63% of companies with between 1000 and 3000 employees have little interest in cloud computing, with that number dropping to 43% for businesses with over 3000 employees.13 One of the most publicised success stories for cloud computing concerns the New York Times case.14 The idea was to make the 1922-1951 New York Times archive available online. This required plenty of computer capacity that was not available in-house. As a result, capacity was outsourced to Amazon. By so doing, the New York Times achieved significant additional cost savings that could be converted into investment in internal capacity expansion.
Why are legal issues inextricably linked to cloud computing? Cloud platforms collect tremendous amounts of sensitive data and personal information. The countries in which they operate may address privacy and security issues in very different ways. At a macroscopic level (which means at the level of business and governments, rather than that of young social network users), the risks of inappropriate disclosure, exploitation, unfair appropriation, or misuse of information are potential threats to the companies’ competitiveness or reputation, or even to the sovereignty of the State if national governments decide to store information on cloud platforms.15 Businesses are generally very reluctant to enable direct competitors to have access to their commercially sensitive data, such as customer contact lists, detailed sales data, and know-how.
Legal Implications of Cloud Computing
Transnational data flows trigger legal obligations in different jurisdictions. These legal questions are only just beginning to emerge, but they could develop into major points of contention in the near future. The sharing and transfer of data “in the clouds” is a crucial issue that gives rise to legal problems. In many cases, it is difficult for the cloud customer to check the data handling practices of the cloud provider and to be sure that the data are processed in a lawful way.
Some countries have comprehensive and strong data protection frameworks and, in the absence of specific compliance mechanisms, they are reluctant to allow (or in some cases even prohibit) the transfer of personal data to countries where data protection standards are considerably lower.16
Since location is irrelevant in cloud computing, in cases of dispute, complex legal jurisdictional issues arise. In fact, illegal access followed by illegal use of data or the manipulation of or interference with data flows can potentially lead to the commission of a number of (cyber)crimes related to identity theft, unauthorised access for the purpose of sabotage, intellectual property violations, online fraud, and other forms of crime. To this extent, one of the crucial challenges to which cloud computing gives rise is the question of how to resolve jurisdictional issues arising from irregular online conduct that produces legal effects in multiple jurisdictions. If more than one State asserts jurisdiction, a dispute or even a conflict may occur among the States involved. It is therefore difficult to identify the authorities and the courts that are competent to launch an investigation, prosecute, and eventually adjudicate the case. For such criminal acts, committed through the extended use of ICT facilities, the different elements of the criminal plan may affect not one but various countries.
The discussion on cybercrime and Internet jurisdiction is an ongoing legal issue in public international law, particularly within the Council of Europe.17 Arrangements for the settlement of jurisdictional conflicts, ne bis in idem, and the transfer of proceedings are also dealt with within the EU (see infra part 5).
Brief Overview of EU Policy on Cybercrime
For the past decade, the EU has worked on different legal measures in the field of cybercrime. Already in 2000, in order to ensure that the targets set by the Lisbon European Council18 would be reached by defining the necessary measures, the Council of the European Union and the Commission prepared the “eEurope Action Plan,”19 which included actions to enhance network security and the establishment of a coordinated and coherent approach to cybercrime. In January 2001, the first Communication on cybercrime entitled: “Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating computer-related crimes”20 was published.
Moreover, in the former so-called ‘third pillar,’ the Union tried to approximate the laws and regulations of the Member States in the field of cybercrime with different framework decisions, notably the 2001 Framework Decision on combating fraud and counterfeiting of non-cash means of payment,21 the 2002 Framework Decision on combating terrorism,22 the 2003 Framework Decision on combating the sexual exploitation of children and child pornography,23 and the 2005 Framework Decision on attacks against information systems.24 In late 2008, the Justice and Home Affairs Council discussed cybercrime again in the context of European cooperation on internal security. It adopted conclusions on setting up national alert platforms and a European alert platform for reporting offences detected on the Internet as well as conclusions on promoting closer operational cooperation among the law enforcement authorities of the Member States.25 On the wave of these Council conclusions, in January 2010, the Spanish presidency proposed an action plan for a concerted strategy to combat cybercrime,26 calling upon the Member States to consider and discuss the next steps to be taken, examining which of the alternatives proposed best define the general guidelines that will serve as a basis for implementing the Union’s anti-cybercrime strategy.
Recently, the 3010th General Affairs Council meeting,27 held in Luxembourg on 26 April 2010, adopted new Conclusions on the implementation of a concerted strategy to combat cybercrime. The Conclusions included short and medium term actions to be taken in order to specify how the main points of the strategy should be implemented.28
Finally, specific reference to the fight against cybercrime is made in the third multi-annual Programme in the area of freedom, security and justice, known as the Stockholm Programme,29 which was endorsed by the European Council in December 2009.30 Special attention to the fight against cybercrime is also evident in the trio (Spanish, Belgian and Hungarian) presidency’s Justice and Home Affairs programme for 2010-2011, presented in January 2010.31
Aside from developments in the legislative process, the EU in 2004 endeavoured to strengthen cyber-security by launching an ad hoc agency, ENISA (the European Network and Information Security Agency),32 with the aim of enhancing information exchange and cooperation on network and information security as well as stimulating cooperation between the public and private sectors, thereby ultimately providing assistance to the Commission and the Member States.33
The entry into force of the Lisbon Treaty34 on 1 December 2009 provides for a solid mandate for the EU with regard to computer crimes, listed among crimes with a cross-border dimension.35
Cloud Computing and EU Law
Data protection issues
The preceding sections highlighted two main legal aspects related to cloud computing: data protection and jurisdictional issues. Is European Union legislation adequate to face the potential challenges presented?
The protection of personal data in the European Union is laid down in Art. 8 of the Charter of Fundamental Rights of the European Union36 and is further detailed in three main legal instruments: the 95/46/EC Data Protection Directive,37 the 2002/58/EC Directive on privacy and electronic communications,38 and, within the framework of the former ‘third pillar,’ the 2008 Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (to be implemented by November 2010).39 With the entry into force of the Treaty of Lisbon, the legal basis for secondary legislation to ensure the protection of personal data in the Union has now been laid down in Art. 16, paragraph 2, which provides that the European Parliament and the Council shall, acting in accordance with the ordinary legislative procedure:
“lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data”.40
For the purpose of cloud computing, the key principle in the 95/46/EC Data Protection Directive is contained in Chapter IV on “Transfer of personal data to third countries”. In particular, Art. 25, paragraph 1, states that:
“The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection”.41
This means that a company that does its processing “in the clouds” may be violating EU law if data are processed (this might include operations, such as recording, storage, use, disclosure by transmission, erasure, or destruction, etc.) in servers located in third countries that do not meet the Union’s adequacy standards for data protection.
In 2000, in order to bridge the different data protection approaches and provide a streamlined means for American companies to comply with EU law, the US Department of Commerce, in consultation with the European Commission, developed the ‘Safe Harbour’ framework.42 On 26 July 2000, the Commission adopted Decision 520/2000/EC43 recognising that the Safe Harbour respected international privacy principles. Since 2000, the overall operation of the Safe Harbour has been periodically monitored by the European Commission through staff working papers,44 which provided assessments on the functioning of the agreement. However, the Safe Harbour certification allows data transfer exclusively from the EU to the United States but not from the EU to other countries. As a result, cloud computing often circumvents the scope of such a framework.
For the transfer of personal data to third countries outside the United States, a different scheme is offered to multinational companies to meet their legal obligations and ensure a proper level of protection of personal information: the so-called Binding Corporate Rules (BCRs). The Art. 29 Data Protection Working Party,45 in its documents WP7446 and WP108,47 provided guidance on the necessary content of BCRs. Moreover, to improve the communication on BCRs and to allow companies concerned with international data transfers to receive more precise information on the structures of the BCRs, the Art. 29 Working Party has developed a toolbox designed both for companies and for data protection authorities, which is composed of Frequently Asked Questions and a checklist.48 The aim of the toolbox is to provide operational answers to concrete questions regarding the international transfer of data.
Recently, on 15 May 2010, a new set of European Union standard contract clauses for processing European personal data abroad, known as “model contracts,” came into effect by means of the Commission Decision of 5 February 2010,49 which repealed Decision 2002/16/EC.50 The latter was originally adopted in order to facilitate the transfer of personal data from a data controller in the EU to a processor in a third country that does not ensure an adequate level of protection. Regarding cloud computing, a major change from the 2002 model contracts is that, under the new Decision, the data importer may not disclose the personal data to a third party without the prior written consent of the data exporter. In this context, however, it is also crucial to establish the obligations of “controllers” and “processors,” which is not always clear in cloud computing services.51 In a recent paper entitled “Data Protection and Cloud Computing under EU law,” presented at the Third European Security Awareness Day on 13 April 2010, the European Data Protection Supervisor, Peter Hustinx, stressed that, in many cases, cloud providers are data processors. However, when they determine not only the means but also the purpose of the processing, they are also data controllers.52 Besides the unclear role played by cloud providers, in his paper Mr. Hustinx also emphasised other challenges such as, inter alia, the applicability of EU law in cloud computing and how to monitor the processing of data for purely personal purposes. In his view, in relation to the proposed updating of the Data Protection Directive, four areas may require amendments: applicable law, international data transfers, accountability, “privacy by design,” and the need to impose “processor” obligations where services are provided to individuals acting in a purely personal capacity.53
Criminal jurisdictional issues
Where online and Internet-related crimes are committed as a result of transnational data flows, numerous jurisdictional scenarios can arise. Under the lex loci delicti commissi principle, applying the territoriality principle requires establishing the place where the crime has been committed, and this is not always evident or may be open to more than one interpretation. Where the locus delicti is uncertain (which is very frequent in cloud computing), there is a major risk that more than one country can assert jurisdiction. Moreover, even if the place where the crime has been committed is precisely determined, this often does not coincide with the place where the perpetrators are physically located.
In order to increase efficiency in criminal proceedings and improve the proper administration of justice in an area of freedom, security and justice, the EU has put in place instruments that contribute to mitigating the legal uncertainty. Such instruments are, inter alia, the 2000 Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union,54 the 2009 Council Framework Decision on prevention and settlement of conflicts of exercise of jurisdiction in criminal proceedings,55 and the 2009 proposal for a Council Framework Decision on transfer of proceedings in criminal matters presented by a group of 16 Member States.56 Aside from these legal instruments, the EU agency Eurojust stimulates and improves the coordination of investigations and prosecutions between competent authorities of the Member States. Under Art. 6, paragraph 2 of the new Eurojust Council Decision,57 the agency is now entitled to issue a non-binding opinion on how a jurisdictional conflict between two or more EU Member States should be settled. If a Member State does not accept this opinion, it must give reasons for its decision.
The aim of these legal instruments, however, is to contribute to the fight against cross-border crime (including cybercrime) and to create a common solution exclusively for the 27 Member States of the EU. But what about specific jurisdictional cybercrime conflicts or disputes over concurring jurisdictional claims involving countries outside the EU? In this regard, the central piece of legislation remains the 2001 Council of Europe Convention on Cybercrime,58 which, in Art. 22, specifies the criteria under which the contracting States are obliged to assert jurisdiction over criminal offences as provided in Arts. 2 to 11 of the Convention.59
Concluding Remarks
Cloud computing is a phenomenon still in its infancy, but it represents an impressive shift away from the “traditional” methods of delivering ICT services. Consistent investment will take place worldwide in the coming years, and the legal impact of the cloud computing models needs to be carefully scrutinised. Framing legal relations “in the clouds” may prove to be a labour of Sisyphus, since the transborder and instantaneous flows of data make cloud computing a constant “moving target.” From among the range of different legal issues, this paper focused on the safeguarding of data protection and jurisdictional aspects of cloud computing within the context of existing EU legislation. Regarding data protection, the paper showed that, in addition to the comprehensive EU data protection framework, ad hoc legal instruments also exist, such as the Safe Harbour Certification, the Binding Corporate Rules (BCRs), and the new set of EU standard contract clauses (SCCs or “model contracts”). However, the role played by cloud providers is not always clear. The distinction between “controller” and “processor” becomes blurred. Moreover, it is not always easy to determine whether EU law applies. In fact, this is subject to precise conditions (such as the establishment of the cloud provider in the EU) and might not cover a range of services.60 Since the Data Protection Directive is in the process of being reviewed and modernised in response to the latest technological developments,61 these lacunae can hopefully be filled, thus enabling the Union’s legal framework to be better equipped to deal with the challenges brought about by cloud computing.
As ICTs have developed, so have criminal offences associated with their use. As a result of the migration of personal data into cyberspace, new methods of perpetrating crimes have developed. National criminal codes were not written with the language of the Internet in mind. In this regard, ICT has a universal, technically harmonised, standard language. Legislators and regulators are trying hard to keep pace. Even relatively modern legal instruments, such as the Council of Europe Convention on Cybercrime, do not address phenomena such as “skimming,” “phishing,” or “cloud computing,” since such phenomena were not as relevant in 2001 as they are today. Despite the legal instruments that are in place at the EU level, as referred to in this paper, jurisdictional issues remain unclear in cases of disputes over information technology crimes. The ubiquity of cloud computing undermines legal certainty as regards the locus delicti and other traditional principles of jurisdiction. This can lead to a multiplication of assertions of jurisdiction with the consequent involvement of not one but a range of States. At any rate, due to their nature, cybercrime jurisdictional issues cannot be addressed solely within the EU but must be addressed at the international level. In this regard, the insertion of “computer crimes” in the list of serious crimes with a cross-border dimension by means of Art. 83 of the TFEU provides a much needed opportunity to reflect on the main challenges in the fight against cybercrime and on how the EU intends to address these challenges in the future.
The 5th Internet Governance Forum (IGF) 14-17 September 2010 in Vilnius, Lithuania, continuing from the Sharm El Sheikh IGF of November 2009, has devoted an entire workshop to the topic: “Emerging issue: Cloud Computing”. More information can be found at: http://www.intgovforum.org/cms/.↩︎
See the European Network and Information Security Agency report of November 2009: Cloud Computing – benefits, risks and recommendations for information security, p. 4. Available at: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment.↩︎
According to the International Data Corporation's (IDC) analysis “Western European Software-as-a-Service Forecast 2009-2013”, April 2009 (Doc # LT02R9, 2009), $44.2 billion will be invested in cloud computing worldwide by 2013, with the European market ranging from €971 million in 2008 to € 6,005 million in 2013.↩︎
The Stockholm Programme − An open and secure Europe serving and protecting the citizens. Presidency Conclusions − Brussels, 10-11 December 2009 (Council of the European Union, Brussels, 3 March 2010, 5731/10).↩︎
For the consolidated versions of the Treaty on European Union and of the Treaty on the Functioning of the European Union, together with the annexes and protocols thereto, incorporating the amendments introduced by the Treaty of Lisbon, see O.J. C 83, 30 March 2010, p. 1.↩︎
On this point, see Gercke, M.: Impact of the Lisbon Treaty on Fighting Cybercrime in the EU – the redefined role of the EU and the change in approach from patchwork to comprehensiveness, 2010 Computer Law Review International 3, pp. 75-80.↩︎
In 2000, in response to certain legal aspects of information society services and, inter alia, on the liability of Internet Service Providers (ISPs), the European Union adopted Directive/2003/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (e-commerce Directive), (O.J. L 178, 17 July 2000, p. 1).↩︎
The Organisation for Economic Cooperation and Development (OECD) is analysing the emerging impact of cloud computing and related policy implications as well as its environmental benefits, such as energy efficiency and energy use. A policy recommendation on ICTs, the environment, and climate change was issued in 2010. Available at: http://webnet.oecd.org/oecdacts/Instruments/ShowInstrumentView.aspx?InstrumentID=259&InstrumentPID=259&Lang=en.↩︎
Watch the entire CNN video here: http://edition.cnn.com/2009/TECH/11/04/cloud.computing.hunt/index.html.↩︎
Sutter, J.: A trip into the secret, online ‘cloud’. CNN report of 4 November 2009. Available at: http://edition.cnn.com/2009/TECH/11/04/cloud.computing.hunt/index.html.↩︎
According to the Google Apps official website, more than two million businesses run Google Apps with thousands more signing up every day. Source: http://www.google.com/apps/intl/en/business/index.html (last visited: 10 July 2010).↩︎
An independent private IT management software company.↩︎
Computer Associates (CA) Survey: Unleashing the Power of Virtualization 2010 – Cloud Computing and the Perceptions of European Business, February 2010, p. 5. Available at: www.ca.com/mediaresourcecentre.↩︎
For an illustration of this and other cloud computing cases, see Petri, G.: Shedding light on Cloud Computing. Computer Associates (CA), January 2010, p. 5. Available at: http://www.ca.com/files/whitepapers/mpe_cloud_primer_0110_226890.pdf.↩︎
To this extent, see C. Arthur, Government to set up own cloud computing system. The Guardian, 27 January 2010. On the British Government strategy to create an internal cloud computing system as a plan that it claims could save up to £3.2 billion a year on an annual bill of at least £16 billion. Available at: http://www.guardian.co.uk/technology/2010/jan/27/cloud-computing-government-uk.↩︎
Under certain circumstances, prohibition of transfer of personal data is explicitly provided for in the EU Data Protection Directive, see infra part 5.↩︎
On this point, see the (draft) discussion paper of H. Kaspersen, Cybercrime and Internet jurisdiction. Council of Europe, Project on Cybercrime, version 5 March 2009. Available at: http://www.coe.int/t/dghl/standardsetting/t-cy/T-CY%20(2009)%20draft%20discussion%20paper%20Cybercrime%20and%20jurisdiction.pdf.↩︎
The Lisbon Special European Council, Lisbon, 23-24 March 2000: Towards a Europe of Innovation and Knowledge. Available at: www.consilium.europa.eu/ueDocs/cms_Data/docs/pressData/en/ec/00100-r1.en0.htm.↩︎
Action Plan: eEurope − An Information Society for all, Brussels, 14 June 2000. Available at: http://ec.europa.eu/information_society/eeurope/i2010/docs/2002/action_plan/actionplan_en.pdf.↩︎
Communication from the Commission to the European Parliament, the Council and the Committee of the Regions − Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-Related Crimes (COM(2000) 890 final).↩︎
Council Framework Decision 2001/413/JHA on combating fraud and counterfeiting of non-cash means of payment (O.J. L 149, 2 June 2001, p. 1).↩︎
Council Framework Decision 2002/475/JHA on combating terrorism (O.J. L 164, 22 June 2002, p. 1) and Framework Decision amending the framework decision on terrorism (O.J. L 330, 9 December 2008, p. 21).↩︎
Council Framework Decision 2004/68/JHA on combating the sexual exploitation of children and child pornography (O.J. L 13, 20 January 2004, p. 44). A new proposal to repeal this measure is currently under discussion.↩︎
Council Framework Decision 2005/222/JHA on attacks against information systems (O.J. L 69, 16 March 2005, p. 67).↩︎
Council of the European Union, Justice and Home Affairs, 2899th Council meeting, Luxembourg, 24 October 2008.↩︎
Council of the European Union, Multidisciplinary Group on Organised Crime (MDG): “Proposal by the Spanish presidency for an action plan on the concerted strategy to combat cybercrime” (Council of the European Union, 5071/10, 8 January 2010)↩︎
3010th General Affairs Council meeting: Conclusions concerning an Action Plan to implement the concerted strategy to combat cybercrime, Luxembourg, 26 April 2010. Available at: http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/jha/114028.pdf.↩︎
Among the medium-term actions, the Council conclusions include, inter alia, the ratification of the Council of Europe Cybercrime Convention and the improvement of the training of police, judges, prosecutors, and forensic staff to a level appropriate for carrying out cybercrime investigations.↩︎
The Stockholm Programme – An open and secure Europe serving and protecting the citizens (Council of the European Union 17024/09).↩︎
European Council 10-11 December 2009 – Conclusions, Brussels, 11 December 2009 (EUCO 6/09).↩︎
Council of the EU “JHA trio Presidency Programme (January 2010 - June 2011)” (Council of the EU, 5008/10, p. 14).↩︎
Regulation (EC) No 460/2004 establishing the European Network and Information Security Agency (O.J. L 77, 13 March 2004, p. 1). More information at: www.enisa.europa.eu.↩︎
In this regard, it is worth noting ENISA’s work in the field of CERTs (Computer Emergency Response Teams). Ideally established in each country to respond effectively to information security incidents, CERTs are intended to act as the primary security service providers for government and citizens. ENISA supports EU Member States and other stakeholders in the establishment and operation of CERTs. More information at: www.enisa.europa.eu/act/cert.↩︎
For the consolidated versions of the Treaty on European Union and of the Treaty on the Functioning of the European Union, together with the annexes and protocols thereto, as they result from the amendments introduced by the Treaty of Lisbon, see O.J. C 83, 30 March 2010, p. 1.↩︎
On the impact of the Lisbon Treaty on the fight against cybercrime, see M. Gercke, Impact of the Lisbon Treaty on Fighting Cybercrime in the EU – the redefined role of the EU and the change in approach from patchwork to comprehensiveness, 2010 Computer Law Review International 3, pp. 75-80.↩︎
Charter of Fundamental Rights of the European Union (O.J. C 83, 30 March 2010, p. 389).↩︎
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (O.J. L 281, 23 November 1995, p. 31).↩︎
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (O.J. L 201, 31 July 2002, p. 37).↩︎
Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (O.J. L 350, 30 December 2008, p. 60).↩︎
See the consolidated versions of the Treaty on European Union and of the Treaty on the Functioning of the European Union in conjunction with Declaration 21, attached to the Lisbon Treaty, which states, however, that specific rules “may prove necessary because of the specific nature of these fields” (O.J. C 83, 30 March 2010, p. 1).↩︎
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (O.J. L 281, 23 November 1995, p. 31).↩︎
For more information on the Safe Harbor arrangement, see http://ec.europa.eu/justice_home/fsj/privacy/thridcountries/adequacy-faq1_en.htm. A full list of companies that have signed up for the ‘Safe Harbour’ and details of how to sign up can be found on the website of the US Department of Commerce, available at http://www.export.gov/safeharbor/.↩︎
Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the Safe Harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441) (Text with EEA relevance.) (O.J. L 215, 25 August 2000, pp. 7-47).↩︎
Commission staff working paper: the application of Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the Safe Harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (SEC(2002) 196), and Commission staff working document: the implementation of Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the Safe Harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (SEC(2004) 1323).↩︎
The Article 29 Data Protection Working Party was set up as an independent European advisory body on data protection under Article 29 of Directive 95/46/EC. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC. More information available at: http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm.↩︎
Working Document WP 74: Transfers of personal data to third countries: Applying Article 26 (2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers, adopted on 3 June 2003. Available at: http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2003_en.htm.↩︎
Working Document WP 108: Establishing a model checklist application for approval of Binding Corporate Rules, adopted on 14 April 2005. Available at: http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2005_en.htm.↩︎
Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules, adopted on 24 June 2008. Available at: http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2008/wp153_en.pdf; and Working Document on Frequently Asked Questions (FAQs) related to Binding Corporate Rules, adopted on 24 June 2008, as last revised and adopted on 8 April 2009. Available at: http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2008/wp155_rev.04_en.pdf.↩︎
Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593) (Text with EEA relevance) (O.J. L 39, 12 February 2010, p. 5).↩︎
Commission Decision 2002/16/EC of 27 December 2001 on standard contractual clauses for the transfer of personal data to processors established in third countries, under Directive 95/46/EC (Text with EEA relevance) (notified under document number C(2001) 4540) (O.J. L 6, 10 January 2002, p. 52).↩︎
In this regard, see Article 29 Working Party Opinion 1/2010 on the concepts of "controller" and "processor". Available at: http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp169_en.pdf.↩︎
P. Hustinx, Data Protection and Cloud Computing under EU law. Third European Cyber Security Awareness Day, BSA, European Parliament, 13 April 2010, Panel IV – Privacy and Cloud Computing. Available at: http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Speeches/2010/10-04-13_Speech_Cloud_Computing_EN.pdf.↩︎
P. Hustinx, pp. 5-6.↩︎
Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union (O.J. C 197, 12 July 2000, p. 3).↩︎
Council Framework Decision 2009/948/JHA of 30 November 2009 on prevention and settlement of conflicts of exercise of jurisdiction in criminal proceedings (O.J. L 328, 15 December 2009, p. 42).↩︎
Proposal for a Framework Decision on the Transfer of proceedings in criminal matters (Council of the European Union, Brussels, 26 November 2009, 16437/1/09 REV 1, COPEN 231).↩︎
Council Decision 2009/426/JHA of 16 December 2008 on the strengthening of Eurojust and amending Decision 2002/187/JHA setting up Eurojust with a view to reinforcing the fight against serious crime (O.J. L 138, 4 June 2009, p. 14).↩︎
Council of Europe Convention on Cybercrime, Budapest, 21.XI.2001 (ETS 185) and its Additional Protocol concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems (ETS 189). Further information about the Convention, including the text of the instrument itself, the text of its Explanatory Report, and a current list of signatories and ratifying States, is available at: http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CM=1&DF=07/01/2010&CL=ENG.↩︎
On this point see H. Kaspersen, Cybercrime and Internet Jurisdiction, Discussion paper (draft), version 5 March 2009, prepared in the framework of the Project on Cybercrime of the Council of Europe. Available at: http://www.coe.int/t/dghl/standardsetting/t-cy/T-CY%20(2009)%20draft%20discussion%20paper%20Cybercrime%20and%20jurisdiction.pdf.↩︎
Article 3 of the Data Protection Directive excludes from its scope of application data processing carried out “by natural persons in the course of a purely personal or household activity”. As pointed out by Mr. Hustinx in his paper (see supra footnote 52): “In the context of the review of the data protection Directive, it is necessary to consider a way to fill this gap”.↩︎
On this point see Commissioner Reding’s paper: V. Reding, Data Protection in the EU – Challenges Ahead, 2010 eucrim 1, p. 25. Available at: http://www.mpicc.de/eucrim/archiv/eucrim_10-01.pdf.↩︎
All comments and views expressed in this article are those of the author only.