Examination of Witnesses (Questions 940
TUESDAY 17 APRIL 2007
Q940 Lord Sutherland of Houndwood:
Commissioner, the security breach notification laws, for example,
apply in over 30 US states and I wondered if you or your colleagues
have a view about the value of such security breach notification
laws and what the position is within the Commission on that?
Commissioner Reding: That was exactly what I
said to your colleague, my Lord, just before. That is what I will
propose in the new Regulatory Framework for Electronic Communications.
That will be one of the points. We are going also to look at penalties
for not implementing appropriate standards in Internet security.
You will probably ask when I propose to do this. I propose to
do this in the summer. Summer is an extensive time and I cannot
tell you yet the exact date but it will be on the table this year
and then of course it is a Court decision procedure which means
--- (Video link broken) I will repeat my last sentence. You know
that the Commission has the right to propose legislation but it
is then for the Member States and for the European Parliament
as legislator to decide in a co-decision majority vote on this.
I would like to add also, because that is also a partial response
to what your colleagues have asked, it is not only on legislation
and on the public/private partnership that we are working. In
our ICT research programme we have just launched a 2 billion
call for proposals for collaborative European research and we
have a research priority on security. (Video link broken)
We are back again, Commissioner, sorry about this.
Commissioner Reding: There is better technology
available; I have already seen it! What I wanted to say is that
we have devoted a part of our European research in ICT to the
Q942 Lord Sutherland of Houndwood:
Thank you very much. Can I press you just one little bit further.
How far are the draft proposals on breach notification limited
to telecoms and would it not be more sensible to extend it to
all companies that own large data sets?
Commissioner Reding: Yes, the Regulatory Framework
is just on telecoms, unfortunately. When I am speaking to you
now what I propose in the summer as a reform of the telecoms package
is going to be on electronic communications.
Q943 Lord Sutherland of Houndwood:
We understand that but is there any way in which the broader issue
could be raised so this might apply to all companies holding personal
data in electronic form? There have been some spectacular cases
reported in the press recently where legislation of this sort
would be important.
Commissioner Reding: You are absolutely right
that this would be necessary. I can give you an example of how
we are working on RFID, the radio frequency identification tags,
where the problem does not yet exist but where we have proactively
started to bring together the stakeholders in order to discuss
not only the economic benefits of RFID tags but also the possible
problems to personal privacy, so to find the solutions at European
level on standards and security before RFID becomes a landslide
application. If I want to go further than the telecom rules, I
will have to go on a stand-alone regulation, as I propose to do
for RFID for instance.
Lord Sutherland of Houndwood: Thank you,
I think that clarifies the position but perhaps leaves us wanting
Q944 Earl of Erroll:
Sorry I just wanted to add to that. Surely from a personal point
of view it is not just a privacy issue, it is the loss of financial
information that is really worrying people and it is when the
credit card details get lost by large organisations that really
causes the financial grief to the ordinary citizen much more than
the breach to their privacy through telecoms data being lost?
Commissioner Reding: Yes, we are looking at
penalties for not implementing appropriate standards in Internet
security. We are working on our Internet security issue and also
on the software providers' liability. You know also that the London
Action Plan is high in our priorities. I have very much welcomed
the fact that the American President has now signed the SAFE WEB
Act so that we can also at an international level start to collaborate.
Chairman: We are going to return to Lord
Harris now please.
Q945 Lord Harris of Haringey:
I would like to come back to the draft Payment Services Directive,
which I appreciate is not your responsibility but where we have
received evidence that the effect of this would be to level down
the level of protection offered to consumers who fall victim to
card fraud by allowing banks essentially to pass on the risks
to customers. What is your view as Commissioner with responsibility
for the well-being of the information society of this Directive?
Do you not feel that it would be better to move towards the position
of the United States where the banks are legally liable for losses
due to on-line fraud?
Commissioner Reding: Payment services do not
fall under my direct responsibility. That is the responsibility
of my colleague McCreevy, the Commissioner for the Internal Market,
and here what is concerned is mostly very small payments, so I
am not now in a position to give you a very precise answer to
your question. I have not studied this question in depth.
Lord Harris of Haringey: I appreciate
that and thank you for your frankness, Commissioner, but under
those circumstances, given that we are being told that the impact
of this would be unfortunate in terms of the transfer of the risk
and the impact that this could have on the health of the information
society, may we ask that you look at this further and perhaps
come back to us? (Video link broken)
Chairman: We are back again.
Q946 Lord Harris of Haringey:
I do not know whether you heard but my final point was that given
that we are told that this draft Directive could have a negative
effect on people's confidence because of the way in which risk
will be transferred, perhaps you can give us your assurance that
you will look at this further, and if you are able to come back
to us with your views that would be helpful, even though it is
the direct responsibility of your colleague?
Commissioner Reding: I am certainly going to
speak about this with Charlie McCreevy and have a look at this
also with Kuneva, because, as you know, we have a Commissioner
especially for consumer protection, so I think together with her
we should have a look at what you have just said. I am just aware
that we go there for the micro payments but not for the bigger
payments and I will have to have a look, together with my two
colleague Commissioners, at the effect of such legislation and
also have a look at where this legislation is in the pipeline
for the moment.
Lord Harris of Haringey: Thank you very
Let me ask a question about where we feel responsibility should
be placed. At the moment the majority of the risk in using the
Internet is really dumped on the consumers, for instance by means
of end user licence agreements that people will sign without really
understanding them. However, it has been suggested to us that
the key players in the industry - software manufacturers,
retailers, ISPs and so on - should be made liable for the
consequences of security breaches, at least insofar as they can
be shown to be negligent. The answers that your officials gave
us suggested that you might be considering trying to place some
responsibility upon some of these players. Could we get your views
on this please?
Commissioner Reding: I have already informed
you about the information security awareness day and we do have
the debate on the software providers' liability, and here I have
invited the private sector, in partnership with the public sector,
to be more proactive than it has been in the past. Among other
things, the private sector should promote the use and the development
of standardised processes that would meet commonly agreed security
standards to provide adequate and auditable levels of security
and support and an appropriate definition of responsibility. We
will follow the development of the industry-led initiatives in
this area and we plan to organise a business event to stimulate
the industry commitment to adopt effective approaches to implement
a culture of security in industry. My Lords, the way we normally
proceed is as follows: we do not like to come in immediately top
down with heavy regulation. If industry, if the market can sort
out the problem we leave the market to do that, but we also say
to the market or to the industry, "We do not want this to
happen for a very long period of time, so if you can sort it out,
do it, and if after one or two years you have not managed to sort
it out then we will have to come in with regulation," because
here we believe that self-regulation is the best way out, if it
is possible. If not, then we have to go to a binding regulation
which is potentially costly to the industry.
Chairman: Thank you, Commissioner. Lady
Q948 Baroness Sharp of Guildford:
Commissioner, you have spoken in relation to the new Regulatory
Framework that you are going to be introducing this summer about
the need to improve enforcement mechanisms. I would like to ask
you, if I might, about the E-Privacy Directive which requires
communication providers to keep their own networks secure. Are
you satisfied with the enforcement of these provisions? Do you
think that the national enforcement bodies such as the Information
Commissioner in the UK have sufficient teeth?
Commissioner Reding: No, we are not 100 per
cent satisfied with the level of implementation. We think that
you have to improve the implementation, and, as I said before,
it is not only deciding on the piece of legislation, it is the
enforcement mechanisms in order to ensure that the regulators
have adequate and flexible powers to implement and enforce the
law because in all these cases I am working together with the
national regulators. They are responsible for enforcing the European
Regulation and I think, for instance, that there should be the
possibility for ISPs to protect the interests of their customers
by taking direct action against spammers. That is one of the cases.
Concerning the national regulators, not in all Member States do
the national regulators have enough powers. You have Ofcom in
the United Kingdom which is a well-functioning, serious body,
but I tell you that I have a lot of cases in front of the European
Court of Justice because of very inconsistent application of European
law by the different national regulators. One of my proposals
in this new piece of legislation is that I would like to impose
an obligation on the Member States to have real independent regulatory
bodies. When I say independent, I mean from business, from industry
and from government, so that is the basis of the fair implementation
of regulation in its full consistency.
Baroness Sharp of Guildford: Thank you
Q949 Lord Harris of Haringey:
You told us earlier that you had been pressing for more resources
to be put into enforcement of action against spammers. Do you
think that there is more that could be done at EU level in terms
of counteracting spam? In particular, would you like to see a
raising of the level of fines for spamming and a blocking of loopholes
such as business-to-business spam?
Commissioner Reding: Spam is a real problem;
we know that. We know also that we have to solve this problem
at a world level. We know the countries where most of the spam
is coming from and I have started discussions with my American
counterparts and I have started discussions with my Russian counterparts
on this because one strategy is to have anti-spam action inside
Europe and another one on the spam coming into Europe in a massive
way. Member States and competent authorities will be called upon
to lay down clear lines of responsibility for national agencies
which are involved in fighting spam and to have effective co-ordination
between competent authorities and involve the market players at
national level drawing on their expertise and available information
to ensure that adequate resources are made available to enforcement
efforts. When I am speaking about international I mean outside
of Europe relations, where I speak up very loudly each time I
meet my counterparts.
Q950 Lord Harris of Haringey:
In the USA many of the anti-spam cases have been brought to court
by private companies such as AOL or Microsoft taking action themselves.
Would you like to see it being made easier for this type of legal
action taking place in the EU on behalf of third parties?
Commissioner Reding: Well, most of the spam
is coming out of the United States, that is for sure. We want
companies to ensure that the standard of information for the purchase
of software applications is in accordance with data protection
laws and for companies to contractually prohibit illegal use of
software in advertising and monitor how advertisements reach consumers
and follow up malpractice and email service providers to provide
a filtering policy which ensures compliance with the recommendation
and guidance on email filtering, so there is a very strong responsibility
on the private sector. By the way, I am in a relationship with
all the providers in security applications, with those from the
United States but also those from Europe.
Q951 Lord Harris of Haringey:
Can I change the subject again perhaps to another area where this
is outside your direct responsibility which is the question of
the policing of Internet security. I appreciate that there are
other Commissioners with a direct responsibility but do you as
Commissioner for Information and Society see there being a case
for establishing a European cyber police force?
Commissioner Reding: I know from very intensive
discussions with my colleague responsible for internal security
and from discussions with the ministers of the interior for many
Member States and with those responsible for Europol and Interpol,
that police forces indeed have already established, even if it
is not in law, but they are already pursuing those goals and they
have very strong international co-operation. I had to look to
them for the protection of children, so I was working together
with them and I know how they work. At this moment this question
you have asked has become a hot topic in Germany. I believe that
one has to have equilibrium between protecting our society against
crime and thus giving the law enforcement authorities the possibility
to utilise (as those who commit crime do) the new technologies
but at the same time we have to pay attention to privacy and data
protection. To have this in equilibrium is not an easy task.
Q952 Lord Harris of Haringey:
Okay. Some of the evidence we have received has said that a lot
of the organised criminal activity on line is emerging from Eastern
Europe. Do you see there being a problem in so far as some of
the newly joined Member States - Rumania, Bulgaria and so
on - are concerned and do you think there is more that should
be done to provide support to the authorities in those countries
to deal with the problem?
Commissioner Reding: That is exactly what Europe
is for and if you see where the countries which have joined the
European Union shortly were some years ago and where they are
now, the difference is extraordinarily strong. We help those countries
to build up law enforcement and to build up also an independent
judiciary system, which is the basis of all democratic development,
and the fact that they are members of the Union, they are members
of a big family makes the progress here much quicker than if they
were outside. We have of course a problem with those countries
which are now the new neighbours and on which we do not have the
same means of influence. There we can only exercise the necessary
pressure in our international relations so that they understand
that we understand that they are a problem in security issues.
ENISA is also helping with respect to those activities to set
up a computer emergency response team and to promote best practice
on network security.
Lord Harris of Haringey: Thank you, Commissioner.
Q953 Baroness Sharp of Guildford:
Commissioner, you spoke at the beginning of our discussions about
the importance of being able to protect children from paedophilia
and of the awareness-raising programmes that you are promoting
amongst both parents and children themselves. Can I ask you whether
you are taking any further action? For example, in the UK the
Internet Watch Foundation has been very successful in closing
down child abuse sites. Is anything analogous being proposed within
the European framework?
Commissioner Reding: Yes. We have the Safer
Internet Programme which is very efficient in helping private
organisations, which are the ones who fight against criminality
against children. In 2007 this has been supporting the international
actions which have been targeted at combating the distribution
of child sexual abuse images by developing a network of international
hotlines - and I just read now the 116000 telephone number
for abducted children - to have a Europe-wide linked telephone
number so that we can find abducted children more quickly. We
are promoting co-operation between law enforcement agencies. We
have helped in our research the development of technological tools
for the specific needs of the police to analyse more quickly and
more efficiently child abuse materials and we have been engaging
with the European financial institutions so that they collaborate
in a chain of distribution of evidence of child abuse. Our Keep
Safe awareness network now has notes in 24 countries in Europe.
We have also this year started public consultations in order to
find appropriate ways all together in a shared responsibility
between public and partner institutions. We will follow up with
four workshops on this and I think I already told you about the
memorandum of understanding by the mobile phone operators which
has been signed on 6 February this year. I will have a look on
6 February next year at what has happened there. If the operators
manage to set up the necessary security measures for the parents,
I do not need to come in. If they do not, I will come in. I plan
also to arrange the same kind of round table with the handset
manufacturers to see if they can in build the security measures
that parents and grandparents would like to have. I am also planning
this year to promote co-operation with Russia in this sphere.
I have already discussed with my Russian counterparts in order
to see some action coming up on the on-line distribution of child
Q954 Baroness Sharp of Guildford:
Thank you very much.
Commissioner Reding: So we are very active on
Baroness Sharp of Guildford: Good, thank
Commissioner, those are all of our questions. It has been extremely
useful to hear your views and your answers. Is there anything
else you think we should consider before we close the session?
Commissioner Reding: Well, Chairman, just consider
that you have an open door here in Brussels and that myself or
my collaborators will provide you all the answers which we can
to your oral or written questions in the future. Thank you very
much for the work that you are doing and I will certainly have
a look at your conclusions.
Thank you, Commissioner. Your answers have been concise and extremely
useful to us, so thank you very much indeed.
Commissioner Reding: Thank you,