Select Committee on Science and Technology Minutes of Evidence

Examination of Witnesses (Questions 940 - 956)



  Q940  Lord Sutherland of Houndwood: Commissioner, the security breach notification laws, for example, apply in over 30 US states and I wondered if you or your colleagues have a view about the value of such security breach notification laws and what the position is within the Commission on that?

  Commissioner Reding: That was exactly what I said to your colleague, my Lord, just before. That is what I will propose in the new Regulatory Framework for Electronic Communications. That will be one of the points. We are going also to look at penalties for not implementing appropriate standards in Internet security. You will probably ask when I propose to do this. I propose to do this in the summer. Summer is an extensive time and I cannot tell you yet the exact date but it will be on the table this year and then of course it is a Court decision procedure which means --- (Video link broken) I will repeat my last sentence. You know that the Commission has the right to propose legislation but it is then for the Member States and for the European Parliament as legislator to decide in a co-decision majority vote on this. I would like to add also, because that is also a partial response to what your colleagues have asked, it is not only on legislation and on the public/private partnership that we are working. In our ICT research programme we have just launched a €2 billion call for proposals for collaborative European research and we have a research priority on security. (Video link broken)

  Q941  Chairman: We are back again, Commissioner, sorry about this.

  Commissioner Reding: There is better technology available; I have already seen it! What I wanted to say is that we have devoted a part of our European research in ICT to the security questions.

  Q942  Lord Sutherland of Houndwood: Thank you very much. Can I press you just one little bit further. How far are the draft proposals on breach notification limited to telecoms and would it not be more sensible to extend it to all companies that own large data sets?

  Commissioner Reding: Yes, the Regulatory Framework is just on telecoms, unfortunately. When I am speaking to you now what I propose in the summer as a reform of the telecoms package is going to be on electronic communications.

  Q943  Lord Sutherland of Houndwood: We understand that but is there any way in which the broader issue could be raised so this might apply to all companies holding personal data in electronic form? There have been some spectacular cases reported in the press recently where legislation of this sort would be important.

  Commissioner Reding: You are absolutely right that this would be necessary. I can give you an example of how we are working on RFID, the radio frequency identification tags, where the problem does not yet exist but where we have proactively started to bring together the stakeholders in order to discuss not only the economic benefits of RFID tags but also the possible problems to personal privacy, so to find the solutions at European level on standards and security before RFID becomes a landslide application. If I want to go further than the telecom rules, I will have to go on a stand-alone regulation, as I propose to do for RFID for instance.

  Lord Sutherland of Houndwood: Thank you, I think that clarifies the position but perhaps leaves us wanting more action.

  Q944  Earl of Erroll: Sorry I just wanted to add to that. Surely from a personal point of view it is not just a privacy issue, it is the loss of financial information that is really worrying people and it is when the credit card details get lost by large organisations that really causes the financial grief to the ordinary citizen much more than the breach to their privacy through telecoms data being lost?

  Commissioner Reding: Yes, we are looking at penalties for not implementing appropriate standards in Internet security. We are working on our Internet security issue and also on the software providers' liability. You know also that the London Action Plan is high in our priorities. I have very much welcomed the fact that the American President has now signed the SAFE WEB Act so that we can also at an international level start to collaborate.

  Chairman: We are going to return to Lord Harris now please.

  Q945  Lord Harris of Haringey: I would like to come back to the draft Payment Services Directive, which I appreciate is not your responsibility but where we have received evidence that the effect of this would be to level down the level of protection offered to consumers who fall victim to card fraud by allowing banks essentially to pass on the risks to customers. What is your view as Commissioner with responsibility for the well-being of the information society of this Directive? Do you not feel that it would be better to move towards the position of the United States where the banks are legally liable for losses due to on-line fraud?

  Commissioner Reding: Payment services do not fall under my direct responsibility. That is the responsibility of my colleague McCreevy, the Commissioner for the Internal Market, and here what is concerned is mostly very small payments, so I am not now in a position to give you a very precise answer to your question. I have not studied this question in depth.

  Lord Harris of Haringey: I appreciate that and thank you for your frankness, Commissioner, but under those circumstances, given that we are being told that the impact of this would be unfortunate in terms of the transfer of the risk and the impact that this could have on the health of the information society, may we ask that you look at this further and perhaps come back to us? (Video link broken)

  Chairman: We are back again.

  Q946  Lord Harris of Haringey: I do not know whether you heard but my final point was that given that we are told that this draft Directive could have a negative effect on people's confidence because of the way in which risk will be transferred, perhaps you can give us your assurance that you will look at this further, and if you are able to come back to us with your views that would be helpful, even though it is the direct responsibility of your colleague?

  Commissioner Reding: I am certainly going to speak about this with Charlie McCreevy and have a look at this also with Kuneva, because, as you know, we have a Commissioner especially for consumer protection, so I think together with her we should have a look at what you have just said. I am just aware that we go there for the micro payments but not for the bigger payments and I will have to have a look, together with my two colleague Commissioners, at the effect of such legislation and also have a look at where this legislation is in the pipeline for the moment.

  Lord Harris of Haringey: Thank you very much.

  Q947  Chairman: Let me ask a question about where we feel responsibility should be placed. At the moment the majority of the risk in using the Internet is really dumped on the consumers, for instance by means of end user licence agreements that people will sign without really understanding them. However, it has been suggested to us that the key players in the industry—software manufacturers, retailers, ISPs and so on—should be made liable for the consequences of security breaches, at least insofar as they can be shown to be negligent. The answers that your officials gave us suggested that you might be considering trying to place some responsibility upon some of these players. Could we get your views on this please?

  Commissioner Reding: I have already informed you about the information security awareness day and we do have the debate on the software providers' liability, and here I have invited the private sector, in partnership with the public sector, to be more proactive than it has been in the past. Among other things, the private sector should promote the use and the development of standardised processes that would meet commonly agreed security standards to provide adequate and auditable levels of security and support and an appropriate definition of responsibility. We will follow the development of the industry-led initiatives in this area and we plan to organise a business event to stimulate the industry commitment to adopt effective approaches to implement a culture of security in industry. My Lords, the way we normally proceed is as follows: we do not like to come in immediately top down with heavy regulation. If industry, if the market can sort out the problem we leave the market to do that, but we also say to the market or to the industry, "We do not want this to happen for a very long period of time, so if you can sort it out, do it, and if after one or two years you have not managed to sort it out then we will have to come in with regulation," because here we believe that self-regulation is the best way out, if it is possible. If not, then we have to go to a binding regulation which is potentially costly to the industry.

  Chairman: Thank you, Commissioner. Lady Sharp?

  Q948  Baroness Sharp of Guildford: Commissioner, you have spoken in relation to the new Regulatory Framework that you are going to be introducing this summer about the need to improve enforcement mechanisms. I would like to ask you, if I might, about the E-Privacy Directive which requires communication providers to keep their own networks secure. Are you satisfied with the enforcement of these provisions? Do you think that the national enforcement bodies such as the Information Commissioner in the UK have sufficient teeth?

  Commissioner Reding: No, we are not 100 per cent satisfied with the level of implementation. We think that you have to improve the implementation, and, as I said before, it is not only deciding on the piece of legislation, it is the enforcement mechanisms in order to ensure that the regulators have adequate and flexible powers to implement and enforce the law because in all these cases I am working together with the national regulators. They are responsible for enforcing the European Regulation and I think, for instance, that there should be the possibility for ISPs to protect the interests of their customers by taking direct action against spammers. That is one of the cases. Concerning the national regulators, not in all Member States do the national regulators have enough powers. You have Ofcom in the United Kingdom which is a well-functioning, serious body, but I tell you that I have a lot of cases in front of the European Court of Justice because of very inconsistent application of European law by the different national regulators. One of my proposals in this new piece of legislation is that I would like to impose an obligation on the Member States to have real independent regulatory bodies. When I say independent, I mean from business, from industry and from government, so that is the basis of the fair implementation of regulation in its full consistency.

  Baroness Sharp of Guildford: Thank you very much.

  Q949  Lord Harris of Haringey: You told us earlier that you had been pressing for more resources to be put into enforcement of action against spammers. Do you think that there is more that could be done at EU level in terms of counteracting spam? In particular, would you like to see a raising of the level of fines for spamming and a blocking of loopholes such as business-to-business spam?

  Commissioner Reding: Spam is a real problem; we know that. We know also that we have to solve this problem at a world level. We know the countries where most of the spam is coming from and I have started discussions with my American counterparts and I have started discussions with my Russian counterparts on this because one strategy is to have anti-spam action inside Europe and another one on the spam coming into Europe in a massive way. Member States and competent authorities will be called upon to lay down clear lines of responsibility for national agencies which are involved in fighting spam and to have effective co-ordination between competent authorities and involve the market players at national level drawing on their expertise and available information to ensure that adequate resources are made available to enforcement efforts. When I am speaking about international I mean outside of Europe relations, where I speak up very loudly each time I meet my counterparts.

  Q950  Lord Harris of Haringey: In the USA many of the anti-spam cases have been brought to court by private companies such as AOL or Microsoft taking action themselves. Would you like to see it being made easier for this type of legal action taking place in the EU on behalf of third parties?

  Commissioner Reding: Well, most of the spam is coming out of the United States, that is for sure. We want companies to ensure that the standard of information for the purchase of software applications is in accordance with data protection laws and for companies to contractually prohibit illegal use of software in advertising and monitor how advertisements reach consumers and follow up malpractice and email service providers to provide a filtering policy which ensures compliance with the recommendation and guidance on email filtering, so there is a very strong responsibility on the private sector. By the way, I am in a relationship with all the providers in security applications, with those from the United States but also those from Europe.

  Q951  Lord Harris of Haringey: Can I change the subject again perhaps to another area where this is outside your direct responsibility which is the question of the policing of Internet security. I appreciate that there are other Commissioners with a direct responsibility but do you as Commissioner for Information and Society see there being a case for establishing a European cyber police force?

  Commissioner Reding: I know from very intensive discussions with my colleague responsible for internal security and from discussions with the ministers of the interior for many Member States and with those responsible for Europol and Interpol, that police forces indeed have already established, even if it is not in law, but they are already pursuing those goals and they have very strong international co-operation. I had to look to them for the protection of children, so I was working together with them and I know how they work. At this moment this question you have asked has become a hot topic in Germany. I believe that one has to have equilibrium between protecting our society against crime and thus giving the law enforcement authorities the possibility to utilise (as those who commit crime do) the new technologies but at the same time we have to pay attention to privacy and data protection. To have this in equilibrium is not an easy task.

  Q952  Lord Harris of Haringey: Okay. Some of the evidence we have received has said that a lot of the organised criminal activity on line is emerging from Eastern Europe. Do you see there being a problem in so far as some of the newly joined Member States—Rumania, Bulgaria and so on—are concerned and do you think there is more that should be done to provide support to the authorities in those countries to deal with the problem?

  Commissioner Reding: That is exactly what Europe is for and if you see where the countries which have joined the European Union shortly were some years ago and where they are now, the difference is extraordinarily strong. We help those countries to build up law enforcement and to build up also an independent judiciary system, which is the basis of all democratic development, and the fact that they are members of the Union, they are members of a big family makes the progress here much quicker than if they were outside. We have of course a problem with those countries which are now the new neighbours and on which we do not have the same means of influence. There we can only exercise the necessary pressure in our international relations so that they understand that we understand that they are a problem in security issues. ENISA is also helping with respect to those activities to set up a computer emergency response team and to promote best practice on network security.

  Lord Harris of Haringey: Thank you, Commissioner.

  Q953  Baroness Sharp of Guildford: Commissioner, you spoke at the beginning of our discussions about the importance of being able to protect children from paedophilia and of the awareness-raising programmes that you are promoting amongst both parents and children themselves. Can I ask you whether you are taking any further action? For example, in the UK the Internet Watch Foundation has been very successful in closing down child abuse sites. Is anything analogous being proposed within the European framework?

  Commissioner Reding: Yes. We have the Safer Internet Programme which is very efficient in helping private organisations, which are the ones who fight against criminality against children. In 2007 this has been supporting the international actions which have been targeted at combating the distribution of child sexual abuse images by developing a network of international hotlines—and I just read now the 116000 telephone number for abducted children—to have a Europe-wide linked telephone number so that we can find abducted children more quickly. We are promoting co-operation between law enforcement agencies. We have helped in our research the development of technological tools for the specific needs of the police to analyse more quickly and more efficiently child abuse materials and we have been engaging with the European financial institutions so that they collaborate in a chain of distribution of evidence of child abuse. Our Keep Safe awareness network now has notes in 24 countries in Europe. We have also this year started public consultations in order to find appropriate ways all together in a shared responsibility between public and partner institutions. We will follow up with four workshops on this and I think I already told you about the memorandum of understanding by the mobile phone operators which has been signed on 6 February this year. I will have a look on 6 February next year at what has happened there. If the operators manage to set up the necessary security measures for the parents, I do not need to come in. If they do not, I will come in. I plan also to arrange the same kind of round table with the handset manufacturers to see if they can in build the security measures that parents and grandparents would like to have. I am also planning this year to promote co-operation with Russia in this sphere. I have already discussed with my Russian counterparts in order to see some action coming up on the on-line distribution of child abuse materials.

  Q954  Baroness Sharp of Guildford: Thank you very much.

  Commissioner Reding: So we are very active on this.

  Baroness Sharp of Guildford: Good, thank you.

  Q955  Chairman: Commissioner, those are all of our questions. It has been extremely useful to hear your views and your answers. Is there anything else you think we should consider before we close the session?

  Commissioner Reding: Well, Chairman, just consider that you have an open door here in Brussels and that myself or my collaborators will provide you all the answers which we can to your oral or written questions in the future. Thank you very much for the work that you are doing and I will certainly have a look at your conclusions.

  Q956  Chairman: Thank you, Commissioner. Your answers have been concise and extremely useful to us, so thank you very much indeed.

  Commissioner Reding: Thank you, goodbye.


© Parliamentary copyright 2007