
Security and Law: Legal and Ethical Aspects of Public Security, Cyber Security and Critical Infrastructure Security

383 pages · 2020 · 11.825 MB · English

SECURITY AND LAW
Legal and Ethical Aspects of Public Security, Cyber Security and Critical Infrastructure Security

Anton Vedder, Jessica Schroers, Charlotte Ducuing and Peggy Valcke (eds.)

Cambridge – Antwerp – Chicago

Intersentia Ltd
Sheraton House | Castle Park
Cambridge | CB3 0AX | United Kingdom
Tel.: +44 1223 370 170 | Fax: +44 1223 370 169
Email: [email protected]
www.intersentia.com | www.intersentia.co.uk

Distribution for the UK and Ireland:
NBN International
Airport Business Centre, 10 Thornbury Road
Plymouth, PL6 7PP
United Kingdom
Tel.: +44 1752 202 301 | Fax: +44 1752 202 331
Email: [email protected]

Distribution for Europe and all other countries:
Intersentia Publishing nv
Groenstraat 31
2640 Mortsel
Belgium
Tel.: +32 3 680 15 50 | Fax: +32 3 658 71 21
Email: [email protected]

Distribution for the USA and Canada:
Independent Publishers Group
Order Department
814 North Franklin Street
Chicago, IL 60610
USA
Tel.: +1 800 888 4741 (toll free) | Fax: +1 312 337 5985
Email: [email protected]

Security and Law. Legal and Ethical Aspects of Public Security, Cyber Security and Critical Infrastructure Security
© Anton Vedder, Jessica Schroers, Charlotte Ducuing and Peggy Valcke (eds.) 2019

First published in hardcover in 2019, ISBN 978-1-78068-889-3
PDF edition, 2019

The editors have asserted the right under the Copyright, Designs and Patents Act 1988, to be identified as editors of this work.

No part of this book may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, without prior written permission from Intersentia, or as expressly permitted by law or under the terms agreed with the appropriate reprographic rights organisation. Enquiries concerning reproduction which may not be covered by the above should be addressed to Intersentia at the address above.

Cover image: Thatsaphon Saengnarongrat / Alamy Stock Photo

ISBN 978-1-78068-890-9
NUR 827

British Library Cataloguing in Publication Data. A catalogue record for this book is available from the British Library.

CONTENTS

List of Contributors (p. xiii)

Chapter 1. Introduction: Security and Law in a Digitizing World
Charlotte Ducuing, Jessica Schroers and Anton Vedder (p. 1)

Chapter 2. Safety, Security and Ethics
Anton Vedder (p. 11)
1. Introduction (p. 11)
2. Definitions and distinctions (p. 11)
3. Security and safety as values in ethics and normative political theory (p. 15)
4. Security and safety in conflict (p. 19)
5. Conclusion (p. 21)
Acknowledgement (p. 23)
Bibliography (p. 23)

Chapter 3. National and Public Security within and beyond the Police Directive
Plixavra Vogiatzoglou and Stefano Fantin (p. 27)
1. Introduction (p. 27)
2. The scope of the Data Protection Law Enforcement Directive (p. 29)
3. Security in international law (p. 32)
3.1. Theoretical bases from philosophy of law (p. 32)
3.2. International law (p. 34)
3.3. Council of Europe (p. 36)
4. Security in European Union law (p. 39)
4.1. EU treaties (p. 39)
4.2. Jurisprudence on security as derogation (p. 41)
4.3. EU policy (p. 42)
4.4. Security and personal data in secondary EU law (p. 44)
4.5. EU Member States (p. 47)
5. Competent authorities under the DPLE Directive (p. 48)
5.1. General guidance (p. 48)
5.2. National implementation (p. 51)
United Kingdom (p. 51)
Republic of Ireland (p. 52)
Italy (p. 53)
Belgium (p. 55)
France (p. 56)
Germany (p. 56)
6. Conclusions (p. 57)
Acknowledgement (p. 59)
Bibliography (p. 59)

Chapter 4. Criminal Profiling and Non-Discrimination: On Firm Grounds for the Digital Era?
Laurens Naudts (p. 63)
1. Introduction (p. 63)
2. Criminal and algorithmic profiling (p. 65)
3. The Law Enforcement Directive: special categories of data as non-discrimination grounds (p. 67)
4. Equality and non-discrimination in the European Convention of Human Rights (p. 73)
4.1. Discrimination grounds and the European Court of Human Rights' case law (p. 75)
4.2. Ground or status: a divergent approach by the ECtHR (p. 76)
4.3. Recent illustrations: settling on the past? (p. 79)
4.4. Big data profiling: new grounds? (p. 80)
4.5. Differential treatment: reasonable and objective justification (p. 84)
4.6. Ethnic profiling: an example? (p. 88)
5. Future research (p. 90)
6. Conclusion (p. 92)
Bibliography (p. 94)

Chapter 5. Operationalization of Information Security through Compliance with Directive 2016/680 in Law Enforcement Technology and Practice
Thomas Marquenie and Katherine Quezada (p. 97)
1. Introduction (p. 97)
2. Principles of information security (p. 98)
2.1. Confidentiality (p. 100)
2.2. Integrity (p. 101)
2.3. Availability (p. 102)
3. Information security in data protection for law enforcement (p. 103)
3.1. The EU legal framework on cybersecurity and data protection (p. 104)
3.2. Data protection principles (p. 108)
3.3. Data processing obligations (p. 110)
3.4. Data protection impact assessment (p. 112)
3.5. Reporting of data breaches and supervisory oversight (p. 113)
3.6. Representation of IS requirements in the DPLE (p. 114)
3.7. The scope and purpose of information security and data protection (p. 115)
4. Operationalization of security in law enforcement (p. 119)
5. Conclusion (p. 122)
Acknowledgement (p. 124)
Bibliography (p. 124)

Chapter 6. Protecting Human Rights through a Global Encryption Provision
Danaja Fabčič Povše (p. 129)
1. Introduction (p. 129)
2. Encryption, (cyber)security and human rights (p. 131)
3. Fragmented provisions in international human rights law (p. 137)
3.1. General human rights framework (p. 137)
3.2. Security measures and standards in data protection laws (p. 140)
3.2.1. European Union (EU) (p. 140)
3.2.2. Convention no. 108 of the Council of Europe (p. 143)
3.2.3. Economic Community of West African States (ECOWAS) (p. 144)
3.2.4. Asia-Pacific Economic Cooperation (APEC) (p. 144)
3.3. Recommendations of expert bodies (p. 145)
3.4. Other upcoming initiatives by regional organisations (p. 148)
4. Enabling global encryption obligations in the absence of specific treaty provisions (p. 149)
4.1. Option 1 – a global treaty with encryption requirements (p. 149)
4.2. Option 2a – globalisation by means of accession (p. 151)
4.3. Option 2b – globalisation by GDPR's 'adequate protection' standard (p. 151)
4.4. Option 3 – maintain the status quo (p. 153)
5. Conclusion (p. 153)
Acknowledgement (p. 154)
Bibliography (p. 154)

Chapter 7. Identity Management and Security
Jessica Schroers (p. 161)
1. Introduction (p. 161)
2. What is identity management? (p. 162)
2.1. Attributes (p. 162)
2.2. Credentials (p. 163)
2.3. PKI (p. 163)
2.4. Identity management systems (p. 164)
2.5. Levels of Assurance (LoA) (p. 166)
3. Examples of different systems (p. 167)
4. Security obligations for users (p. 171)
4.1. Exclusive control (p. 171)
4.2. Notification obligation (p. 173)
4.3. No longer using electronic identification means in case of withdrawal/revocation (p. 173)
4.4. Secure environment (p. 174)
5. Can and should users be responsible? (p. 175)
6. Some aspects to take into account (p. 177)
7. Conclusion (p. 179)
Bibliography (p. 180)

Chapter 8. Towards an Obligation to Secure Connected and Automated Vehicles "by Design"?
Charlotte Ducuing (p. 183)
1. Introduction (p. 183)
2. Technological developments in CAM (p. 186)
2.1. Increased connectivity of vehicles (p. 186)
2.2. Driving automation, towards vehicle autonomy (p. 188)
3. Overview of vehicle technical regulations and type-approval legislation (p. 190)
3.1. EU type-approval process legislation in a nutshell (p. 190)
3.2. The proposal for a General Safety Regulation: cybersecurity as part of safety requirements (p. 192)
3.3. The UNECE mandate to develop vehicle technical regulations (p. 193)
4. Legal analysis of the proposed recommendations of UNECE on cybersecurity (p. 194)
4.1. An extensive interpretation of 'the CAM vehicle' in space (p. 194)
4.2. Extending the scope of vehicle technical regulations to the whole lifecycle of vehicles (p. 196)
4.3. Extension of the scope of technical regulation to the manufacturer's organization (p. 198)
5. Is type-approval legislation fit for the purpose of securing CAM vehicles? (p. 200)
5.1. Where technical regulation calls for further regulation of the manufacturer (p. 201)
5.2. A limit of type-approval legislation: the integration of the CAM vehicle in its spatial environment (p. 204)
6. Implications of the analysis beyond type-approval legislation (p. 207)
6.1. The extension of the role as manufacturer… or an emerging role as fleet operator? (p. 208)
6.2. Consequences for liability (p. 209)
7. Conclusion (p. 211)
Bibliography (p. 211)

Chapter 9. The Cybersecurity Requirements for Operators of Essential Services under the NIS Directive – An Analysis of Potential Liability Issues from an EU, German and UK Perspective
Daniela Brešić (p. 215)
1. Introduction (p. 215)
2. The scope of CI protection on an EU and national level (p. 217)
2.1. The EU regulatory framework of CI protection compared to the scope of the NIS Directive (p. 217)
2.2. The scope of CI protection from the German perspective (p. 220)
2.3. The scope of CI protection from the UK perspective (p. 221)
3. The security requirements and incident notification for operators of essential services from an EU and national perspective (p. 223)
3.1. The security requirements and incident notification set out by the NIS Directive, Articles 14 and 15 (p. 223)
3.2. The security requirements set out by the German BSI Act, sections 8, 8a and 8b BSI Act (p. 224)
3.3. The security requirements set out by the UK NIS Regulation, sections 10 and 11 (p. 226)
4. Deliberations on liability issues from an EU and national perspective (p. 228)
4.1. The uncertain meaning of Article 14 NIS Directive (p. 228)
4.2. The national implementation of Article 14 NIS Directive from a UK and German perspective (p. 230)
4.3. The problem of fault / the burden of proof (p. 233)
4.4. State liability in the context of CI (p. 234)
5. Conclusion (p. 235)
Bibliography (p. 237)

Chapter 10. The 'by Design' Turn in EU Cybersecurity Law: Emergence, Challenges and Ways Forward
Domenico Orlando and Pierre Dewitte (p. 239)
1. Introduction (p. 239)
2. Decoding 'security by design': a tale of 'security' and 'design' (p. 239)