Security and privacy are not mutually exclusive, says Europe’s privacy watchdog – and people should stop saying they are.
The European Data Protection Supervisor (EDPS), Giovanni Buttarelli, told a Brussels conference he was concerned that “the objective of cyber-security may be misused to justify measures which weaken protection of [data protection] rights.”
“Cyber-security must not become an excuse for disproportionate processing of personal data. Let’s not forget that when the European Court of Justice (ECJ) last year found the Data Retention Directive to be invalid, one of the reasons was concern about the inadequacy of the data security provisions in the directive,” he continued.
Although some commentators interpreted the ECJ ruling to mean that data must be stored within national borders, Buttarelli disagreed.
“Physical location is not the determining factor in security. Rather, it is degree of control, accountability and responsibility which data controllers demonstrate when processing personal information. They must take full responsibility for all the measures they implement, regardless of the technology they use. Responsibility must not vanish in the clouds,” said the newly appointed EDPS.
Negotiations on a new Data Protection Regulation are currently underway and Buttarelli says that accountability should not be sacrificed in the inevitable compromise.
“One tool for reinforcing accountability is the introduction of a general data breach notification obligation, which will force controllers to take the necessary organisational and procedural measures,” he said, pinning his colours to at least one legislative mast.