Tag: EU law

ICO boss calls for EU-style data protection rules post-Brexit

Plus ça change

The UK’s new information commissioner reckons that a post-Brexit Britain should adopt data protection laws similar to those of, er... the EU. Elizabeth Denham made the comments during her first speech as UK information commissioner at an event in London last week.

Denham said the EU’s General Data Protection Regulation (GDPR) directive will almost certainly come into force in the UK before Brexit is effected. Something similar will be needed to replace it even after the UK leaves the EU, she argued.

“The fact is, no matter what the future legal relationship between the UK and Europe, personal information will need to flow. It is fundamental to the digital economy,” Denham said. “In a global economy we need consistency of law and standards. The GDPR is a strong law, and once we are out of Europe, we will still need to be deemed adequate or essentially equivalent.

“Whatever data protection law we have post-Brexit, I expect to see organisations taking responsibility for their actions, no matter how quick the technological change,” she added.

The GDPR will introduce tougher breach disclosure rules and much higher fines for security screwups – of up to four per cent of a business’s annual turnover.

Denham put a positive spin on the tougher regulations, arguing that compliance ought to act as a catalyst for positive change.

“We believe that future data protection legislation, post-Brexit, should be developed on an evolutionary basis, to provide a degree of stability and clear regulatory messages for data controllers and the public,” she explained. “GDPR is an incentive to improve your practices, to sharpen things up, and encourage organisations to look at things afresh.

“Legislative change does bring nervousness, but it also brings opportunity. These changes – stronger data protection law and enforcement – are aimed at inspiring public trust and confidence,” she concluded.

Janine Regan, a data protection specialist at law firm Charles Russell Speechlys, said: “These comments from the ICO are not surprising; the digital single market is worth billions and streamlined EU data protection laws is a fundamental component of that. Brexit from data protection will mean that the UK will lose significant influence over policy, strategy and a piece of the incredibly profitable digital single market pie.

“The UK needs to mirror EU law post Brexit in order to be an effective place to offer data analytics, data centres and international data management services,” she added. ®

US sends nastygram to European Union over alleged Apple tax dodging

Apple's battle with the European Union’s competition watchdog has been backed by the US government, which on Wednesday waded into the complaint over the iPhone maker's tax arrangements.

The US treasury warned in a white paper that Brussels' ongoing investigation into Apple’s tax deal with Ireland could “create an unfortunate international tax policy precedent.” On Thursday, the European Commission responded that there was “no bias” against US companies.

After two years of investigations, antitrust chief Margrethe Vestager is expected to issue a decision on allegations of tax dodging by Apple in the autumn. The commission is considering whether the company used so-called “transfer pricing arrangements” to move profits around in order to avoid tax. Ireland is implicated in letting Apple pay a tiny amount of tax. Technically, this means that it may have benefited from illegal state aid.

“Tax rulings may involve state aid within the meaning of EU rules if they are used to provide selective advantages to a specific company or group of companies,” the commission states.

But the US treasury warned that Vestager's office was in danger of overstepping its bounds “beyond enforcement of competition and state aid law under the TFEU [Treaty on the Functioning of the EU] into that of a supra-national tax authority.”

It said it was considering “potential responses should the commission continue its present course,” adding: “a strongly preferred and mutually beneficial outcome would be a return to the system and practice of international tax cooperation that has long fostered cross-border investment between the United States and EU member states.”

Vestager has already ordered the payment of more than €20 million in back taxes from Starbucks and Fiat Chrysler over similar tax deals with the Netherlands and Luxembourg, and Ireland could be instructed to reclaim up to tens of billions of dollars from Apple.

The US government's bean counters are worried about the crackdown, however:

“There is the possibility that any repayments ordered by the commission will be considered foreign income taxes that are creditable against US taxes owed by the companies in the United States. If so, the companies’ US tax liability would be reduced. To the extent that such foreign taxes are imposed on income that should not have been attributable to the relevant member state, that outcome is deeply troubling, as it would effectively constitute a transfer of revenue to the EU from the US government and its taxpayers.”

Put another way, the US treasury appears to be saying: "we get to tax our multinationals, not the EU."

Apple CEO Tim Cook has always denied any wrongdoing.

The commission has also been pursuing a similar investigation against Amazon in Luxembourg and has warned that other cases may be on the way. “A substantial number of additional cases against US companies may lead to a growing chilling effect on US-EU cross-border investment,” the treasury hit back.

On Thursday, the commission's spokesperson, Alexander Winterstein, said that it had taken note of the white paper, before drily saying that EU state aid rules have been in place for years.

“With regard to the insinuation of bias, let me repeat what commissioner Vestager has been saying, which is that EU law and competition rules apply indiscriminately to all companies operating in Europe, whether they are big companies or small companies, whether they are companies that are European or companies from outside Europe. There is absolutely no trace of a bias here,” he added.

This post originated on Ars Technica UK

Euro cops, Intel and Kaspersky slay Shade ransomware

No More Ransom campaign kicks off

A joint operation by Europol, the Dutch National High Tech Crime Unit, Intel, and Kaspersky has seized the command and control servers for the Shade ransomware strain and published code that allows anyone hit by the malware to decrypt their files.

Shade has been in circulation since 2014, and has predominantly targeted European computer users. Once downloaded via an email attachment or unpatched browser, the malware encrypts the computer's files using a 256-bit AES (advanced encryption standard) key, and a second to encrypt the file names themselves.

The command and control servers were identified and raided by police, and Intel and Kaspersky have worked to develop tools to disable the encryption system used and allow users to take back control of their data. Many thousands of computers are thought to be infected by the ransomware.

"We, the Dutch police, cannot fight against cybercrime, and ransomware in particular, alone. This is a joint responsibility of the police, the justice department, Europol, and ICT companies, and requires a joint effort," said Wilbert Paulissen, director of the national criminal investigation division of the National Police of the Netherlands.

"This is why I am very happy about the police's collaboration with Intel Security and Kaspersky Lab. Together we will do everything in our power to disturb criminals' money-making schemes and return files to their rightful owners without the latter having to pay loads of money."

The announcement was made to kick off a new initiative between police and tech firms to fight the increasing scourge of ransomware. Dubbed the No More Ransom initiative, the participants want to focus on attacking the control systems for ransomware infections and limit the ability of criminals to extort money via malware.

"For a few years now, ransomware has become a dominant concern for EU law enforcement. It is a problem affecting citizens and business alike, computers and mobile devices, with criminals developing more sophisticated techniques to cause the highest impact on the victim's data," said Wil van Gemert, deputy director of Europol's operations department.

"Initiatives like the No More Ransom project show that linking expertise and joining forces is the way to go in the successful fight against cybercrime. We expect to help many people to recover control over their files, while raising awareness and educating the population on how to maintain their devices clean from malware."

The initiative is asking those infected by ransomware to get in contact with the police before paying any funds to the infectors. They will then work with victims to try and retrieve files and trace down the source of the infection before shutting it down.

"The biggest problem with crypto-ransomware today is that when users have precious data locked down, they readily pay criminals to get it back," said Jornt van der Wiel, security researcher at Kaspersky Lab. "That boosts the underground economy, and we are facing an increase in the number of new players and the number of attacks as a result. We can only change the situation if we coordinate our efforts to fight against ransomware. The appearance of decryption tools is just the first step on this road."

The group is now looking for other tech companies to get involved. Microsoft would be a logical choice, given Redmond's campaign against botnets, which has had some success. ®

Ransomware Advice Service To Tackle Extortion Gangs

European police agency Europol is teaming up with cybersecurity companies in an initiative aimed at slowing an "exponential" rise in ransomware. The scheme revolves around a website that connects victims and police, gives advic...

UK-led cyber crime taskforce proving its worth, says top EU cyber...

Just one month into a six-month pilot, a UK-led international cyber crime taskforce looks set to become permanent, according to Troels Oerting, head of Europol’s European Cybercrime Centre (EC3).

EC3 is hosting the Joint Cybercrime Action Taskforce (J-CAT) set up in September 2014 to co-ordinate international investigations with partners, targeting key cyber crime threats and top targets. Initiated by EC3, the EU Cybercrime Taskforce, the FBI and the National Crime Agency (NCA), the J-CAT is made up of cyber liaison officers from EU states, non-EU law enforcement partners and EC3.

Oerting said the unit, which is led by deputy director of the UK’s National Cyber Crime Unit (NCCU) Andy Archibald, is due for its first evaluation at the end of February 2015. “There are already indications it will be extended for at least another six months, but I think it is likely to become permanent as it keeps acquiring cases and we are trying to get European Union (EU) funding for it,” he said.

Operation Imperium

In just one month, the unit notched up its first success by co-ordinating Operation Imperium, which resulted in 31 arrests and 42 house searches by Spanish and Bulgarian police, supported by EC3. The raids took place mainly in Malaga, Spain and the three Bulgarian cities of Sofia, Burgas, and Silistra.

The operation was aimed at taking down an organised crime network suspected of a variety of crimes, including large-scale automated-teller-machine (ATM) skimming, electronic payment fraud and forgery of documents. Eight criminal labs, including two very complex modern production sites for skimming equipment and counterfeit documents in Sofia and Malaga, were discovered and dismantled. More than 1,000 devices – including micro-camera bars, card readers, magnetic-strip readers and writers, computers, phones and flash drives, as well as plastic cards ready to be encoded – were seized.

The cyber crime gang was using 3D printing equipment to produce fake plastic card slot bezels ready to be installed on bank ATMs and manipulated point-of-sale (POS) terminals. “This was probably the most advanced print shop I have ever seen, including 3D-printing equipment,” Oerting told Computer Weekly. Police officers also confiscated dozens of forged payment cards with records of PIN numbers, ready to be used at other ATMs.

Mobile offices set up by EC3 enabled direct access to Europol's databases for the cross-checking, analysis and exchange of intelligence in real time.

The cyber criminals were harvesting financial data from ATMs or compromised POS terminals in Italy, France, Spain, Germany and Turkey that was used to create fake payment cards. The fake cards could then be used to withdraw large amounts of cash from ATMs outside the EU, in countries like Peru and the Philippines.

The case illustrates the cross-jurisdictional nature of cyber crime that typically adds a layer of complexity for law enforcement, particularly when non-European or allied states are involved. “We are using J-CAT to highlight obstacles we encounter,” said Oerting. “Even in the EU difficulties are caused by differences between member states in what is required for law enforcement officers to acquire an internet protocol (IP) address, for example.

“In some countries a police officer can do this, while in other countries police officers have to go to a prosecutor to obtain a warrant from a judge, which can lose valuable time,” he said.

Cyber criminals operating outside the EU

The biggest challenge, however, is when cyber criminals are operating from outside the EU. “We are trying to solve this by engaging with several states outside the EU to enable joint investigations and, so far, we have been able to achieve results,” said Oerting.

“We will continue to pursue this and I hope we will be able to report the success on four test cases soon, and they will be the catalyst for more joint cases in future.”

Oerting again underlined the importance of sharing information, not only with other authorities but also with private companies. In this regard, J-CAT also has a role to play. The unit is currently working on an encryption system that is designed to facilitate the exchange of data. “J-CAT is working on encrypting data sets in such a way that they can be compared to see if there are any matches,” said Oerting.

The aim is to reduce concerns about privacy because all the data will be encrypted, and will also reduce the volume of data exchanged. “Only if there is a match between the data sets – say of an IP address or particular kind of malware linked to a case, for example – will we put in an official request for that data, which we can then use,” explained Oerting.

This means law enforcement will not have access to the full data set of collaborators, but only to specific information that relates to ongoing cases. “This is the philosophy behind the project, but it is still very much a work in progress, so it is difficult to say at this stage exactly how it will work,” Oerting said. “J-CAT will continue to work on this because we know there are private companies that would be willing to exchange cyber attack information with us on this basis,” he added.

This approach means there will be no exchanges of bulk data, nor any disclosures of personal or proprietary information that is not directly relevant to a criminal investigation. “It is a myth law enforcement agencies want to know everything about everyone – we are only interested in targeted information about criminal suspects that we can use,” said Oerting.

The system is expected to be up and running by March 2015 to facilitate a stream of highly targeted information to J-CAT to support international anti-cyber crime operations.