One of the key tools used to build trust in the online domain was the protection of fundamental rights, particularly the right to personal privacy. As stated in the EUCSS, cyber security itself can only be sound and effective if
it is based on fundamental rights and freedoms as enshrined in the Charter of Fundamental Rights of the European Union and EU core values. Reciprocally,
individuals' rights cannot be secured without safe networks and systems. Any information sharing for the purposes of cyber security, when personal data is at stake, should be compliant with EU data protection law and take full account of the individuals' rights in this field (European Commission, 2013a, p. 4).
According to Clemente (Interview, Clemente, Chatham House, 2014), the logic behind this was, if citizens are protected from online fraud and if their privacy and personal data is secure, they will be encouraged to use the internet and cyberspace for business and social transactions. This will in turn promote economic growth.
Of the 148 references to the protection of fundamental rights made in Union acquis over the course of the 28 year timescape there are 60 references to the right to privacy alone. This includes the issue being cited as one of the central principles underpinning EU cyber security policy (European Commission, 2013a, p. 4). In the early stages of policy development, privacy was a concern for users of new digital technologies. It was of such concern that a regulatory framework to ensure privacy was proposed in 1993 (European Commission, 1993, p. 24). In a rare move in this policy sector, legislation in the form of a
Directive on electronic communications networks was passed (European Parliament and
Council of the European Union, 2002a, p. 42). This demonstrated the EU’s commitment to this policy goal.
Personal privacy as a fundamental right to be protected therefore has a longstanding presence throughout the EU’s cyber security policy-making timescape. This was recognised by the EU in a 1992 reference to Article 8 of the European Convention for the
Protection of Human Rights and Fundamental Freedoms (European Commission, 1992a,
p. 7). Such protection was vital to the functioning of the information society (European Commission, 1995, p. 85, 2000b, p. 9,12). It made no difference to the protection of privacy that personal information was being stored in digital formats.
The policy goal of protecting fundamental rights extended beyond ensuring data protection and personal privacy. One of the key principles for cyber security established by the EUCSS is “access for all” (European Commission, 2013a, p. 4). Digital illiteracy or a lack of access to the internet for individuals and businesses meant that citizens may be disadvantaged in an economic sense. They would not have access to the same economic opportunities as wired individuals or businesses. In addition, the unhindered flow of information translated into an avenue for freedom of expression and the exercise of fundamental rights. The EUCSS cites the use of ICT and the internet as mouthpieces for
protesters in the Arab Spring (European Commission, 2013a, p. 2) as an example of the effectiveness of wired technology in this regard.
Just as privacy was not a new concept for the EU, neither was ensuring access to the internet and its opportunities. Between 1985 and 2013 this access was recognised as a fundamental right in and of itself. It included the right to access new technology and to gain digital literacy (Bangemann, 1994, p. 11; European Council, 2001, p. 22). According to the Council of the European Union, a lack of access should not hinder the uptake of social and economic opportunities (Council of The European Union, 1997, p. 4). What changed by the time the EUCSS was published was the explicit recognition of this right to access as a core component of cyber security policy (European Commission, 2013a, p. 16). The internet and cyberspace were considered as tools not just for commercial and economic opportunities, but for promoting social justice.
Such an ideological standpoint represents a departure by the EU from the prevailing cyber security narrative, particularly when considering government surveillance. The EUCSS explicitly warned against government misuse of cyberspace for surveillance of and control over their own citizens (European Commission, 2013a, p. 3). This caution extended into the private sector with warnings against the mass collection of data by major corporations (Reding, 2012) and the right for citizens to have data removed from online searches under the so-called “right to be forgotten” (Bennett, 2012, p. 162). The focus for EU cyber security is not just the supranational concept of the economic viability of the internal digital space. That focus takes account of the individual citizens who use that space. This is reflected in the underlying purpose of critical infrastructure protection (CIP). The importance of protecting critical infrastructures from cyber incidents is included in the EUCSS (European Commission, 2013a, p. 7,16). The purpose of that protection, however, is to ensure usability and trust for the end-user rather than using such concepts as an excuse to invade privacy with heavy-handed surveillance (Deibert, 2009, p. 327). Over time, the EU has positioned itself in the cyber discourse not just as a champion of fundamental rights and freedoms but as a check on overzealous government monitoring.
The enduring focus of the EU on privacy is shown in the excerpts cited in Table 5-4 below. As with the previous ideational elements, these excerpts are taken from specific acquis milestones published between 1985 and 2013:
Table 5-4: Linear continuity of “protection of fundamental rights” as an ideational element
1994 – Bangemann Report; 1996 - illegal
and harmful content
2001 – NIS Proposal 2006 – SSIS 2013 - EUCSS
Certain issues do not involve protection of public order, but rather the protection of the rights of individuals (protection of privacy and reputation) and of an environment allowing creation of content to flourish (intellectual property). (European Commission, 1996a, p. 10) Protection of privacy is a key policy objective in the European Union. It was recognised as a basic right under Article 8 of the European Convention on human rights. Articles 7 and 8 of the Charter of Fundamental Rights of the European Union also provide the right to respect for family and private life, home and communications and personal data. (European
Commission, 2001a, p. 24)
A breach in NIS can generate an impact that transcends the economic dimension. Indeed, there is a general concern that security problems may lead to user discouragement and lower take-up of ICT, whereas availability, reliability and security are a prerequisite for guaranteeing fundamental rights on-line. (European Commission, 2006a, p. 5)
Support the promotion and protection of fundamental rights, including access to information and freedom of expression, focusing on: a) developing new public guidelines on freedom of expression online and offline; b) monitoring the export of products or services that might be used for censorship or mass surveillance online; c)
developing measures and tools to expand Internet access, openness and resilience to address censorship or mass surveillance by
communication technology; d) empowering stakeholders to use communication
technology to promote fundamental rights. (European Commission, 2013a, p. 16)