Data Protection Law Compliance for Cybercrime and Cyberterrorism Research

Part of the Advanced Sciences and Technologies for Security Applications book series (ASTSA)

Abstract

Data protection is perhaps the most important area in which legal requirements determine whether and how research into cybercrime and cyberterrorism may take place. Data protection laws apply whenever personal data are processed for research purposes. Non-compliance carries legal risk, arising both from strict legal frameworks and from rules on data security and data transfer. Researchers are strongly recommended to explore the possibilities of anonymisation, as well as all obligations relating to notification and consent, since these affect the legitimacy of data processing. The presentation of findings, with their implications for research in the area of cybercrime and cyberterrorism, begins by exploring definitions of data protection and privacy. We then introduce the aspects of data protection most relevant to cybercrime and cyberterrorism research, followed by an overview of the applicable legal and regulatory frameworks. The way in which data protection interacts with other fundamental rights, namely freedom of speech, academic freedom and security, is considered in order to highlight issues that may affect researchers. Another key feature of data protection law is that its application differs between countries: member states have a degree of autonomy in this respect, which is summarised in an overview. General conclusions are drawn from the findings and implications of the research undertaken for this chapter, and key recommendations for those involved in research are presented.

Keywords

  • Data protection
  • Data transfer
  • Data security
  • Privacy
  • Anonymisation
  • Notification
  • Consent
  • Data processing

  • DOI: 10.1007/978-3-319-38930-1_5
  • Chapter length: 16 pages


Acknowledgement

The research leading to these results has received funding from the European Union Seventh Framework Programme (FP7-SEC-2013) as the COURAGE project under grant agreement no 607949.

Corresponding author

Correspondence to Alison Lyle.

Copyright information

© 2016 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Roosendaal, A., Kert, M., Lyle, A., Gasper, U. (2016). Data Protection Law Compliance for Cybercrime and Cyberterrorism Research. In: Akhgar, B., Brewster, B. (eds) Combatting Cybercrime and Cyberterrorism. Advanced Sciences and Technologies for Security Applications. Springer, Cham. https://doi.org/10.1007/978-3-319-38930-1_5

  • DOI: https://doi.org/10.1007/978-3-319-38930-1_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-38929-5

  • Online ISBN: 978-3-319-38930-1

  • eBook Packages: Law and Criminology (R0)