Data Protection and the Prevention of Cybercrime: The EU as an area of security?

Abstract

Cybercrime and cyber-security are attracting increasing attention, both for the relevance of Critical Information Infrastructure to the national economy and security, and the interplay of the policies tackling them with ‘ICT sensitive’ liberties, such as privacy and data protection. This study addresses the subject in two ways. On the one hand, it aims to cast light on the (legal substantive) nature of, and relationship between, cybercrime and cyber security, which are currently ‘terms of hype’ (and therefore it is descriptive). On the other, it explores the possibility of reconciling data protection and privacy with the prevention of cybercrime and the pursuit of a cyber-security policy (and therefore it explores causation). As such, the subject falls in the ‘security vs. privacy’ debate, and wishes in particular to investigate whether it is possible to build ‘human rights by design’ security policies, i.e. a security policy that reconciles both security and human rights. My argument hinges on a clarification of the term ‘cybercrime’ (and cyber-security), both by building on the literature – which recognises the mix of traditional crimes committed by electronic means (broad cybercrime or off-line crimes), and novel crimes possible only in the online environment (narrow cybercrime or online crimes) –and on original interpretations as far as the relationship between cybercrime and cyber-security is concerned. I argue that narrow (or online) crimes and broad (or off-line) crimes are profoundly different in terms of underlying logics while facing the same procedural challenges, and that only narrow cybercrime pertains to cyber-security, understood as a policy. Yet, the current policy debate is focussing too much on broad cybercrimes, thus biasing the debate over the best means to tackle ICT-based crimes and challenging the liberties involved. I then claim that the implementation of data protection principles in a cyber-security policy can act as a proxy to reduce cyber threats, and in particular (narrow) cybercrime, provided that the following caveats are respected: i) we privilege a technical computer security notion; ii) we update the data protection legislation (in particular the understanding of personal data); and iii) we adopt a coreperiphery approach to human rights. The study focuses on the European Union. The interaction between privacy and data protection and other liberties involved, as well as purely procedural issues, are outside of the scope of this research.