Thursday 1 January 1970

Landing Page - Regulation for the Free Flow of Non-Personal Data


This is not a blogpost, which is why it appears to be published on Unix Epoch.

Here are my occasionally-updated notes on the Regulation for the Free Flow of Non-Personal Data and the other legislation in the growing family. Why keep private notes when all the world can keep them backed up for me?

Final Text is in Force November 2018: The text (all languages) is here.

Announcement in October 2018: I'm going to quote this in full because I admire the crazy headline writing :-) Free flow of non-personal data: Parliament approves EU's fifth freedom. I do think the other four freedoms are at the moment quite a lot more important. Maybe they won't be one day soon, and that will be interesting.


Landing Page - EU Cybersecurity Act

This is not a blogpost, which is why it appears to be published on Unix Epoch.

Here are my occasionally-updated notes on the EU Cybersecurity Act and the other legislation in the growing family. Why keep private notes when all the world can keep them backed up for me?

November 2018 - all finished. This is the Commission's announcement and explanations with links to all files and other handy places.

Final Text English: This is actually the 2017 text unchanged, but the big deal is that all 28 (yes, including the UK) states came to agreement not just on the text, but on all the things that the text calls for in each member state. Each state has a lot of work to do but there appears to be a lot of willingness.

Really Not Boring: Ok yes it is boring. But the impact really isn't. All member states have committed to implementing the security and privacy aspects of the other legislation in a uniform way. This really matters when it comes to mandatory notification of security breaches, and holding the major providers of infrastructure to a much higher standard - even if they no longer have water pipes, copper wires or radio masts.

Landing Page - European Electronic Communications Code

This is not a blogpost, which is why it appears to be published on Unix Epoch.

Here are my occasionally-updated notes on the European Electronic Communications Code and the other legislation in the growing family. Why keep private notes when all the world can keep them backed up for me?

What Is It? This is about protecting human-to-human conversation with old-fashioned telcos and radio spectrum and the rollout of super-fast wireless broadband. And also... making sure a very large number of internet apps don't get cracked.

The 2016 Draft Text English was approved with lots of scrutiny, but the noise of the GDPR seems to have made it into a stealth law. That doesn't really matter, because the companies most affected were involved, except that smaller internet-age communications suppliers are likely in for a surprise.

Final November 2018 Text English is a consolidation of many updates and corrections, but all the substantive changes were to do with telecommunications operators, wireless spectrum and so on. The bits that affect privacy and other rights around TCP/IP remained more or less as they were.

Landing Page - ePrivacy Regulation

This is not a blogpost, which is why it appears to be published on Unix Epoch.

Here are my occasionally-updated notes on the ePrivacy Regulation and the other legislation in the growing family. Why keep private notes when all the world can keep them backed up for me?

January 2017 French Text: Only available in PDF.

September 2018 English Text: Only available in PDF. I have seen extracts in French but I don't know where the entire version is.

PREMATURE VICTORY CELEBRATION, End-to-End Encryption is in: I have tracked down the different versions presented for Trilogue, which as of January 2019 has not yet finished due to arguments/lobbying from the online marketing people. ePrivacy appears to include EU Parliament LIBE Committee amendments from October 2017, including Article 26(a): "In order to safeguard the security and integrity of networks and services, the use of end-to-end encryption should be promoted and, where necessary, be mandatory. Member States should not impose... backdoors". Like all end-to-end solutions it will upset government spy agencies or any other party that might want to falsify the record through government-imposed backdoors, because such backdoors cannot work according to mathematics. I am astonished and delighted that this remains in the very late-stage text.

Landing Page - NIS Directive

This is not a blogpost, which is why it appears to be published on Unix Epoch.

Here are my occasionally-updated notes on the NIS Directive and the other legislation in the growing family. Why keep private notes when all the world can keep them backed up for me?

What Is It? This is about attacks on the computers in key infrastructure such as water and energy. And... a very large number of internet apps.


Legal text of the NIS Directive, all languages.

EU general information on the NIS Directive.

This is a small piece of legislation and is mostly aimed at harmonising standards and getting national security bodies up to speed. However, it also has some legal detail on precisely who these standards apply to (on a per-country basis), on the mandatory nature of security responses, on whether the obligation concerns vulnerabilities or actual incidents, and, if incidents, how big an incident is expected to be before it must be reported.

Landing Page - GDPR

This is not a blogpost, which is why it appears to be published on Unix Epoch.

Here are my occasionally-updated notes on the GDPR and the other legislation in the growing family. Why keep private notes when all the world can keep them backed up for me?


Official English text of the legislation, French Text

The most important thing about all of this is that neither a pure lawyer nor a pure technologist has the knowledge alone to be a GDPR specialist. Nor even a lawyer+technologist, because in addition there need to be skills in the fields of privacy and computer science.

My Analysis of Automation of GDPR Article 28 Contracts. These mandatory contracts are surprising at first; in fact I didn't understand their significance for a long time. But they are detailed, mandatory and must be implemented.

French text as adopted into French law: for now this is a messy set of patches to existing French privacy law that will be replaced with a single piece of legislation "as soon as possible". The GDPR text from the EU is required reading, because for some time the French law will be this unreadable patch set.

Practical tricks to reduce the problem space in companies include creating internal search engines that index absolutely everything, and scrutinising documents on every File/Open and File/Save.

Penalties in France: The French recourse is potentially much tougher than in some other countries because groups representing individuals can bring a case and be awarded damages. (That was not how the January 2019 Google fines arose, that was the CNIL giving a straightforward penalty.)

CNIL: Compared to the UK and some other countries, the CNIL is less central so that Data Protection Officers have even more responsibility than they do in the UK.

English is Insufficient: I read this question about GDPR unstructured data as part of my own investigations on the topic, and found it confusing. It seemed quite plausible, because Recital 15 in English can feasibly be interpreted to say that unstructured filing systems are exempt. However, the German and Dutch and (to my mind to a lesser extent) the French texts make it clear that this can only be physical files.