D7.4 – Legal Implementation Report
Establish Pan-European Information Space to Enhance seCurity of Citizens

D7.4 – Legal implementation report

Grant agreement number: 607078
Date of deliverable: 30.09.2017
Date of project start: 2014-06-01
Date of submission: 28.08.2017
Duration of project: 2017-10-01
Deliverable approved by: Marie-Christine Bonnamour (PSCE), Fiona Fletcher (TCCA)
Lead Beneficiary: KU Leuven (Kristof Huysmans and Els Kindt)
Contributing Beneficiaries: Frequentis

2017_09_01 EPISECC_WP7_D7.4 _ Legal implementation Report 67 | 1

Executive Summary

The underlying objective of the D7.4 Legal implementation report is to provide recommendations to remedy potential legal, regulatory or policy related barriers to the evolution towards a European harmonized information space. This deliverable aims at providing recommendations to remedy these potential barriers.

The first chapter introduces the objectives of the EPISECC project and outlines the structure of this deliverable.

The second chapter of the report will reflect on the relationship between the EPISECC CIS and the objectives pursued by the European Civil Protection Mechanism (ECPM). This chapter concludes by suggesting that it would be advisable to create a legal basis in the ECPM-decision that foresees the creation of a Pan-European mechanism to which national Member States can connect to exchange common operational pictures within the context of the ECPM-triggering mechanism to ensure that the resources that will be mobilized will effectively respond to the needs on the terrain.

The third chapter will illustrate how ethical, legal and social issues (ELSI) have been integrated in the EPISECC project. This chapter is split into three different subsections. First, it discusses the ELSI initiative undertaken by EPISECC in collaboration with SECTOR and SecInCoRe resulting in the website www.isITethical.eu.
Secondly, it deals with procedures taking place within the deployment of the research project itself that ensured adherence to the required legal and ethical standards. Thirdly, the chapter comprises a substantive legal analysis that identifies the complex network of legal norms that should be taken into account throughout the development of the CIS-technology.

The fourth and final chapter will summarize the recommendations drawn from the analysis in the previous chapters on how to amend the existing legal framework. It concludes that systems relying on a similar architecture as the EPISECC CIS architecture that envisage a pan-European deployment face a considerable number of regulatory hurdles. The common root of these problems relates to a lack of substantial harmonization of the applicable legislation. Further harmonization and guidance are required in the domains of data protection, intellectual property and liability to provide legal certainty for the implementation of CIS on a pan-European scale.

Table of Contents

1. Introduction
1.1. Context of the EPISECC project
1.2. Objective of the deliverable
1.3. Structure of the document
2. European Civil Protection Mechanism
2.1. Development of the ECPM
2.2. Functioning of the ECPM and its importance for CIS
2.3. Evaluation of the ECPM
3. Embedding ELSI in EPISECC
3.1. ELSI initiative
3.2. ELSI implementation in EPISECC project
3.2.1. EPISECC Inventory
3.2.2. EPISECC Proof of Concept
3.3. ELSI implementation in EPISECC CIS
3.3.1. Data Protection
3.3.1.1. Identifying actors
3.3.1.2. Lawful processing
3.3.1.3. Trans-border data flows
3.3.1.4. Security requirements: implementation
3.3.2. Liability
3.3.2.1. Decentralised CIS-architecture and CIS exploitation model
3.3.2.2. Product liability
3.3.2.3. Intermediary liability
3.3.2.3.1. Mere Conduit
3.3.2.3.2. Hosting
3.3.2.4. Data controller liability
3.3.3. Trust
3.3.4. Intellectual property rights
3.3.4.1. Use of open source components
3.3.4.2. Viral effect of the AGPL
3.3.4.3. Nuancing the impact of the AGPL terms
4. Recommendations
Annex I – Informed consent form for the EPISECC proof of concept
Annex II – Data controller-processor agreement for the EPISECC proof of concept

List of Tables

Table 1. Compliance with GDPR Security requirements
Table 2. Responsibility distribution for GDPR security implementation
Table 3. Summary of the legal obstacles to the establishment of a CIS

List of Acronyms

Abbreviation: Description
CGOR: Communication Group Online Room
CIS: Common Information Space
DOW: Description of work
EPISECC: Establish a Pan-European Information Space to Enhance seCurity of Citizens
GDPR: General Data Protection Regulation
ICT: Internet Communication Technology
NGO: Non-governmental organization
PPDR: Public protection and disaster relief
ECPM: European Civil Protection Mechanism
ELSI: Ethical, Legal and Social Issues

Imprint

This document constitutes a formal deliverable D7.4 which evaluates the legal framework governing information sharing in public protection and disaster relief. Use of any knowledge, information or data contained in this document shall be at the user’s sole risk. Neither the EPISECC Consortium nor any of its members, their officers, employees, or agents shall be liable or responsible, in negligence or otherwise, for any loss, damage or expense whatever sustained by any person as a result of the use, in any manner or form, of any knowledge, information or data contained in this document, or due to any inaccuracy, omission or error therein contained. This document contains information that is protected by copyright. © EPISECC Consortium 2014-2017

1. Introduction

1.1. Context of the EPISECC project

The overarching aim of the EC-funded project, titled “Establish Pan-European information space to Enhance seCurity of Citizens” (hereinafter “EPISECC”), grant no. 607078, is to establish a pan-European information space to enhance security of citizens (hereinafter “pan-European information space” or “common information space (CIS)”). The pan-European information space should improve data management practices and deployment of the European Union Mechanism for Civil Protection (hereinafter