by Joana Whyte, Editorial Team
“Technology … is a queer thing. It brings you great gifts with one hand, and it stabs you in the back with the other[i]”
Today’s society has become increasingly dependent on computer systems and the use of the Internet, making cybercrime an ever more pressing threat to the European Union (EU) and its Member States, being by nature a transnational type of crime, its complexity of its combat is undeniable. Nowadays we are all dependent on the internet and this dependency has made us vulnerable to the threat of cybercrime. There are several examples of this reality, the use of the email address as a preferential means of exchanging mail for personal or professional correspondence, store information in the cloud, publish personal and professional information on social networks, make payments or bank transfers, book trips or hotels and so on. If this dependence is accurate when speaking of our everyday lives, the same applies to the State and the European Institutions. They too have surrendered to the overwhelming power of the internet. For instance, our judicial system is totally dependent on computers and the internet.
Attacks on large-scale information systems are usually linked to organized crime groups making the threat more imminent. Based on this scenario, the adoption of standards at European level is essential. Ensuring the security of information systems is crucial in order to achieve a more secure information society and a genuine area of security, freedom and justice, which is fundamental to the development of the internal market and a competitive European economy.
The 2016 Internet Organised Crime Threat Assessment (IOCTA)[i] revealed that cybercrime is increasing in intensity, complexity and magnitude. Cybercrime exceeds traditional crime in some EU countries, it extends to other areas of crime, such as human trafficking, the use of encryption and anonymisation tools for criminal purposes is increasing and ransomware attacks outnumber traditional malware threats such as trojans.
It is alarmingly stated in the European Parliament resolution of 3 October 2017 on the fight against cybercrime (2017/2068(INI)) that there was an increase of 20% in the attacks on the Commission’s servers in 2016 compared to 2015[ii].
Regarding cybercrime the EU has already adopted measures in order to firmly combat it at European level: the European Cybercrime Centre (EC3) within Europol – a unit focused on various types of cybercrime; Directive 2011/92/EU on combating sexual abuse and sexual exploitation of children and child pornography; and Directive 2013/40/EU on attacks against information systems.
Recently, and in the aftermath of Panama Papers, Football Leaks and other infamous cases, the European Parliament has gone one step further by negotiating a Proposal for a Directive of the European Parliament and of the Council on the protection of persons reporting on breaches of Union law, also referred to as the “Whistleblowers” Directive.
The Proposal is divided into V Chapters:
- Chapter I (Articles 1 to 3) defines the scope of the Directive and sets out the definitions. Article 1 states that the new rules cover several areas of EU law, namely: combating money laundering, business taxation, data protection, protection of the EU’s financial interests, food and feed safety, animal health and welfare, public health, consumer protection, environmental protection and nuclear safety. EU countries can extend these standards to other areas and are encouraged to create a comprehensive framework for the protection of whistleblowers at a national level.
Article 2 defines the personal scope of application, it establishes that the Proposal applies to whistleblowers who, working in the public or private sectors, have obtained information on infractions in a professional context – workers, shareholders and persons belonging to the management body of an undertaking; any persons working under the supervision and direction of contractors, subcontractors and suppliers; persons whose work-based relationship is yet to begin in cases where information concerning a breach has been acquired during the recruitment process or other pre-contractual negotiation.
Article 3 advances the definition of whistleblower as the “individual or collective person who communicates or discloses information on infractions obtained in the professional context”.
- Chapter II (Articles 4 and 5) provides for an obligation for Member States to ensure that public and private sector legal entities establish appropriate internal communication channels and procedures for receiving and following up on communications. This obligation is intended to ensure that information on actual or potential breaches of EU law rapidly reach those closest to the source of the problem, who are in better conditions to investigate and have the power to solve the issue.
- Chapter III (Articles 6 to 12) obliges Member States to ensure that competent authorities have secure channels and external communication procedures to receive and follow-up on communications and sets the minimum standards applicable to such communications.
According to the Proposal, whistleblowers are encouraged to give the alert first internally whenever the violation in question can be effectively resolved within the organization and there is no risk of retaliation. They may also inform the competent authorities directly in the manner they deem appropriate, taking into account the circumstances of the case. If appropriate measures are not taken after the authorities have been warned or in case of imminent or manifest danger to the public interest, or if the complaint to the authorities is not effective, in particular because they are in connection with the perpetrator, the complainant may publicly disclose, including through the media.
- Chapter IV (Articles 13 to 18) lays down minimum standards for the protection of persons reporting irregularities and persons targeted in communications. Prevention of reprisals and effective protection: the new rules will protect the alert against dismissal, relegation or other forms of retaliation. They will also require the national authorities to inform citizens about the procedures in place to alert to irregularities as well as the protection provided. The alert will also be protected in legal proceedings.
- Chapter V (Articles 19 to 22) sets out the final provisions. Article 19 leaves under Member-States discretion the possibility of establishing a more favourable treatment “Member States may introduce or retain provisions more favourable to the rights of the reporting persons than those set out in this Directive, without prejudice to Article 16 and Article 17(2)”.
It is our understanding that this Proposal is insufficient.
First of all, it is of paramount importance to make clear that the personal scope of application of the Proposal only applies to “reporting persons working in the private or public sector who acquired information on breaches in a work-related context including”, which means that hackers (people who have illegally accessed the information) are excluded. Regarding the criminalization of hacking conducts, it is important to point out that Directive 2013/40/UE on attacks against information systems already establishes the crimes of illegal access to information systems, illegal system interference and illegal interception.
The Proposal does provide for an obligation for Member States to ensure that public and private sector entities establish appropriate internal communication channels and procedures for receiving and following up on communications. However, it is our understanding that external reporting should be mandatorily communicated to a supra national institution, for instance, the European Public Prosecutor’s Office (EPPO) in order to ensure the transparency and efficiency of the procedure.
Furthermore, we believe that proper protection should be granted to whistleblowers and their families. The Proposal limits itself to oblige Member States to grant protection against retaliation – e.g. suspension, lay-off, dismissal or equivalent measures; demotion or withholding of promotion; transfer of duties, change of location of place of work, reduction in wages, change in working hours; imposition or administering of any discipline, reprimand or other penalty, including a financial penalty; coercion, intimidation, harassment or ostracism at the workplace; discrimination, disadvantage or unfair treatment; damage, including to the person’s reputation, or financial loss, including loss of business and loss of income. We believe that these situations were already protected by labour law rules, courts and authorities. The Proposal fails to grant protection to whistleblowers and their families from more serious types of intimidation outside the workplace.
As we said before, this Proposal comes in the aftermath of WikiLeaks, Panama Papers, Football Leaks and other infamous cases. In our opinion the Proposal is insufficient. Such cases should be dealt at a European level, with guaranteed enhanced cooperation between Member States Authorities and offenders. In order to avoid exile, as happened to Rui Pinto who fled to Hungary and Julian Assange who lived in the Ecuadorian Embassy in London for seven long years, authorities should be focused on how we can get hackers to cooperate. Furthermore, we must bear in mind that one of the threats of cybercrime is the fact that perpetrators are always one step ahead from Authorities, being very difficult for the latter to keep pace.
We propose the creation of a system similar to the Leniency Programme of the European Commission in competition matters. Put simply, the Leniency programme (2006 Notice on immunity from fines and reduction of fines in cartel cases) allows full or partial reduction of fines applied to undertakings which cooperate with antitrust authorities in cartel investigations. The Leniency Programme allows the full or partial reduction of fines to undertakings which terminate their participation in the infringement of competition, who fully and continuously cooperate and provide information and evidence.
We propose a regime similar to leniency but yet different respecting the paramount principles of criminal law and exclusively applicable to cases similar to the ones which have been mentioned above, where cyber criminality is involved, awarding perpetrators who fully collaborate with the Authorities with a special regime granting certain warranties. Regarding offenders this regime would offer: the possibility of a reduction of the sentence (not immunity); effective protection of offenders and their families when necessary; and, a programme of social reintegration after serving the sentence. In the side of police and judicial cooperation the regime would establish the principles and rules for the cooperation between offenders and Member States police and judicial authorities in these very specific cases.
In order to effectively tackle crime within the EU it is of paramount importance that all Member States cooperate and opportunities to detect certain illegal activities are in fact seized.
[i] Available at https://www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-assessment-iocta-2016
[ii] JO 2018/C 346/04 European Parliament resolution of 3 October 2017 on the fight against cybercrime (2017/2068(INI)).
[i] C.P.Snow, Scinetist and Novelist, New York Times, 1971.
Pictures credits: Londres, reunión con Julian Assange by Ricardo Patiño.