Remarks by Commissioner Avramopoulos at the EP Plenary Debate on the Europol data breach on terrorism investigation files, Strasbourg 15/12/2016

Opening Remarks

Thank you for your invitation to this session.

Before sharing with you all information I have on this security breach, let me stress four key points:

1. It is my firm belief that we need more cooperation on security and effective data exchanges.

But I am equally clear that this presupposes a high level of data protection and state of the art data security rules.

2. This incident could not have happened today thanks to the technical security improvements that are finally in place: nobody can plug in USB drives and download data from Europol computers.

3. It neither affected the private life of European citizens nor any ongoing security investigations.

4. With you, we have adopted new rules for Europol, that will impose a different handling of the case today from 1 May 2017.

Let’s look at facts first:

This data breach is a case of human error by a former staff member, who broke Europol’s security rules.

There is no indication that the security breach by the former staff member was ill-intended.

Still, it is of course unacceptable: our data security rules should prevent human errors from happening.

The data compromised involves a limited number of Member States.

Europol received written assurances from the journalist that the data will not be disclosed and that they are stored safely as ‘journalistic evidence’ for the television programme.

I am confident, on the basis of information we were given, that Europol respected all its current security and confidentiality rules:

A security investigation was launched with the Member State of the former Europol employee, and to which the employee returned at the end of February 2016. National authorities also initiated a formal judicial investigation into the matter.

In parallel, the Member States directly affected were updated by Europol to establish any possible impact.

All Member States through the Security Committee of Europol received a classified report for their attention.

The Europol Data Protection Officer was also briefed at the early stage of the process.

It was verified that no current investigation in Member States has been jeopardised, because the breach concerns historical data which are around 10 years old.

When the case was reported in the media on 30 November, Europol provided external stakeholders with a background brief on the facts, namely:

An update to the Europol Security Committee which includes all Member States, the Europol Management Board which includes the Commission, separately the Commission, the Europol Data Protection Officer, the Joint Supervisory Body, the EU Counter-Terrorism Coordinator, the Council Secretariat and the Chairperson of the LIBE Committee.

Last week, also the future data protection oversight body of Europol – the EDPS – was briefed with a report.

Internally, staff were also updated when the incident was reported in media on 30 November – prior to that all staff received continuous security awareness briefings.

Staff members, and in particular staff working in the operational environment, are continuously trained about the expected handling of operational and sensitive information.

Staff have also been briefed about the implications of the security incident.

Another security awareness seminar for all staff is scheduled to take place this Friday.

Honourable Members,

as far as I am aware, this is the first real security breach of this kind involving Europol data since the establishment of the agency in 1999.

Member States concerned confirmed that compromised data does not jeopardise any ongoing investigation.

Only two persons accessed the data. There are no indications that data have been further shared, or the lives of private citizens affected.

A judicial investigation in relation to a potential criminal offence committed by these two people is ongoing.

Europol today is a different organisation than the one back in 2009 when the human error occurred.

Since then, Europol has introduced numerous technical measures preventing copying of data, such as prohibiting the connection of external drives I mentioned earlier.

Staff is constantly trained and informed about security requirements. The case reported in the media is not a data leak – ICT systems or the operational environment of Europol were not ‘hacked’ or intruded.

Handling security breaches is always a primary responsibility of the organisation whose data have been compromised.

That organisation, Europol, is obliged to inform the entities that provided the data, the internal data security bodies and its external data protection supervisor.

Having said that, we should learn lessons from this case and improve our handling for the future.

The Europol regulation that enters into application on 1 May 2017 lays down specific rules on handling data security breaches.

These rules set high standards on data security:

They oblige Europol to notify the personal data breaches without delay to the European Data Protection Supervisor and the competent authorities of the Member States concerned, as well as to the data provider;

They oblige Europol to inform, in certain cases, persons whose data have been breached, and

They oblige the Europol Data Protection Officer to keep a register of data breaches.

Under the new Europol Regulation, a new set of security and confidentiality rules is being established.

In light of this experience, we will look more closely whether any changes are needed there.

Finally, I would encourage Europol – in the hopefully unlikely event of a future security breach – to share proactively information with the Commission and the Joint Parliamentary Scrutiny, within the limits of the security rules.

Closing Remarks

Honourable members,

I heard your interventions carefully and I share fully your concerns.

This incident should have never happened in the Agency in charge of so much data, at the very epicentre of our counter-terrorism work.

I understand that trust may be shaken.

But let us look at facts once again: A human error, which would have been practically prevented today.

Judicial investigations have been launched.

No current investigation in Member States has been jeopardised.

The lives of private citizens were not affected.

Security procedures have been updated, and will be further strengthened with the new Europol Regulation from 1 May.

Data protection supervision is also being stepped up. The professionalism of the staff is ensured by continuous training to prevent such incidents from re-occurring.

Let us be clear: Europol is a very different organisation today, from 2009 when this incident happened.

As I said in my opening remarks, enhanced security goes hand in hand with enhanced data protection and security rules.

Mr Diaz De Mera put it very correctly – this was an unfortunate, but isolated incident. It cannot happen again.

Mr Albrecht is also absolutely right, data protection and data security standards should be stepped up.

Mrs IntVeld, the systems of Europol were not hacked or intruded. There was a human error with an external hard drive.

This cannot happen again now. Europol has informed us that ongoing investigations have not been compromised.

And Member States concerned have confirmed that. Europol informed us and you, and all the other concerned parties, after the press reports.

In its current rules, we are external parties.

In the future, with the new Europol Regulation, YOU will scrutinise Europol’s activities through the Joint Parliamentary Scrutiny Group.

This Group will be briefed about key Europol operational aspects.

And we will examine whether Europol should as a general obligation inform Commission and the Parliamentary Group on security breaches, in order to allow them to exercise their oversight responsibilities.

Let us draw the lessons from this experience, and make sure that the margin for human errors of this type disappears.

Dimitris Avramopoulos