regional news IN BRIEF
1. Twitter bans Kaspersky Lab from advertising
Twitter has banned Moscow-based tech security giant Kaspersky Lab from advertising on its platform, stating that Kaspersky “operate with a business model that inherently conflicts with acceptable Twitter Ads business practices”. Twitter cited a Homeland Security notice that warned that the U.S. was concerned about ties between “certain Kaspersky officials and Russian intelligence and other government agencies”. They also referenced a Russian law that allows Russian intelligence agencies to demand assistance from Kaspersky, and to intercept communications transiting Russian networks. Whilst the accusations levelled at this company by U.S. intelligence officials remain classified, Kaspersky have since announced their intention to establish “transparency centers” across Europe and North America by 2020. It remains to be seen if, in a period of extreme cyber geopolitical tension between Russia and the West, Kaspersky are simply collateral damage in a cyber-war or a serious threat to U.S. national security.
2. Slovakia – Prime minister resigns following journalist assassination
In February, Ján Kuciak, a 27-year-old journalist who had been investigating the then Slovak prime minister Robert Fico’s finances, high-level government corruption in Slovakia and links to Italian criminal organisations, was killed with his fiancée in their home. Following the assassination, tens of thousands of Slovaks gathered to protest in Bratislava, leading President Andrej Kiska to call for a radical shake-up of the government, or for new elections. Fico, a controversial figure whose tenure was marked by frequent corruption allegations, and who was often accused of pandering to Slovak and Russian oligarchs and maintaining associations with Italian organised crime, resigned on 15 March. Deputy Prime Minister Peter Pellegrini has since formed a new government. However, despite his resignation as Prime Minister, Fico has claimed he will remain an active party leader.
3. Malta – The Daphne Project
Following the assassination of Maltese investigative journalist Daphne Caruana Galizia in October 2017, 18 major news organisations, including Reuters, the New York Times and the Guardian, are collaborating on The Daphne Project, an initiative led by Forbidden Stories, a journalism network working to publish the work of journalists who have been killed or imprisoned. Forty-five journalists across the world have pledged to pursue the investigations into Maltese government corruption and money laundering that Galizia had been working on.
The Guardian’s work on the Daphne Project has linked the Maltese tourism minister, Konrad Mizzi, and the prime minister’s chief of staff, Keith Schembri, to the unexplained payment of USD 1.6 billion to 17 Black, a Dubai company described as a potential client of one of the officials’ offshore businesses. The revelations have already led to calls for a money laundering investigation, and leading members of the Maltese opposition party, Partit Nazzjonalista, have filed a court application requesting a magisterial investigation into Mizzi and Schembri.
4. Security vs privacy?
For its iOS 11.3 update, Apple considered introducing a feature that would seriously hamper the effectiveness of an iPhone unlocking tool used by US police departments. Found in the beta version of the software update, a feature entitled ‘USB restricted mode’ meant that if an iOS device had not been unlocked in the week before a police department attempted to unlock it with Graykey, the tool would not work. This would make it harder for police to obtain evidence and data from seized phones if they had been inactive for a period of time.
The feature did not make it into the final iOS 11.3 release, but its inclusion raises further questions over the relationship between tech giants and law enforcement agencies, and the power they wield over public security – whether seen in terms of securing individual privacy or securing the public by enhancing police access.
5. Facebook moves 1.5bn users out of reach of GDPR
In the midst of the largest data breach scandal in history, Facebook has moved 1.5 billion users out of reach of the GDPR, despite Mark Zuckerberg promising to apply the “spirit” of the legislation globally. Facebook is shifting the responsibility for all users outside the US, Canada and the EU from Ireland to California.
Facebook have stated that “we apply the same privacy protections everywhere, regardless of whether your agreement is with Facebook Inc or Facebook Ireland”. It said the change was only carried out “because EU law requires specific language” in mandated privacy notices, which US law does not. However, the move means that the data collected does not have to be protected with the same degree of security, or be compliant with the specific demands of the GDPR.
Europe, Russia & the Politics of Energy
On 4 March 2018, former Russian spy Sergei Skripal and his daughter fell critically ill after being poisoned by a military-grade nerve agent, Novichok, in the English town of Salisbury. The attack has led to a tense international diplomatic impasse, with Russia singled out by the UK and its allies as the most likely perpetrator of the attempted assassination. Over 100 Russian diplomats were subsequently expelled from their respective postings across Europe and the US, with Russia expelling an equal number of European diplomats in kind. Germany was one of the first European countries to back the UK, expelling four Russian diplomats on 26 March. The following day, however, Germany gave its approval for the construction of the Nord Stream 2 pipeline under the Baltic Sea, a move set to increase Europe’s already hefty dependence on Russian gas. German Chancellor Angela Merkel initially insisted that the decision to support the project was purely economic, and unrelated to Germany’s political relationship with Russia. Nevertheless, the intricate web of economic and political interdependencies which characterises the Europe-Russia gas nexus begs the question of whether these two spheres can indeed be considered standalone.
In 2017, Europe received close to 40 percent of its gas supply from Russian state-run energy conglomerate, Gazprom. Europe’s dependence on Gazprom stems largely from its ability to consistently meet demand in the face of decreasing domestic production from the likes of other regional suppliers such as the Netherlands and Norway. For example, during the Arctic blast which beset much of Europe in early 2018, Gazprom was the first supplier able to increase output in response to an extreme surge in demand.
Such dependencies, however, run both ways. The Russian economy is largely dependent on its oil and gas sector, with these historically accounting for almost 40 percent of the country’s budget revenue, and over half of total export revenue. Gazprom itself is inherently linked to this revenue stream. The company owns 72 percent of Russia’s natural gas reserves, and generates 66 percent of the country’s gas output. Europe is a key export partner in this regard. According to the company’s official records, Gazprom supplied a total of 194.4 billion cubic meters of gas to European countries, including Turkey, in 2017, 81 percent of which was directed to Western European countries. Thus, while Europe may indeed rely on Russia’s gas supply, the Russian economy is equally beholden to European demand.
Furthermore, once complete, the planned Nord Stream 2 pipeline is set to double Russian gas supplies to Germany. The Nord Stream 2 project has far-reaching economic implications for Germany, which will be uniquely positioned to reap the economic benefits of becoming a regional gas transit hub once construction is complete. However, other European countries also have a vested interest in the project. Alongside Gazprom, the Nord Stream 2 pipeline has five European commercial investors, including German Uniper and Wintershall, Anglo-Dutch Shell, Austrian OMV and French Engie. The economic and commercial interests of a select number of key European countries in Nord Stream 2 have led to concerns over whether Europe can effectively stand up to Russia in the political arena as a unified whole. Those more suspicious of the Kremlin’s intentions have questioned whether Europe’s economic ties with Russia have lulled it into a false sense of (energy) security.
ENERGY SECURITY AND THE WEAPONISATION OF SUPPLY
The energy-security implications of European gas dependency on Russia have played out most notably through the ongoing conflict between Russia and Ukraine. Historically, much of Russian gas exports have transited via Ukrainian pipeline infrastructure. However, Russia has vowed to limit the amount of gas which runs from Russia to Europe via Ukraine by the end of 2019. The Nord Stream 2 pipeline works towards this goal, as it wholly bypasses Ukraine’s pipeline infrastructure. The implications thereof are twofold in nature. The first pertains to the risk of further Russian aggression in Ukraine. According to Polish Prime Minister Mateusz Morawiecki, the pipeline project would allow Russia to proceed with a ground offensive against Ukraine without jeopardising its gas transit route to Europe. Poland, along with a cohort of other eastern European and Baltic states resistant to the pipeline, also fears that Europe’s increased gas dependency on Russia would weaken it, politically, when seeking to pacify Russian aggression in the region and in upholding its stated support for the government in Kiev.
Such weakness stems from the second implication of increased gas dependency on Russia, and pertains to a primary tenet of energy security as a national interest: ensuring a country’s consistent access to energy. With the Kremlin controlling such a substantial portion of European gas supplies, Russia could use its energy supply punitively in retaliation for political overtures, or future sanctions, by European states. Precedent suggests that this is not an unreasonable concern. Following its annexation of Crimea in 2014, for example, Russia cut its gas supply to Ukraine as the conflict in the region escalated. This was not the first time Russia had weaponised its gas supply. In the winter of 2009, Russian-induced cuts in response to alleged gas siphoning by Ukraine led to significant shortages in a number of European countries, forcing a few impacted states to implement energy rationing for industrial users. Most recently, in March 2018, Gazprom announced a termination of all its gas contracts with Ukraine’s energy company, Naftogaz, spurring Ukraine to close down schools in an effort to conserve energy. In light of this, the detractors of the Nord Stream 2 pipeline fear the possibility, and consequences, of a future gas war between Russia and Europe.
POLITICS, ECONOMICS, AND POWER
The embroilment of these political and economic considerations has come to a head over the issue of Nord Stream 2 construction permits. The pipeline, set to run through the Exclusive Economic Zones (EEZs) of Germany, Finland, Sweden and Denmark, requires construction permits from each in order to proceed. So far, full approval has been given by Germany, and Finland too has conceded that the pipeline may run via its EEZ, although construction and operating permits remain pending. Sweden and Denmark, however, are yet to make a decision, with the latter holding a particularly powerful position in light of recent legislation which allows it to veto the construction of the pipeline in its sovereign territorial waters on security grounds. Denmark was hoping to take its cue in this regard from the EU, but the bloc remains grossly divided on the issue, with Germany pushing for approval while a number of Denmark’s other EU allies object. The UK, for its part, intends to reduce its reliance on Russian gas in response to the chemical attack on British soil, according to a statement made by Prime Minister Theresa May. Although the UK is less dependent on Russia for its gas than the rest of Europe, Gazprom is still the second-largest supplier to the UK’s major industrial consumers.
That energy-security considerations have taken centre stage in the diplomatic impasse between Russia and Europe suggests that the economic and political spheres are far more deeply embroiled than Chancellor Merkel would have us believe. Whether these economic dependencies run sufficiently in both directions to mitigate the risk of punitive action on the part of Russia remains to be seen. However, if little else, the very brazenness of the recent attempted assassination speaks volumes to Russia’s perception of its own power within its politically complex and economically entangled relationship with Europe.
25th May: A data remember
For anyone who has not been online, checked their emails or listened to one of the myriad GDPR training sessions, the EU’s General Data Protection Regulation (GDPR) comes into force a month from now on 25th May 2018. Organisations have had two years to raise awareness and prepare to be compliant, but those unfortunate enough to have done any GDPR-related work will be aware that despite first appearances, the GDPR is much more than a prescriptive rulebook. It is principle-based legislation which is open to a high degree of interpretation. As organisations continue to grapple with considerable uncertainty surrounding what its application will look like in practice, the reality is that much will be clarified as organisations found lacking are brought before the courts in the coming months and years.
So how should you create the foundation for compliance on shifting ground? The short answer is to think of 25th May not as a deadline, but as a beginning for GDPR. Organisations must be ready to adapt as regulators begin to enforce the GDPR, and the financial and reputational impacts of non-compliance become clear. With that in mind, those getting ready for GDPR should settle in for the long haul and be prepared to continually evaluate and update their approach to data protection after May 25. The most successful organisations will take a long-term view, and focus on an approach that is practical, flexible and creative.
HOUSEKEEPING: CHANGING MIND-SETS
In contrast to popular feeling, the GDPR compliance and training sessions should not come to an end after the 25th May. The Data Protection Officer (DPO) must continue to coordinate the compliance program, nag colleagues and monitor their organisation’s privacy and policy compliance. Bad habits must be broken: desks and desktops must remain clear. Regular training and a conscientious and common sense approach to privacy, communicated from the highest levels of management, will be crucial to incorporating compliance into employees’ mind-sets and everyday business practices. The aim is to preserve a positive change in the culture and conversation around data protection.
HOUSEBUILDING: PRIVACY BY DESIGN AND DEFAULT
Compliance with the legislation alone will not satisfy the requirements of the GDPR. These two key principles require organisations and employees to hold privacy measures at the forefront of their minds at every stage in the development of a new product or service.
Privacy by design means that data protection can no longer be an afterthought, akin to tidying your desk just before the weekend. Instead, privacy should be one of the first things considered when building a new website, trying to streamline the recruitment process, or rolling out a new sales approach. Privacy by default means organisations must ‘reset’ their privacy settings on behalf of users. Any systems or services which include a choice for individuals around how much personal data they share must be set to the most privacy-friendly by default.
These are not new concepts, nor should they be resisted – both offer a chance for organisations to increase efficiency and gain consumer trust.
HOUSEMENDING: RESPONDING TO A BREAK-IN
Under the GDPR, organisations will need to notify the regulatory authorities within 72 hours of a security incident in which personal data is breached. Clearly, this is a short timeframe and means you need effective breach response plans and procedures in place. The best plans will be easy to read, and provide step-by-step guidance for employees to act quickly. Well-defined reporting lines to escalate an incident to the appropriate figures within an organisation, in particular the DPO, information security team and crisis management team, will be a critical element of any effective response.
For most organisations, these roles will have been identified or assigned in advance of 25 May. However, practice makes perfect. It is imperative going forward that the appropriate staff walk through various scenarios in regular table-top exercises. Every scenario should be anticipated and rehearsed. What if the DPO is on holiday? What if it’s Friday and everyone wants to go home? What if it snows again? By expecting the unexpected, real-time decision-making will be improved and the margin for human error will be reduced. Regular testing will increase the likelihood that all team members react in a focused, pragmatic and effective manner.
MOVING HOUSE: MERGERS, ACQUISITIONS AND DIVESTITURES
Organisational restructuring is very common and the impact of the GDPR on these activities must not be neglected. All mergers and acquisitions should trigger an evaluation of potential data privacy and security impacts to ensure that data protection best practice is upheld. Reviewing sector-specific or jurisdictional data protection regulations which may apply after the deal, and the potential impact on existing supplier and client agreements must also be taken into consideration.
In particular, the potential inheritance of another organisation’s privacy debts and security weaknesses should be considered. The recent acquisition of Yahoo by Verizon is a good example of how a data breach can negatively impact the value of an organisation, and why it is important to identify potential warnings as early as possible. In the case of divestitures, data processing systems need to be decoupled and it is imperative that no personal data is retained within the wrong organisation.
Many will try to reduce compliance with the GDPR to a series of policies and procedures, but ensuring compliance is successfully maintained must go further. It must involve a cultural shift in which a positive and proactive attitude towards privacy and data security is cultivated at all levels. Ultimately, it is senior management and employees who must promote the kind of collaborative, responsive and conscientious approach to data protection that will enable organisations to adapt to the unknown which lies ahead.