Index 
 Previous 
 Next 
 Full text 
Procedure : 2006/0276(CNS)
Document stages in plenary
Document selected : A6-0270/2007

Texts tabled :

A6-0270/2007

Debates :

PV 09/07/2007 - 21
CRE 09/07/2007 - 21

Votes :

PV 10/07/2007 - 8.37
Explanations of votes

Texts adopted :

P6_TA(2007)0325

Debates
Monday, 9 July 2007 - Strasbourg OJ edition

21. European Critical Infrastructure (debate)
PV
MPphoto
 
 

  President. – The next item is the report (A6-0270/2007) by Mrs Hennis-Plasschaert, on behalf of the Committee on Civil Liberties, Justice and Home Affairs, on the proposal for a Council directive on the identification and designation of European Critical Infrastructure and the assessment of the need to improve their protection (COM(2006)0787 – C6-0053/2007 – 2006/0276(CNS)

 
  
MPphoto
 
 

  Franco Frattini, Vice-President of the Commission. – (IT) Mr President, ladies and gentlemen, I should like to thank the rapporteur for this important report, which follows the presentation of an initiative by the Commission.

The protection of critical infrastructure is, of course, a priority for the European Commission as well as for the Member States, not least because the need to protect critical infrastructure from the eventuality of a terrorist attack, for instance, derives from the very nature of such infrastructures and the interconnection and interdependence between them. Indeed, if a physical or technological infrastructure is attacked in one Member State, the effect will inevitably be felt in other Member States. That is why we need a common European prevention and protection framework.

Our view was that the best way forward was to involve the private sector first of all, which means drawing on currently available technologies and stimulating more technological research. We would then call on companies and research laboratories to collaborate by placing the outcome of such research at the disposal of the common European framework. The idea is to have proper security schemes devoted to the various infrastructure sectors and a real network of liaison officers to ensure that this common European framework functions.

Our idea is to take into consideration only those infrastructures that are truly cross-border in nature and not of course those confined to the territory of just one Member State, unless that particular critical infrastructure has an influence that goes beyond the borders of that Member State.

As you know, we adopted a communication last December to set up a European programme for critical infrastructure protection, together with a proposal for a directive to identify which infrastructure needs protecting. I am therefore grateful to Parliament for having examined all the proposals on such an important subject. The communication, of course, identifies principles and processes to be carried out as well as the instruments for carrying out the processes, while the directive lays down rules for identifying those infrastructures which, according to a common European approach, require protection. It is our intention to develop this action plan through a broad web of public-private collaboration.

We think that the Member States should be assisted in developing the various initiatives included in the action plan; we are also convinced that the international dimension must be taken into account and that financial measures must be put in place. Of course, we already have a financial programme for the prevention, preparation and management of the consequences of the terrorist threat, which may be able to provide appropriate funds for critical infrastructure protection measures.

I can say straight away that I can accept certain important amendments that Parliament is preparing to examine. The first concerns the need to emphasise in the text of the directive that it is the responsibility of each Member State to identify the most appropriate forms and methods of implementing it: in other words, we must stress the principle of flexibility in the implementation of the directive, on the basis of which the measures, whether mandatory or not, should be put into practice without an excessively rigid approach.

The second point that I think is acceptable concerns the need to clarify the procedures for exempting certain sectors from some of the obligations laid down in the directive. The Commission has foreseen the possibility of exempting certain sectors, and Parliament’s draft amendments substantially seek to specify more clearly when a particular exemption applies to a given sector. I believe I can agree on the need to introduce some specification, thus making things clearer.

I also agree with the proposal to amend the list of critical infrastructure protection sectors given in Annex I to the proposal for a directive. I think Parliament’s proposal to amend that annex is acceptable, as is the introduction of certain changes to the sectors where resorting to the comitology procedure is envisaged. There is a specific proposal on that, although we should be aware that by limiting the use of comitology we would be increasing the time it would take to implement the directive. Basically, comitology is perhaps a rather complicated instrument, but it does save time in implementation, However, I am not against accepting the idea behind those amendments.

To conclude, Mr President, I can say that I am happy and pleased with the report before us, and I hope Parliament will adopt it by a large majority. We need to show that we are speaking with one voice on a strategic measure such as this European initiative to protect critical energy, transport and technological infrastructures, which require strong prevention and protection measures, because the terrorist threat is unfortunately directed first and foremost at critical infrastructures. I am therefore grateful to Parliament for the contribution that it has already made and is yet to make to this work of ours.

 
  
MPphoto
 
 

  Jeanine Hennis-Plasschaert (ALDE), rapporteur. (NL) Mr President, back in June 2004, the Council tabled a request in which the Commission was asked to prepare a general strategy to protect critical infrastructure. In the past three years, the topic has not been off the Commission agenda, quite rightly so. In line with the wishes of the Council and the European Parliament, the Commission finally moved a proposal for a European programme to protect critical infrastructure, which culminated in the Directive we are debating today.

As rapporteur, I support the idea of a common framework in this matter. The effective protection of vulnerable critical infrastructures and services requires communication, coordination and cooperation in which all interested parties are involved, both at national and at European level. The complex processes and interfaces of critical infrastructure with a transnational dimension are, as I see it, also legitimate areas for consideration.

As Commissioner Frattini has already explained on several occasions, damage to, or loss of, a certain infrastructural provision in a Member State can impact badly on various other Member States and even on the European economy as a whole. Thanks to new technologies, for example the Internet, as well as the far-reaching liberalisation of the market, for example where the supply of electricity and gas is concerned, many infrastructural provisions are already part of bigger networks.

Indeed, in these circumstances, the effectiveness of all these protective measures is determined by the weakest link. I do take the view, though, as Mr Frattini already observed, that the Commission has been slightly too proactive or overenthusiastic in some sections of the Directive. It must be clear that the primary and ultimate responsibility lies with the Member States and the owners of this critical infrastructure.

From that point of view, I consider a bottom-up approach to be of critical importance. Common action can, in my view, only be justified if at least three Member States were to experience adverse effects, or at least two Member States other than those in which the critical infrastructure is located. After all, much has already been agreed upon bilaterally, which, to be honest, is also the most flexible solution.

In addition, I take the view that overlaps or inconsistencies with existing legislation and/or provisions should be avoided at all costs. Existing criteria and mechanisms must therefore be taken into consideration. It is equally important to me that the private sector is not faced with an unnecessary administrative burden. I would urge them to make use of the expertise that is already available and would, above all, counsel against re-inventing the wheel. I would therefore argue in favour of this pragmatic, yet structural, approach.

Following the debates in the parliamentary committees, certain groups of Parliament have also agreed to focus on so-called priority sectors. It has, indeed, also been decided to scrap the proposed comitology procedure. In the past, the use of the comitology procedure has too often led to shaky situations. I am therefore very grateful to the Commissioner for his observations on this matter and on the other amendments and for the fact that he has shown his satisfaction. I would like to have a reaction, however, to the definition of two to three Member States, because this is the most important amendment in my view.

I should like to finish off with an observation for the Council, which is once again conspicuous by its absence. The agreement on a common position appears to be a bridge too far for them. This is quite remarkable, given the fact that the Council asked for this common framework itself, and out of character too, because, if anything happens, then the Council is all too keen to be the first to immediately announce all manner of rules without really taking the quality of the proposals into account, their ramifications for the internal market, for example, or the European citizens for that matter.

After all, vision and power are two skills that can be expected from the Council in this matter. At the opening of the plenary sitting earlier today, President Poettering spoke wise words. Nobody is waiting for ad hoc rules and regulations that are dictated by panic. A structural line of attack, on the other hand, taking the principles of rule of law into consideration – and the latter is vitally important – is very welcome. I thank you and I thank the Commissioner.

 
  
MPphoto
 
 

  Harald Ettl (PSE), draftsman of the opinion of the Committee on Economic and Monetary Affairs. – (DE) Mr President, cross-border crises, whether caused by terrorism or natural disasters, call for Union-wide protection of critical infrastructures. Critical infrastructures cannot be kept secret by not mentioning them. It would be completely naïve to think that.

From a psychological point of view, the destruction of critical infrastructures leads to a loss of public confidence in the European Union. Crisis protection is not therefore only a national matter but requires European crisis management, as the Commission proposes.

Moreover, as the Committee on Economic and Monetary Affairs has clearly pointed out, moving elements of European infrastructures outside the EU increases the risk of terrorist attacks and access to data in particular makes the entire infrastructure more vulnerable. This is also true of banking and insurance. Even if security and controls are constantly being improved in these areas, there is still a need for additional coordinated European action. Nobody will want double regulation. What we need is greater security. The Directorate General for the Market must be guided by that and not by short-sighted wishes expressed by industry.

 
  
MPphoto
 
 

  Renate Sommer (PPE-DE), draftsman of the opinion of the Committee on Transport and Tourism. – (DE) Mr President, the Committee on Transport and Tourism is of the opinion, for its area of responsibility, that with this proposal for a directive the Commission is exceeding its powers, because it is misunderstanding its instructions. It speaks of stabilising the internal market, but the directive is supposed to be principally about protection against acts of terrorism.

Moreover, the Commission proposal contravenes the principle of subsidiarity, because it seeks not only to complement Member States’ existing measures, but to replace some of them. Finally, the proposal does not address the real task, but delegates it to a comitology committee.

The Committee on Transport and Tourism therefore rejected the Commission proposal, although we know that we do of course need European cooperation. The question is simply how. My main concern is to ensure that the Member States are not obliged to notify their critical European infrastructures to the Commission so that it can then make a complete list of sensitive EU infrastructures, attach security plans to it and then store everything in some office in Brussels. That would be against national security interests. Such a list would be an interesting source of information for terrorists.

All that should be done by the Commission is to define and list in general terms the most important sectors at risk. It should be left to the Member States to identify those sectors, because it is they who are primarily responsible for the protection of critical infrastructures and they carry the ultimate responsibility for measures to protect critical infrastructures within their national borders. In the interests of national security, that must continue to be the case. Only a devolved management of sensitive infrastructures can reduce the level of risk.

I believe the narrower definition of critical European infrastructures, according to which at least three Member States, or two others than the one in which the critical infrastructure is located, must be affected, is the right one. We must ensure that the directive covers only European infrastructures and no national ones. I also consider that bilateral cooperation between Member States is more sensible in this area on security grounds.

Finally, I would like to thank the rapporteur, Jeanine Hennis-Plasschaert, most sincerely and assure her of my support.

 
  
MPphoto
 
 

  Herbert Reul, on behalf of the PPE-DE Group. – (DE) Mr President, Commissioner, ladies and gentlemen, indisputably, we have raised a very difficult issue with critical European infrastructures. There can be no doubt, however, that we need to get to grips with this question at European level and find and develop solutions jointly with the Member States, because the potential threats which the Commissioner has just described do exist and must therefore be taken seriously.

It is, however, extremely difficult to say where the European competence lies in this matter, what must be organised at European level and where particular devolved tasks must be dealt with. This question occupied us in committee for a very long time. We have tried – and I would like to thank the rapporteur most sincerely for her very fair and open cooperation – to find a way that will ensure the exchange of best practice between the Member States with EU-wide coordination, while at the same time keeping the subsidiarity principle central. Neither, as Mrs Sommer has already said, do we want to notify specific critical infrastructures and collect them somewhere, rather we want to ensure that secrecy is guaranteed.

That is why we agreed that the Member States should notify the Commission of their respective critical sectors but not specific infrastructures. It was important for us not to go for a comitology procedure, and I am grateful to the Commissioner for accommodating Parliament on this. As the rapporteur has already pointed out, the procedure’s inefficiency in the past does not encourage us to go further down that route. We suggest another way.

I also want to say that it was important for us that unnecessary bureaucracy should be avoided, that a contact point in the Member States should do the designating and identifying and that no new bureaucracies should be created, that administrative costs should be reined in and that there should be plenty of flexibility.

 
  
MPphoto
 
 

  Inés Ayala Sender, on behalf of the PSE Group. (ES) Mr President, the President of the European Parliament, Mr Poettering, referred today to this very report by Mrs Hennis-Plasschaert when he condemned the latest terrorist attacks, both on European territory — where airports were the targets — and in third countries, such as Yemen — in the case of the murdered Spanish tourists. In the latter case, the target was not a specific infrastructure, but rather tourists travelling in a vehicle along a road.

This reference once again demonstrates or reinforces the importance of this exercise proposed to us by the Commission and for which I would like to thank the Commissioner most warmly. This is not a single measure but rather part of a long process – which began in 2004 – which is now taking the form of increasingly interesting and effective measures.

Furthermore, in view of the complexity of our European society, based on these complex and open networks of communication, supply and services on which, additionally, the economy is founded, we must defend them and defend ourselves in view of their potential vulnerability to terrorist attacks.

I wish to point out that my group was more in agreement with the Commission’s original proposal relating to the definition of critical European infrastructures, in the sense of infrastructures shared by two or more countries, or cases in which a State is affected by an infrastructure of another Member State.

For example, for us, the Eurotunnel could be a good example for the application of this optimum protection from possible attacks, not to mention airports, etc., where we have already suffered such attacks.

Tomorrow, therefore, we shall maintain this position in favour of the Commission’s original proposal, because we want to remain hopeful that we may find more support in the Council. In any event, we prefer to continue moving towards more integrated and European approaches, and we prefer to avoid savings that appear to reduce costs but that we could end up regretting in the future.

We do support everything that Mrs Hennis-Plasschaert proposes in terms of protection with regard to third countries; we support everything relating to the protection of the individual data involved; naturally, we support everything relating to the necessary confidentiality — we have long experience of dealing with this confidentiality, both at national level and at Commission level, and we do not believe that it is going to be violated in this case — and we also agree that we should avoid any duplication of what has already been done within the Member States and what the Commission is now proposing.

In this way, we hope to overcome the backward-looking position that we had to accept in the Committee on Transport and Tourism and with which my group still does not agree. We hope that, with the proposal that will be put to the vote tomorrow, we will be able to continue moving forward and that with both what Parliament is proposing — and I am grateful for the great work by Mrs Hennis-Plasschaert and all of the honourable Members — and with what the Council is proposing, we will be able to achieve better protection of our critical European infrastructures.

 
  
MPphoto
 
 

  Margarita Starkevičiūtė, on behalf of the ALDE Group. – (LT) I would like to thank the Commission member and the honourable rapporteur for their suggestions; however, I would like to stress that these suggestions should be interpreted as only the beginning of the discussion. I do not know whether the Internet can be described as critical infrastructure according to the definition used by the Commission. It is hard for me to know, if a website was blocked in one country, would that mean that it was no longer critical infrastructure? One need only block the website of a large bank that has its headquarters, let us say, in Germany, France or Great Britain, and all the residents of Europe will feel it. We are talking about the consolidation of the financial sector, the consolidation of economic activity, even the consolidation of hotel chains. In other words, we have to acknowledge that critical infrastructure has spilled into cyberspace, and I believe that Estonia is the first country to have experienced elements of cyber-war. I regret that little attention has been paid to this, and now this topic is getting beyond the scope of the concerns of the Commission Member responsible for communications. However, I would like to say that this topic has to be highlighted from a security point of view, because it is hard to imagine what the lives of European citizens would be like without the Internet. Whether the Internet is European or whether it belongs to one country we cannot say – it is a world-wide web, and of course, to define how to protect the web from an attack that could be carried out at any minute is rather complicated and the level of debate has to be quite different. We are presently talking mainly about physical infrastructure and, without a doubt, tragic scenes upset us, but life is becoming ever more virtual and this needs attention.

 
  
MPphoto
 
 

  Eva Lichtenberger, on behalf of the Verts/ALE Group. – (DE) Mr President, Commissioner, ladies and gentlemen, no one in this House disputes that close cooperation between the Member States is very important and necessary for countering terrorist risks. Our criticism is of how this is to be done. More bureaucracy will not help us against terrorism! I would like to thank the rapporteur for at least bringing the proposal back down to earth and greatly improving the Commission’s version. She has also made a number of very practical suggestions.

We are all agreed that improved cooperation and information are good things. That can be done bilaterally or multilaterally. But compiling a list of all at-risk infrastructures will bring no gains in terms of security and may even be counterproductive. In the end, however, competence lies with the Member States in any case, and there is no point at all in shifting it to the European level.

I hope that when we come to the vote tomorrow we will all proceed with the same realism as the rapporteur has shown and go on to secure what we now have: a sensible way forward that takes account of reality and fosters no illusions!

 
  
MPphoto
 
 

  Erik Meijer, on behalf of the GUE/NGL Group. (NL) Mr President, those who already wanted more government pressure in the areas of the army, police, security services, all kinds of other control system and the prison system in the past have been able to reinforce their position since the turn of the century. They can now refer to the advent of a new kind of terrorism, which, as it came as a shock to everyone, creates scope for ill-thought-out solutions.

At all administrative levels, proposals have been moved to subject democracy, the freedom of association, the freedom of demonstration, the right to strike, the freedom to travel and privacy to the proposed guarantees for security. The trouble with this line of attack is that it does nothing to remove the seedbed from which terrorism springs, including the utter inequality in wealth or power that divides the world.

Instead, we collect more intelligence, monitor more objects, organise more bureaucracy and bring about more displeasure. In the European Union, in the area of critical infrastructure, there are already 32 directives, regulations, treaties and decisions that make a European approach possible. This is why adding a new directive with yet more powers and obligations has raised a few eyebrows.

In January, the committee for the subsidiarity test of the Dutch Parliament drew my attention to this very subject. This committee is calling into question Article 308 of the EC Treaty, which focuses on the interim enhancement of powers, as a legal basis, and considers the protection of critical infrastructure to be first of all a national affair.

As shadow rapporteur on this subject in the Committee on Transport and Tourism, I was delighted to find that this committee decided to invite the Committee on Civil Liberties, Justice and Home Affairs to emphatically reject the proposal. The main reason for this request was that everything that is in the draft Directive can be regulated more effectively on a smaller scale, in other words by the Member States or their regions. In this case, more interference from the European Union means, above all, more unproductive bureaucracy.

Unfortunately, the groups that voted ‘no’ unanimously in the Committee on Transport were divided in the Committee on Civil Liberties, Justice and Home Affairs. My group was no different. Most smaller national delegations consider this to be a poor proposal, partly because unnecessary interference obscures the division of tasks between the Member States and the Union, and partly because it may be used inappropriately in order to cut down on civil rights, such as the freedom of demonstration, by referring to the protection of infrastructure, in which case it does not affect international terrorism, but rather domestic democracy.

By contrast, the members of our larger delegations from Germany and Italy also see positive points in the proposal. They expect a reduction in the powers that are already being exercised by the Commission anyway and better parliamentary control of the application of the remaining powers. Those in favour and against in my group applaud the fact that the amendments predominantly weaken the effect of the draft and confine the application to matters that affect at least three Member States.

 
  
MPphoto
 
 

  Christian Ehler (PPE-DE). – (DE) Mr President, unlike the Committee on Industry, Research and Energy or the Committee on Economic and Monetary Affairs, the committee responsible, the Committee on Civil Liberties, Justice and Home Affairs, failed to recognise the importance of the European level for the protection of critical infrastructures. The focus is no longer on the protection of individual infrastructures but on the consideration of sectors.

I think the procedure proposed in the report lacks resolve. The added value that comes from including the European level has been almost completely abandoned. It is clear that responsibility for critical infrastructures must rest with the Member States. However, if we leave designation entirely to the nation states we will not identify the weaknesses and structural dependencies, and that is precisely what is needed for the designation of critical European infrastructures.

The idea that a list would be as good as a textbook for terrorist attacks is downright naïve. The Member States have had such lists for a long time. One of the most important structural errors was, for example, not having checked those lists with NATO. In the military sphere, NATO has had such lists of critical infrastructures for 40 years and relevant scenarios have long been provided for in anticipation of military crises.

 
  
MPphoto
 
 

  Inger Segelström (PSE). – (SV) I wish to begin by thanking the rapporteur for a constructive report and an efficient piece of work. It feels as if we in the Committee on Civil Liberties, Justice and Home Affairs are systematically wading through all those areas of society that have bearing on the terrorist threats to our citizens. The President too addressed this issue today.

It is very important that we not look at each individual measure in isolation but review all areas together so that we obtain common security regulations covering everything from visa regulations and security checks in aviation to better ways of protecting ourselves against the threats to airports, public transport and harbours and to the whole of the infrastructure which, because of the huge number of passengers involved, could be hit by a huge disaster if a terrorist attack were to occur.

The issue from the rapporteur’s proposal that I wish to address is that of whether three or more Member States should have to be affected by disruption or destruction, or whether it is enough that two be so affected. The rapporteur’s proposal involves an increase to three Member States from the two referred to in the original proposal’s directive. I consider this increase to be unreasonable because a threat, disaster or instance of devastation may affect a lot of people, despite few countries being involved. Moreover, the incident may make more impact on the place affected than it would have done on more centrally located places in the EU. This proposal makes it still more difficult to take account of smaller EU Member States, in spite of the fact that they are in danger of being hit by equally serious crises on just as large a scale.

I also believe that as we plug the holes and make it more difficult to attack aviation, the terrorists will concentrate on other targets and on central locations within the infrastructure, to which a huge amount of damage can be caused. We should not be naïve. Instead, we must be as well prepared as we possibly can be. That is our responsibility.

 
  
MPphoto
 
 

  Marianne Mikko (PSE). – (ET) The cyber attacks against Estonia that took place in April and May of this year were the first such events that gained global attention. Yet these were not the first attacks against the essential infrastructure of Europe. Until now, cyber attacks had been directed against individual companies, primarily in the financial sector, where the Internet has become an indispensable environment for transactions.

For understandable reasons banks prefer not to make a lot of noise about attacks. Lack of confidence in the reliability of banking systems would have serious consequences for the entire European economy.

Fields of activity in which the Internet has become an essential part of infrastructure include public administration and the media. The inability to repulse a cyber attack could in the worst case scenario throw the European Union back in time to the last century.

Imagine today, in the 21st century, a situation in which communication between ministries is interrupted, and both the government and the media are unable to inform the public. This is precisely what happened in Estonia, as Mrs Starkevičiūtė so correctly stated.

I would like to thank the rapporteur and emphasise her excellent timing. Cybersecurity is the best example of the need for cooperation in the defence of the essential infrastructure of the European Union. During this hitherto unique cyber attack against an independent state, Estonian IT specialists were supported by experts from both the European Union and beyond.

May this cooperation be an example and a lesson in internal security to the responsible parties in all the Member States. Neither wealth nor military force can help repulse a cyber attack. The only defence is cooperation. Once again, many thanks to the rapporteur.

 
  
MPphoto
 
 

  Franco Frattini, Vice-President of the Commission. – (IT) Mr President, ladies and gentlemen, while I am grateful to all the speakers, including the rapporteur, I am afraid I have a few concerns about accepting the rather restrictive approach that the Committee on Transport and Tourism has tried to put across.

As certain Members have rightly pointed out – Mrs Segelström was the last, and there were others – restricting the minimum threshold for defining a European infrastructure to just three or more Member States would, in my view, have two drawbacks, the first of which would be to prevent the smaller European Member States from taking part in the critical infrastructure protection programme. We, of course, want to avoid any such eventuality. We want to offer all Member States that are potential targets for terrorist attacks a way of taking part in this European strategy.

I must also raise objections to the restrictive attitude that is hostile to the idea that Europe should concern itself with a common infrastructure protection framework. This is not a matter of subsidiarity, which we are extremely careful to respect. The problem is that infrastructures nowadays are closely interconnected, and the last speech by the Member from Estonia, who recalled the cyberattack on her country, provides the most obvious proof of that: it was an attack that affected an entire countrywide system. Even though only a single countrywide system was involved, can we have any doubt that that attack indirectly affected Estonia’s entire network of relations with the other countries of Europe? If the banking system of just one country is paralysed for a certain number of days, then one of the basic structures of the European Union is inevitably affected. I therefore believe that the Commission’s original proposal, for which I confirm my support, is better in that it provides a wider range of opportunities.

With regard to cyberattacks, I do not rule out the possibility that terrorists may plan an attack on a countrywide system, such as a banking system, a ministry or an administration system: we are examining what happened in Estonia and our information security agency will be producing a report after the summer. I obviously intend to publish its report but, leaving aside the analysis of this particular incident, we cannot rule out the possibility that terrorist organisations may be thinking of knocking out an entire countrywide system by means of a cyberattack. That is why I believe a rather less restrictive interpretation is absolutely essential.

To conclude, I once again thank the rapporteur and all the Members of this Parliament. I believe that adopting a rigorous report on the initiatives undertaken by the Commission would show very clearly that we are concerned about prevention. As someone rightly pointed out, the European Commission and the European Union’s institutions have been acting to strengthen our policies on prevention ever since 2004. It is only by doing so that we can provide a truly effective and coordinated response to the threat of terrorism.

 
  
MPphoto
 
 

  President. – The debate is closed.

The vote will take place tomorrow, 11 July 2007.

 
Legal notice - Privacy policy