Our IT & Outsourcing eBulletin contains summaries of the following recent developments in technology, outsourcing and data protection law and regulation in the EU and the UK.
1. Battening down the Cyber hatches: EU Council approves Cyber Security Directive
On 17 May 2016, the Council of Europe formally adopted the new Network and Information Security Directive (the so-called "Cyber Security Directive"), paving the way for final approval from the European Parliament.
As part of the Cyber Security Directive, Member States will be required to adopt a national 'NIS strategy' which will define strategic objectives and appropriate policy and regulatory measures in relation to cyber security. Member States will also be required to designate a national competent authority for the implementation and enforcement of the Directive, as well as Computer Security Incident Response Teams ("CSIRTs") responsible for handling incidents and risks, promoting swift and effective operational cooperation on specific cyber security incidents and sharing information about risks.
Critically for organisations, the Directive will also impose security and incident reporting obligations on two distinct categories of organisation, being: (i) operators of essential services; and (ii) digital service providers.
Operators of essential services will be required to adopt risk management practices and report major security incidents on their core services to the appropriate national authority or CSIRT. The original text of the Directive defined these operators broadly to include information service providers – internet payment gateways, social networks, search engines, cloud computing providers and app stores – and operators of critical infrastructure, such as electricity and gas suppliers, operators of oil and natural gas, air carriers, maritime carriers, railways, airports and ports, traffic management operators, banks, financial market infrastructure and health care providers. However, the final agreement between the European institutions provides that Member States will identify the operators in their jurisdiction to fall within the scope of the Directive, based on three criteria laid down in the text. These criteria are that:
- they provide a service that is essential for the maintenance of critical societal and/or economic activities;
- the provision of that service depends on network and information security; and
- an incident impacting the network and information security would have significant disruptive effects on the provision of those services.
Digital service providers are also subject to express security and notification requirements. Digital service providers are providers of online marketplaces, online search engines and cloud computing services, but hardware and software developers are excluded, as are social network providers. Digital service providers are required to take appropriate and proportionate technical and organisational measures, having regard to the state of the art, to manage the risks posed to the security of the network and information systems used in the provision of their services within the EU. They are also required to notify the competent authority or CSIRT without undue delay of any incident having a substantial impact on the provision of their service.
Organisations that are not operators of essential services or digital service providers may also notify the competent authority or CSIRT of any incidents, but are not mandated to do so.
The text of the Cyber Security Directive will now have to be formally approved by the European Parliament. After that it will be published in the EU Official Journal and will officially enter into force. Member States will then have 21 months to implement the Cyber Security Directive into their national laws and six further months to identify operators of essential services in their jurisdiction.
For further details regarding the Cyber Security Directive, please click here.
However, cyber security is not just a regulatory compliance issue. There are a number of proactive and reactive steps that organisations should take in order to prepare for, and react to, a cyber attack.
From a proactive perspective, it is vital that organisations carry out the following five key steps:
- Risk Assessment – Carry out a comprehensive risk assessment to identify assets and risks.
- Incident Management Strategy – Establish effective incident management policies and processes, and keep them under review.
- Employee Education and Awareness – Consider how to effectively embed risk management and cyber security within the organisation.
- Regulatory and Compliance Governance – Pay attention to regulatory requirements, in particular cyber incident reporting requirements.
- Network and IT Security – Take appropriate steps to ensure that networks and infrastructure are defended against external and internal attacks.
From a reactive perspective, organisations will need to respond to a cyber incident in the following five key phases:
- Detect – Detecting a cyber incident is not always as easy as you would think.
- Assess – The early assessment of a cyber attack is sometimes the most difficult step, with decisions needing to be made under considerable time pressure and on the basis of incomplete information.
- Contain – Appropriate measures to contain a cyber attack will depend on the type of attack as well as the type of business in question.
- Investigate – Use a legal team to manage any investigation in order to preserve legal privilege.
- Remediate and Review – Reflect on the causes of the breach and remediate them so that the same attack cannot recur.
For further details regarding our Top Ten Tips for Businesses with respect to Cyber Security, please click here. This article first appeared in the January/February 2016 edition of PLC magazine - click here for the PLC Magazine homepage.
2. Going Digital: European Commission publishes digital single market proposals
The European Commission has published a number of documents in support of its digital single market strategy, including legislative proposals relating to eCommerce.
On 25 May 2016, the European Commission tabled a package of measures intended to allow consumers and companies to buy and sell products and services online more easily and confidently across the EU. The eCommerce package is comprised of:
- A legislative proposal to address unjustified geoblocking and other forms of discrimination on the grounds of nationality, residence or establishment;
- A legislative proposal on cross-border parcel delivery services to increase the transparency of prices and improve regulatory oversight; and
- A legislative proposal to strengthen enforcement of consumers' rights and guidance to clarify, amongst other things, what qualifies as an unfair commercial practice in the digital world.
In relation to geoblocking, the Commission is proposing legislation to ensure that consumers seeking to buy products and services in another EU country, be it online or in person, are not discriminated against in terms of access to prices, sales or payment conditions, unless this is objectively justified for reasons such as VAT or certain public interest legal provisions. The general objective of this proposal is to give customers better access to goods and services in the Single Market by preventing direct and indirect discrimination by traders artificially segmenting the market based on customers' residence.
In relation to cross-border parcel delivery, the proposed regulation is intended to increase price transparency and regulatory oversight of cross-border parcel delivery services so that consumers and retailers can benefit from affordable deliveries and convenient return options even to and from peripheral regions.
In relation to consumer rights in eCommerce, the Commission is proposing an amendment to the Consumer Protection Cooperation Regulation which will give more powers to national authorities to better enforce consumer rights. They will be able to:
- check if websites geo-block consumers or offer after-sales conditions not respecting EU rules (e.g. withdrawal rights);
- order the immediate take-down of websites hosting scams; and
- request information from domain registrars and banks to detect the identity of the responsible trader.
For further information regarding the eCommerce proposals, please click here.
At the same time as its legislative proposals on eCommerce, the European Commission also published other documents as part of its digital single market strategy, including a communication on online platforms and the digital single market, available here (http://ec.europa.eu/transparency/regdoc/rep/1/2016/EN/1-2016-288-EN-F1-1.PDF), and a proposed update to the Audiovisual Media Services Directive, available here (https://ec.europa.eu/digital-single-market/en/news/proposal-updated-audiovisual-media-services-directive).
3. Schrems Part II? Irish DPC refers model clauses to CJEU
The Irish Data Protection Commissioner ("DPC") has issued a statement confirming that it intends to make a referral to the Court of Justice of the European Union ("CJEU") to determine the legal status of data transfers undertaken using the so-called Model Clauses.
The announcement by the DPC follows a complaint by Maximillian Schrems that Facebook's use of Model Clauses to transfer personal data from the EU to the US provides no protection from access by intelligence services, and that EU citizens lack effective legal redress in the US should their personal data be accessed by a US public authority.
The move also follows the decision by the CJEU in October last year which found the US Safe Harbor invalid as a mechanism for transferring data from Europe to the United States. The CJEU decision also originated with a complaint from Mr Schrems regarding use of the US Safe Harbor mechanism to justify transfers of personal data to the US.
The implications of the US Safe Harbor decision are still being felt. EU and US authorities have put together an alternative to the Safe Harbor known as the EU-US Privacy Shield, although the detail of the Privacy Shield has been criticised by the Article 29 Working Party (the European body comprising representatives from each of the data protection authorities of each of the EU Member States, the European Data Protection Supervisor and the European Commission).
On 30 May 2016, the European Data Protection Supervisor ("EDPS") also published his opinion on the Privacy Shield, finding that it is not robust enough to withstand future legal scrutiny before the Court. The EDPS went on to say that significant improvements were needed, should the European Commission wish to adopt an adequacy decision, in order to respect the essence of key data protection principles, with particular regard to necessity, proportionality and redress mechanisms. To view a copy of the EDPS opinion, please click here.
The European Commission is not bound by the opinions of either the Article 29 Working Party or the EDPS and it therefore remains to be seen whether the Commission will push ahead and adopt the Privacy Shield in its current form despite the criticisms levied at it.
In the aftermath of the US Safe Harbor decision, the Article 29 Working Party also confirmed that it would, in due course, consider the validity of other data transfer mechanisms such as Model Clauses and Binding Corporate Rules. It is therefore not entirely surprising that the DPC has referred the issue of the validity of Model Clauses to the CJEU.
For further details regarding the proposed EU-US Privacy Shield, please see our eBulletin, available here.
4. The Countdown Begins: EU General Data Protection Regulation to apply from 25 May 2018
The EU General Data Protection Regulation has finally been approved and published in the Official Journal. The countdown to its application date of 25 May 2018 has therefore begun.
The European Commission published its first draft of the EU General Data Protection Regulation (the "GDPR") in January 2012, a comprehensive reform of the existing EU regime. In April 2016, after over four years of debate, the final text of the GDPR was formally approved.
The GDPR has now been published in the Official Journal (on 4 May 2016) and entered into force on 25 May 2016. There is now a two-year implementation period, meaning that it will apply from 25 May 2018.
For further details regarding the content of the GDPR, please see our data protection eBulletin available here.
The UK Information Commissioner's Office ("ICO") has now also published details of the guidance on the GDPR that organisations can expect to receive, and when.
The ICO will first of all focus on producing guidance to assist organisations in getting to grips with the key differences in the new legislation and in planning their preparations. This will build on the "12 steps" document already published by the ICO and available here. The ICO is also contributing to priority European-level guidance. Guidelines on the following topics are due for completion by the end of 2016: (i) identifying an organisation's main establishment and lead supervisory authority; (ii) data portability; (iii) data protection officers; (iv) risky processing and data protection impact assessments; and (v) certification.
To view a copy of the ICO's statement, please click here.