The landscape of data security regulation within the European Union will likely change drastically over the next few years. In just the latest indicator of this regulatory revolution, the European Commission adopted on May 6, 2015 the heavily anticipated Digital Single Market (DSM) strategy, a multifaceted package of initiatives aimed at reducing or eliminating barriers to online commerce within the EU. The DSM strategy includes components explicitly directed towards data security, as security concerns could undermine parts of its core mission.
The DSM strategy consists of 16 initiatives to be delivered by the end of 2016. It is the Commission’s hope that the DSM unleashes a wave of innovation within the EU and generates billions of Euros in additional economic growth by “break[ing] down national silos in telecoms regulation, in copyright and data protection legislation, in the management of radio waves and in the application of competition law.”
The DSM strategy rests on three pillars: (1) better access for consumers to digital goods and services, (2) creation of the right conditions for digital networks, and (3) innovation and maximization of the growth potential of the digital economy. Pillar II, focused on improving digital networks generally, contains Initiatives 12 and 13, which relate to data security and the handling of cyber threats within the EU.
With Initiative 12, the Commission seeks to “reinforce trust and security in digital services,” with particular emphasis on personal data, by building on the EU’s upcoming data protection rules, the General Data Protection Regulation (GDPR). Though the GDPR remains in EU negotiations, it is due to be passed by the end of 2015 and will likely impose new and expanded data security obligations on both data controllers and processors, as well as generally applicable data breach reporting requirements. Initiative 12 commits the Commission to using the GDPR as the basis for a review of the e-Privacy Directive, passed in 2002.
Initiative 13 similarly recognizes the importance of cybersecurity and proposes a partnership between the Commission and industry “in the area of technologies and solutions for online network security.”
Initiatives 12 and 13 of the DSM strategy demonstrate the Commission’s belief that cyber threats undermine public trust in online commerce and activities and hinder innovation and economic growth via the Internet. However, the DSM strategy’s commitment to data security as a means of maintaining consumer confidence is just one piece of an increasingly ambitious data security agenda within the EU. Another piece, the Network and Information Security Directive (NISD), is currently working its way through the EU’s legislative process and once in place will directly support the DSM strategy by ensuring “a high common level of cybersecurity in the EU.” Just as Initiative 12 of the DSM strategy is motivated in part by concern for consumer confidence, security of personal data, and encouragement of e-commerce, the NISD is intended to maintain consumer confidence in the face of cybersecurity threats. Per the Commission: “Failure to respond to these threats will mean consumers losing confidence in the digital world, businesses losing money, e-government initiatives becoming ineffective and even national security being put at stake.”
Specifically, the NISD would require member states to adopt a strategy for network and information security and designate a competent national authority to prevent and respond to security risks and incidents. The NISD would also require coordination among member states and between member states and the Commission in matters related to security in order to facilitate the sharing of early warnings and regular peer reviews. Finally, the NISD would impose security incident reporting requirements on certain organizations. These requirements would only apply to operators of critical infrastructure in some sectors, such as energy and health, and to enablers of information society services, such as e-commerce platforms and social networks.
The DSM strategy, aimed at dismantling digital borders between member states, will likely change how European and foreign businesses operate within (and potentially outside of) the EU. While the data security initiatives found within the DSM strategy represent only one part of these coming changes, the initiatives are significant because they build upon previous and ongoing efforts like the GDPR and NISD. Importantly, all three measures emphasize the importance of harmonized and enhanced security standards, as well as the need for European cooperation in the area of data security. The final reforms will likely reflect those concerns. Businesses and organizations operating in and outside of the EU should be sure to carefully track the DSM strategy and related efforts like the GDPR and NISD.