In this fourth article in our series on "Big Data & Issues & Opportunities" (see our previous article here), we focus on some of the cybersecurity aspects of big data processing. Where relevant, illustrations from the transport sector will be provided.
Given that cyber-threats and attacks may have devastating consequences, the issues related to cyber-security have never been more important. For instance, in the transport sector, cyber-attacks could have potentially serious consequences on the economy but also on individuals, resulting in certain cases in loss of lives.
It follows that any organisation, including notably actors in the big data value chain, is required to observe the legal obligations related to security and cyber-security, which derive not only from the General Data Protection Regulation (hereinafter the "GDPR"), but also from other legislative instruments at both EU and national level.
The present article will look into such security requirements under the GDPR, the Network and Information Security Directive (hereinafter the "NIS Directive"), and other European legislations and security standards.
Security requirements under the GDPR
The requirements relating to security under the GDPR apply whenever personal data is processed (see our second article on Privacy & Data Protection for the definitions of "processing" and "personal data"). Considering that the use of big data technologies may entail massive personal data processing operations, the GDPR security requirements will have to be taken into account in such context.
The GDPR security requirements can be divided into, on the one hand, personal data governance obligations and, on the other hand, obligations relating to the security of personal data processing.
As regards the personal data governance obligations laid down in the GDPR, a general obligation is imposed upon data controllers to adopt technical and organisational measures to ensure compliance with the GDPR and, importantly, to be able to demonstrate such compliance. Operating a regular audit programme, implementing privacy by design and by default measures, running data protection impact assessments, appointing a data protection officer, etc. are all measures considered to be in line with the data governance obligations, including the security-related requirements. Such measures must be reviewed and updated on a regular basis, taking into account the changing circumstances.
As for the obligations relating to the security of personal data processing, the GDPR (Article 32) requires data controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In a big data context, this means that both controllers and processors should continuously evaluate, manage and document the risks involved in their respective processing activities. The GDPR does not prescribe specific security measures. It does, however, list a few examples of what may be considered "appropriate to the risk": the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner after an incident; and a process for regularly testing, assessing and evaluating the effectiveness of the measures.
The GDPR moreover indicates that adherence to an approved code of conduct or certification mechanism may be used as an element to demonstrate compliance with data governance obligations as well as with security requirements. Currently, such codes of conduct or certification mechanisms are still being developed throughout the EU market.
Finally, it should be borne in mind that the GDPR imposes a high duty of care upon data controllers in the selection of personal data processing service providers, i.e. their processors. In a data-rich environment, such as big data processing operations, the data controller should carefully impose security obligations in its agreements with processors, including for instance cloud service providers. Article 28 GDPR also requires that, where a processor engages a sub-processor, the same data protection obligations as those set out in the contract between the controller and the processor are imposed on that sub-processor by way of a contract, so the security obligations must flow down the entire chain.
Security requirements under the NIS Directive
The NIS Directive was adopted on 6 July 2016 to address the increasing challenges in relation to cybersecurity. This EU legislation aims to develop a common approach across Europe to address potential socio-economic damage caused by attacks on the network and information systems of operators of essential services and digital service providers.
Being a directive, the NIS Directive had to be transposed by the EU Member States into their national laws by 9 May 2018. Organisations must therefore carefully consider the specific obligations flowing from the national implementing laws, which may be particularly relevant in a big data context and in the transport sector.
The Directive imposes (online) security obligations on providers of two different types of services discussed hereunder: essential and digital services.
- Essential service: Article 5 of the NIS Directive defines an essential service as "a service essential for the maintenance of critical societal and/or economic activities depending on network & information systems, an incident to which would have significant disruptive effects on the service provision."
EU Member States had to identify the operators of essential services established on their territory by 9 November 2018. Annex II of the Directive lists the sectors concerned: energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure.
- Digital service: a digital service is defined as "any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services" and which can be qualified as one of the following: (i) an online marketplace; (ii) an online search engine; or (iii) a cloud computing service.
In contrast with the operators of essential services, which are identified by each EU Member State, digital service providers must self-assess whether they are caught by the rules of the NIS Directive, and in particular whether they fall within one of the three types of digital services listed above.
The fact that cloud computing services are targeted by the NIS Directive is particularly relevant in a big data context, especially in light of its broad definition; i.e. a digital service that enables access to a scalable and elastic pool of shareable computing resources. This being said, other stakeholders in the (big) data value chain, taking an active role in the provision of services (such as in the transport sector), may also be concerned by different concepts of the NIS Directive. It seems likely that the big data value chain will include operators of online market places (generally described as operators of platforms that act as an intermediary between buyers and sellers), online sites that redirect users to other services to conclude contracts or facilitate trade between parties, and sites that sell directly to consumers.
Finally, it should be noted that even if a particular actor in the data value chain does not qualify as a digital service provider or an operator of essential services, the NIS Directive obligations may still reach it indirectly: providers subject to the Directive typically pass their security and incident-reporting obligations on to their suppliers through contractual flow-down clauses.
Illustration in the transport sector: The application of the NIS Directive may lead to complex situations. An integrated urban mobility plan can illustrate the possible complexity, where for instance, the plan aims to meet the following three key objectives:
In order to fulfil the above objectives, many actors may come into play that could qualify as operators of essential services and digital service providers or that could be obliged to take into account the NIS Directive due to flow down obligations. Indeed, in such context, road authorities responsible for traffic management control and/or operators of Intelligent Transport Systems are likely to be involved. Similarly, cloud computing service providers will be relied on. Finally, ‘online market places’ could be involved and targeted by the NIS Directive rules in the context of the third objective.
Under the new rules of the NIS Directive and the national implementing legislations, the essential and digital service providers will have to (i) interact with new key actors; (ii) implement security measures; and (iii) notify security incidents.
With regard to the security measures, the NIS Directive sets out generic obligations, requiring operators of essential services and digital service providers to take appropriate and proportionate technical and organisational measures to manage the risks posed to the network and information systems which they use for the provision of their services, and to prevent and minimise the impact of incidents affecting the security of those systems. These measures must take into account the state of the art so as to ensure a level of security adequate to the risk. For digital service providers, Article 16 of the Directive further specifies the elements those measures must address: the security of systems and facilities, incident handling, business continuity management, monitoring, auditing and testing, and compliance with international standards.
More particularly, when examining the security aspects of Operators of Essential Services (OES) and Digital Service Providers (DSPs), it is worth considering the following:
Although the NIS Directive is a fundamental legal instrument laying down the core cyber-security obligations, clarification will be required at EU and national level in order to truly enhance cyber-security and resilience in the various concerned sectors. More particularly, as concluded in the context of the transport sector, but also applicable to others, "non-regulatory actions are and should be pursued to address cyber threats already today: information exchange, capabilities building, awareness raising and development of cyber skills. The transport sector should work together to lay down the foundations for a “cybersecurity culture". Furthermore, (better) cooperation between technical and operational levels will be needed, as well as between international partners and relevant international organisations.
Security requirements under other legislations
It is important to note that other legal instruments may impose security requirements as well. This is particularly true in the electronic communications sector, where several EU Directives, transposed into the national laws of the (currently) 28 Member States, provide for security obligations, for instance:
- The ePrivacy Directive: this Directive requires providers of electronic communications services to take appropriate technical and organisational measures to safeguard the security of their services, where necessary in conjunction with the provider of the public communications network.
- The Framework Directive: this complements the ePrivacy Directive by requiring providers of publicly available electronic communications networks and services to take appropriate measures to manage the risks posed to the security of the networks and services. The Directive also requires the providers to guarantee the integrity of their networks and the continuity of supply.
- The Radio Equipment Directive: pursuant to this Directive, radio equipment within certain categories or classes must incorporate safeguards to ensure that the personal data and privacy of users and subscribers are protected.
In addition to legal requirements on security, security standards indisputably have an important role to play in big data analytics, and are therefore also relevant to actors of the data value chain. Also, relying on standards and certification schemes facilitates demonstrating compliance with legal requirements, including security requirements.
By relying on existing schemes, such as the ISO/IEC 27000 series issued by the International Organization for Standardization ("ISO") and the International Electrotechnical Commission ("IEC"), big data service providers can demonstrate to the regulator and to their customers that their systems are adequate, or at least that security-related measures and processes have been implemented.
Furthermore, several standards development organisations have created, and are currently developing, big data-specific standards. It is essential for any big data service provider to follow these developments closely.

Despite the existence of guidance on the various security obligations and how to address them in practice, implementing security measures remains difficult in reality and requires further and continuous research. A good illustration of the difficulty of applying appropriate security measures is the so-called "adversarial image" (more generally, an adversarial example): a minor, deliberately calculated change to an input that manipulates the output of a machine learning algorithm. OpenAI illustrates this specific security issue with the well-known example from Goodfellow et al.'s paper "Explaining and Harnessing Adversarial Examples" (published via Cornell University's arXiv): "starting with an image of a panda, the attacker adds a small perturbation that has been calculated to make the image be recognized as a gibbon with high confidence". For a big data provider, the practical lesson is that a model which performs well on ordinary inputs is not thereby secure against inputs crafted by an adversary, so the risk assessment must cover the models themselves and not only the infrastructure around them.
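The panda/gibbon effect described above rests on a simple mechanism: a change too small to notice on any single pixel adds up, across thousands of pixels, to a large change in the model's score. The following Python example, added here and not taken from the article, from OpenAI or from Goodfellow et al., reproduces that mechanism on a constructed toy linear classifier rather than a real image network. The 64x64 "image", the weights, the bias margin and the class names are all assumptions; the perturbation step is the fast gradient sign method from the paper cited above, which for a linear model reduces to moving each pixel by a fixed amount in the direction of the sign of its weight.

```python
import random

DIM = 64 * 64        # constructed 64x64 greyscale "image", flattened to 4096 pixels
EPS = 2.0 / 255.0    # per-pixel budget: two intensity levels, imperceptible to a viewer


def make_weights(seed=1):
    """Weights of a toy linear classifier score(x) = w.x + b (constructed, not a real model)."""
    rng = random.Random(seed)
    return [rng.choice((-1.0, 1.0)) * rng.uniform(0.01, 0.03) for _ in range(DIM)]


def make_image(seed=2):
    """A constructed 'clean' image. Pixel values are kept inside [0.1, 0.9] so that the
    perturbation below never has to be clipped at the edge of the valid range."""
    rng = random.Random(seed)
    return [rng.uniform(0.1, 0.9) for _ in range(DIM)]


def score(w, b, x):
    """Linear decision score; positive means the 'gibbon' side of the boundary."""
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def label(s):
    # Toy class names chosen to mirror the panda/gibbon illustration in the text.
    return "gibbon" if s > 0 else "panda"


def fgsm(w, x, eps):
    """One fast gradient sign step that pushes the score upwards.

    For a linear model the gradient of the score with respect to the input is
    simply w, so each pixel moves by +eps or -eps according to the sign of its
    weight; the result is clipped back into the valid pixel range [0, 1].
    """
    return [min(1.0, max(0.0, xi + eps * (1.0 if wi > 0 else -1.0)))
            for wi, xi in zip(w, x)]


def demo(eps=EPS):
    """Classify a clean image, perturb it within the budget, classify it again."""
    w = make_weights()
    x = make_image()
    # Choose the bias so the clean image sits a clear margin (0.4) inside "panda".
    b = -score(w, 0.0, x) - 0.4
    x_adv = fgsm(w, x, eps)
    s_clean, s_adv = score(w, b, x), score(w, b, x_adv)
    return {
        "clean_score": s_clean,
        "adv_score": s_adv,
        "clean_label": label(s_clean),
        "adv_label": label(s_adv),
        "max_pixel_change": max(abs(a - c) for a, c in zip(x_adv, x)),
        "l1_weight": sum(abs(wi) for wi in w),
    }


if __name__ == "__main__":
    r = demo()
    print(f"clean image:       {r['clean_label']} (score {r['clean_score']:+.3f})")
    print(f"perturbed image:   {r['adv_label']} (score {r['adv_score']:+.3f})")
    print(f"largest pixel change: {r['max_pixel_change']:.4f} (budget {EPS:.4f})")
```

No pixel moves by more than 2/255, yet the score shifts by eps times the L1 norm of the weight vector, which over 4,096 pixels is enough to cross the decision boundary. With eps set to zero the image is of course still classified as "panda"; the point is how little budget the attacker needs. Real convolutional networks behave closely enough to linearly for the same step to transfer, which is why defending against such inputs is an open research problem rather than a configuration setting.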
Conclusion
The requirement to put in place security measures is imposed by various legislations at EU and national level, including key instruments like the GDPR and the NIS Directive. Such legislations however remain rather general and vague as to which specific measures are deemed appropriate. It follows that organisations in the data value chain are required to:
- make a risk assessment (evaluate, manage and document the risks);
- carefully assess the available security measures on the market;
- adequately reflect the security aspects in the various contracts between stakeholders; and
- continuously assess the adequacy of the implemented measures in light of the evolving risks and the available measures.
In order to do so, organisations generally need to rely on security experts and take into account the evolving guidance documents published by authorities such as ENISA. Relying on certification mechanisms, seals, marks and codes of conduct will also help companies both comply with their legal obligations in terms of security and demonstrate that compliance.
Despite the enormity of the task still to be undertaken in order to improve cyber-security across the EU, the various stakeholders are aware of the need to move forward, notably through non-regulatory actions and improved cooperation. The EU institutions have also recently agreed on new means to tackle the cyber-security challenges, notably through the political agreement reached on 11 December 2018 by the European Parliament, the Council and the European Commission on the so-called "Cybersecurity Act", which aims to reinforce the mandate of ENISA and establish an EU framework for cybersecurity certification.
This series of articles has been made possible by the LeMO Project (www.lemo-h2020.eu), of which Bird & Bird LLP is a partner. The LeMO project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement no. 770038.
This article on (cyber-)security has also been made possible by the THREAT-ARREST Project (www.threat-arrest.eu), of which Bird & Bird LLP is a partner. The THREAT-ARREST Project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement no. 786890.