|June 24, 2013|
Previously published on June 20, 2013
We gave a progress report earlier this week in our Alert on the European Commission's plans for wide-ranging changes to data protection laws. It is worth remembering that the European Commission is also considering additional new laws to try and deal with the growing threats to cybersecurity that may add to the regulatory burden of those doing business in Europe.
The number and severity of cyber-attacks are on the rise. We know from Duane Morris lawyers in Europe, Asia and the United States that corporations, large and small, are increasingly a target of sophisticated attempts to steal their data and compromise their systems.
The European Commission published a proposal for a Directive on Network and Information Security on 7 February 2013. This was accompanied by a cybersecurity strategy (or "Communication"), which contains non-legislative measures on a broad range of issues.
The European Commission feels that whilst some countries are taking effective measures to combat cyberthreats, others are not. The European Commission wants them to raise their game and proposes to deal with that by introducing a new European Directive. The way in which the Directive system works is that the European Commission would introduce a model law and give each country in the European Union a set time by which they would have to introduce that law.
The second part of the proposals would be directed toward businesses. The new Directive would introduce security breach reporting requirements for a broad range of sectors, including public administration, the finance, energy, transport and health sectors, as well as to "providers of Internet society services," which include app stores; cloud service providers; social networks; and e-payment providers. These proposals would mandate a report to the National Competent Authority (to be set up under the first part of the Directive by each country in the EU), but with no threshold detailed in the Directive. This would operate in a similar way to the breach reporting requirement that exists in another new European Directive for telecommunications companies. It would also be similar to the European Commission's proposals in the new data protection Regulation. The National Competent Authority could then make the report public without the reporter's consent, share details with other EU authorities or take other measures.
The European Commission estimates that its proposals would affect some 42,000 businesses. The European Council published a progress report on 28 May, however, which questioned some aspects of the European Commission's impact assessment. The interim report said:
"Most Member States also raised the issue of the perceived significant costs involved in the implementation of the Directive and regretted that [it] fails to sufficiently assess the possible benefits. At a more fundamental level, Member States requested further justification from the Commission why a legislative, rather than a voluntary approach, would be the preferred option to tackle the uneven level of security capabilities across the EU and the insufficient sharing of information on incidents, risks and threats, which the Commission perceives as being the root causes of the situation."
The European Data Protection Supervisor (EDPS) Peter Hustinx also expressed some reservations in a paper he published on 17 June 2013. He stressed the significance of cooperation with other countries, notably the United States. He also expressed concern at the potential overlap and conflict with the proposed Data Protection Regulation.
As with other European proposals, it is challenging to predict a time frame for these new laws to come into effect. Not every EU member state has announced its formal position. The negotiation process for the Directive could take another 12 to 18 months, with a further period of around the same length for implementation. These proposals may also be delayed whilst the European Commission gives priority to its wide-ranging data reforms. Legislation could therefore be expected around 2016 at the earliest.
It is, however, important to note that existing laws across Europe already have obligations to keep personal data secure. Some countries (including Germany and Austria) have general data breach reporting obligations. Others use existing obligations in data protection legislation to enforce good cybersecurity practice. For example, in the UK, recent enforcement action has included:
- A £150,000 fine for Glasgow City Council after two laptops were stolen.
- Enforcement action against an Armagh-based medical practice after a hack led to the compromise of 175 patients' email addresses.
- A £250,000 fine to Sony Computer Entertainment Europe Limited after the hack of its PlayStation Network Platform in what the regulator called "a determined criminal attack."
The UK Government is currently seeking comment on the proposals. The UK Government's call for evidence is here: https://www.gov.uk/government/consultations/eu-directive-on-network-and-information-security-call-for-evidence.
The European Commission's proposals are here: http://ec.europa.eu/digital-agenda/en/news/eu-cybersecurity-plan-protect-open-internet-and-online-freedom-and-opportunity-cyber-security.
The EDPS opinion is here: http://europa.eu/rapid/press-release-EDPS-13-6-en.htm?locale=en.