A bit like London buses—you wait for ages and then two come along—two of the most significant pieces of European legislation ever affecting cyber liability have been announced by the European Commission in the last week.
Network and Information Security Directive
On 8th December, the European Commission announced agreement on a new Network and Information Security Directive. Under the new directive, businesses in member states with an important role for society and the economy, referred to in the directive as “operators of essential services”, will have to take appropriate security measures and notify serious incidents to the relevant national authority.
As the press release makes clear, the Directive will cover such operators in the following sectors:
- Energy: electricity, oil and gas
- Transport: air, rail, water and road
- Banking: credit institutions
- Financial market infrastructures: trading venues, central counterparties
- Health: healthcare providers
- Water: drinking water supply and distribution
- Digital infrastructure: internet exchange points (which enable interconnection between the internet’s individual networks), domain name system service providers, top level domain name registries
Member States will identify these operators on the basis of criteria, such as whether the service is essential for the maintenance of critical societal or economic activities.
Security and notification requirements for digital service providers
Important digital businesses, referred to in the Directive as “digital service providers” (DSPs), will also be required to take appropriate security measures and to notify incidents to the competent authority. The Directive will cover the following providers:
- Online marketplaces (which allow businesses to set up shops on the marketplace in order to make their products and services available online)
- Cloud computing services
- Search engines
In line with the objectives of the Digital Single Market strategy, the Directive aims to establish a harmonised set of requirements for digital service providers, so that they can expect similar rules wherever they operate in the EU.
That is a lot of businesses!
The obligation to notify comes with some real teeth. The Directive leaves it to each Member State to lay down penalties for non-compliance, but requires that those penalties be effective, proportionate and dissuasive.
The legislation will need to be approved by the European Parliament and, once adopted, Member States will have a transposition period, so it is likely to be phased in over the next two years.
Data Privacy Law Reform
Then, exactly a week later on 15th December, the European Commission announced agreement on the long-anticipated data privacy law reform.
The reform consists of two instruments:
- The General Data Protection Regulation will enable people to better control their personal data. At the same time modernised and unified rules will allow businesses to make the most of the opportunities of the Digital Single Market by cutting red tape and benefiting from reinforced consumer trust.
- The Data Protection Directive for the police and criminal justice sector will ensure that the data of victims, witnesses, and suspects of crimes, are duly protected in the context of a criminal investigation or a law enforcement action. At the same time more harmonised laws will also facilitate cross-border cooperation of police or prosecutors to combat crime and terrorism more effectively across Europe.
This is probably the most fundamental overhaul of data privacy at an EU level ever. The key changes for businesses are:
- A right to be informed if your data has been hacked. Companies will have to notify the national supervisory authority of serious personal data breaches without undue delay (and, where feasible, within 72 hours of becoming aware of them), so that users can take appropriate measures. No such general obligation currently exists in the EU. A similar obligation has existed in the US for some time, and it has forced very expensive remedial action on companies that suffered cyber-attacks in which the personal data of many thousands of individuals was compromised.
- A significant extension of data privacy obligations from companies that are data controllers to those that process data on their behalf. At the moment only the former are liable in damages for breaches in the EU; when the regulation comes into force, data processors will also be exposed to liability, jointly with controllers where both are involved in the same processing. This has very significant implications for the outsourcing agreements relating to the processing of data that are commonplace between businesses.
- Subject to an exemption for small and medium-sized enterprises, it will be mandatory for companies to appoint data protection officers with responsibility for ensuring compliance with the new legislation.
- Consumers will have the right to have their personal data corrected if inaccurate, and an expanded right to have irrelevant or outdated information removed. This “right to be forgotten” extends a concept enshrined in the EU’s existing privacy laws. Consumers will for the first time have the right to stop a firm using their data when they close an account.
- The age of consent for data processing is set at 16, but EU governments will be able to lower it to 13, which is the current limit for many US social media companies.
- A “one-stop shop” for data protection complaints will be introduced. This will allow people to complain to the supervisory authority in their home country rather than in the country where the firm’s EU headquarters is located, while businesses will deal with a single lead authority.
Penalties Add Teeth to the Regulation
Again, draconian penalties for serious breaches of the new regulation will be enforced. Fines of up to 4% of global annual turnover (or €20 million, whichever is higher) can be imposed on companies. The timetable for introduction of the new laws looks to be very similar to that for the Network and Information Security Directive: subject to approval from the European Parliament, the laws are likely to apply within the next two years.
These summaries do not really do justice to the implications of these new pieces of legislation for companies doing business in any of the 28 European Union Member States. Expect plenty more to be written about this in 2016-17.
The fact that legislative agreement has finally been reached on such a broad front, after such long and tortuous negotiations, is perhaps significant in itself. It demonstrates that many governments have really begun to take cyber threats seriously.
That challenge now needs to be taken up and addressed by businesses, to avoid not simply reputational and business interruption losses (bad enough though they are) but also very genuine and serious liability threats.