It has been an eventful week in the European Parliament in relation to data privacy and security matters.  Having already voted in favor of the General Data Protection Regulation (“GDPR”) and endorsed a controversial report into allegations of mass surveillance, the European Parliament voted yesterday on the proposed Network and Information Security (“NIS”) Directive.  In line with previous committee reports, the Parliament vote ensures that the Proposed Network and Information Security Directive focuses on protecting critical infrastructure in the energy, transport, financial services and health sectors. 

The EU legislative bodies will now enter into negotiations to agree a final text.  Commissioner Kroes called earlier this week for this work to be completed this year, but this timeframe seems ambitious.

Recap on the Proposed NIS Directive

The Commission proposed the NIS Directive in February 2013.  In addition to provisions aimed at Member State governments (e.g., to improve cyber security capabilities and cooperation to prevent and respond to cyber-attacks), the Directive targets private companies in the energy, transport, financial services and health sectors.  The Commission draft also applied to “enablers of key internet services”, such as providers of cloud computing services, app stores, e-commerce platforms, internet payment gateways, search engines and social networks.   

The two main requirements on private sector companies under the Directive are (i) to implement security measures to “guarantee a level of security appropriate to the risk presented . . . having regard to the state of the art”, and (ii) to notify competent national authorities of any security incident that has a significant impact on the continuity of core services they provide.  The basic idea is to extend EU-level security and incident reporting requirements, which currently only apply to communication network and service providers, to a broad universe of private sector companies. 

Scope 

Including “enablers of key internet services” within the scope of the Directive has been controversial.  One view, which rapporteur Andreas Schwab (IMCO) expressed in his report, is that the security and reporting requirements should be “limited to infrastructures that are critical in a stricter sense”.  The Parliament yesterday agreed that these requirements should only be imposed on companies in the energy, transport, financial services and health sectors, and that “internet enablers” should be excluded.  This is consistent with the view of several Member States that such companies should not be covered by the proposal (see the Council’s Progress Report of 22 November 2013).  The Parliament also has removed public administrations from scope.      

The Parliament agreed with the Commission’s original proposal that software developers and hardware manufacturers should be excluded from the scope of the Directive.

Overlap with the General Data Protection Regulation – and who to notify… 

One of the concerns that has been raised in relation to the Directive is the overlap with the proposed General Data Protection Regulation, specifically regarding whether it creates double reporting requirements (in relation to security incidents and personal data breaches).  More work will need to be done to clarify how this is to work in practice. 

Several other issues (such as applicable national law) still need to be resolved in relation to the NIS Directive, but one of the more significant challenges will be deciding which regulators should supervise private sector companies and receive reports of incidents.  As we know from the GDPR debate, determining which national regulators have scope to act and how they should cooperate is a thorny issue, which is arguably even more complicated in relation to the NIS Directive as energy, transport, financial services and health companies are already supervised by sector-specific national regulators.  The Parliament has made some progress in this area by proposing to amend the Directive to require each Member State to appoint one single point of contact, but it remains to be seen whether this plan will survive negotiations with the Council.

Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
    • preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.