Next week we expect to find out if the Council of the EU will finally agree (“adopt a general approach”) on its version of the proposed General Data Protection Regulation (GDPR).  Progress with a “little brother” of the GDPR – namely the proposed Network and Information Security (NIS) Directive, tagged the Cybersecurity Directive – continues in parallel.  Before providing news next week on the GDPR, we thought that it would be useful to provide a quick update on NIS, especially as some of the issues with the GDPR – such as jurisdiction and supervision of companies – are also proving difficult in relation to NIS.

Recap

As we have explained previously, the Commission proposed the NIS Directive back in February 2013.  One of the main aims, in relation to the private sector, is to require companies in the energy, transport, financial services and health sectors, and possibly a range of online companies, to implement mandatory security measures and report significant security incidents to national authorities.  Broadly speaking, this would mirror existing obligations that apply to telecommunications providers.

Scope

The scope of the NIS Directive has been controversial from the outset.  Several Member States have expressed doubts about subjecting online companies – referred to at times as providers of information society services, digital services, internet enablers or other strained phrases – to the same obligations as operators of truly critical infrastructures.  The Parliament agreed to exclude internet enablers from scope in March last year (see our summary here), but Member States have continued to discuss this issue in Council meetings since then and have yet to reach agreement.

The Commission is becoming increasingly frustrated with the lack of progress on this issue in the Council.  The Commission recently suggested that, instead of leaving it up to Member States to decide which companies providing critical services are in scope of the Directive (which is one option under consideration), this could be addressed via delegated acts.  This essentially would allow the Commission to define the types of companies within scope at a later date without having to go through the usual legislative procedure.  This is not the first time that the Commission has made this suggestion.  It’s fair to say that it has not been universally well received.

Jurisdiction

Another challenge is how to determine which national regulator has jurisdiction over a company that operates across the Union.  Strangely, for a directive, the rules on both applicable law and allocating the jurisdiction of national regulators have been vague from the outset.  The Commission recently proposed possible solutions in a “working document”, based on (a) where companies are “established” (which may mean “headquartered”), (b) where their network and information systems are physically located, or (c) where they provide core services to customers.  The Commission favours the “country of origin principle” and a combination of (a) and (b).  The document seems in places to borrow from existing ideas in the Data Protection Directive 95/46/EC (DPD), e.g., requiring companies to appoint a representative if they are not established in the Union.  This may not bode well given that the rules under the DPD are complicated and the jurisprudence on jurisdiction is still being formed 20 years after the DPD was adopted (see Google, the CJEU and the Long Arm of European Data Protection Law).

More welcome are reports from the UK that, regardless of the rules on jurisdiction, there is broad agreement that Member States may use existing sector-specific competent authorities to work directly with companies that are in scope, and then nominate a single point of contact for cross-border communications (see update from Rachael Bishop, policy officer at the Department for Business, Innovation and Skills).  It is our understanding that this has always been the intention, even if it has not been made very clear in the original proposal.

Next steps

The Italian Presidency of the Council hoped to reach a conclusion by the end of 2014, but was unsuccessful.  The Latvian Presidency similarly has pushed hard these past six months, but NIS was not on the agenda for today’s Council meeting and it looks like time is running out.  Although further talks may take place later this month (possibly on 22 or 29 June), Brussels media report that it is unlikely an agreement will be reached on NIS before the Presidency of Luxembourg starts on 1 July.

Some interesting ways of breaking the gridlock are being suggested, so we’ll continue to monitor and report developments in the coming weeks and months.  And, who knows, perhaps NIS will still beat the GDPR when it comes to which legislation is adopted first!

Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
    • preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.