Archive for the ‘Legislative reform’ Category

Will the new EU General Data Protection Regulation prevent forum shopping?

Posted on May 12th, 2015
It’s a common criticism of the current EU Data Protection Directive that its provisions determining applicable law invite forum shopping – i.e. encourage businesses to establish themselves in the Member State perceived as being the most “friendly”.  In fact, while there is some truth to this belief, its effect is often overstated.  Typically, businesses choose which country to set up shop in based on a number of factors – size of the local market, access to talent and infrastructure, local labor laws and (normally the overwhelming consideration) the local tax regime.  We privacy pros like to consider data protection the determining factor but, at least in my experience, that’s hardly ever the case.

Nevertheless, it’s easy to understand why many worry about forum shopping.  Under the Directive, a business that has a data controlling “establishment” in one Member State is subject only to the national data protection laws of that Member State, to the exclusion of all other Member States.  So, for example, if I have a data controlling establishment in the UK, then the Directive says I’m subject only to UK data protection law, even when I collect data from individuals in France, Germany, Spain and so on.  A rule that works this way naturally lends itself to a concern that it might encourage a “race to the bottom”, with ill-intentioned businesses scampering to set up shop in “weak” data protection regimes where they face little to no risk of penalty – even if that concern is overstated in practice.

But a concern it is, nevertheless, and one that the new General Data Protection Regulation aims to resolve – most notably by applying a single, uniform set of rules throughout the EU.  However, the issue still arises as to which regulatory authorities should have jurisdiction over pan-EU businesses and this point has generated much excited debate among legislators looking to reach agreement on the so-called “one stop shop” mechanism under the Regulation.

This mechanism, which began life as a concept intended to provide greater regulatory certainty to businesses by providing them with a single “lead” authority to which they would be answerable, has slowly been whittled away to something scarcely recognizable.  For example, under the most recent proposals by the Council of the European Union, the concept of a lead protection authority remains but there are highly complicated rules for determining when other “concerned” data protection authorities may instead exercise jurisdiction or challenge the lead authority’s decision-making.

All of which raises the question: will the General Data Protection Regulation prevent forum shopping?  In my view, no, and here’s why:

  • Businesses don’t choose their homes based on data protection alone.  As already noted, businesses determine the Member States in which they will establish based on a number of factors, king of all being tax.  The General Data Protection Regulation will not alter this.  Countries, like Ireland or the UK, that are perceived as attractive on those other factors today will remain just as attractive once the new Regulation comes into effect.
  • While you can legislate the rules, you can’t legislate the culture. Anyone who practices data protection in the EU knows that the cultural and regulatory attitudes towards privacy vary enormously from Member State to Member State.  Even once the new Regulation comes in, bringing legislative uniformity throughout the EU with it, those cultural and regulatory differences will persist.  Countries whose regulators are perceived as being more open to relationship-building and “slow to temper” will remain just as attractive to businesses under the Regulation as they are under the Directive.
  • The penalties under the General Data Protection Regulation will incentivize forum shopping. It has been widely reported that the General Data Protection Regulation carries some pretty humungous fines for non-compliance – up to 5% of worldwide turnover.  In the face of that kind of risk, data protection takes on an entirely new level of significance and attracts serious Board level attention.  The inevitable behavioral consequence of this is that it will actively incentivize businesses to look for lower risk countries – on any grounds they can (local regulatory culture, resourcing of the local regulator and so on).
  • Mature businesses won’t restructure. The Regulation is unlikely to have an effect on the corporate structure of mature businesses, including the existing Internet giants, who have long since already established an EU controller in a particular Member State.  To the extent that historic corporate structuring decisions can be said to have been based on data protection forum shopping grounds, the General Data Protection Regulation won’t undo the effects of those decisions.  And new businesses moving into Europe always look to their longer-standing peers as a model for how they, too, should establish – meaning that those historic decisions will likely still have a distorting effect going forward.

The Digital Single Market: Has Europe bitten off more than it can chew?

Posted on May 8th, 2015
You may have read a lot of chatter about the European Commission’s Digital Single Market (DSM) over the last two days. The reaction in the blogosphere has already been a mix of optimism, hope, consternation, cynicism… and general Brussels fatigue.

What is the DSM?

In a nutshell, it is a strategy that seeks to create a true ‘single market’ within the EU – that is, a market where there is total free movement of goods, persons, services and capital; where individuals and businesses can seamlessly and fairly access online services, regardless of where in the EU they are situated.

Theoretically, EU citizens will finally be able to use their mobile phones across Europe without roaming charges, and access the same music, movies and sports events online at the same price wherever they are.

Whatever the public reaction, there is no doubt that the DSM is a highly ambitious strategy. It sets out wide legislative initiatives across a vast range of issues: from copyright, e-commerce, geo-blocking, competition, cross-border shipment, data protection, to telecoms regulation.

Much has already been written about these proposals and the Fieldfisher team has written this great summary of all the legislative proposals.

For the readers of this blog, we’d like to focus only on those proposals that relate to privacy and data protection.

Privacy & Data Protection issues

In our view, data issues lie at the heart of these reforms and there are 4 key initiatives that impact directly on these rights:

1. Review of data collection practices by online platforms

As part of the DSM, the Commission is proposing a “comprehensive analysis” of online platforms in general, including anything from search engines, social media sites, e-commerce platforms, app stores and price comparison sites.

One of the concerns of the Commission is that online platforms generate, accumulate and control an enormous amount of data about their customers and use algorithms to turn this into usable information. One study it looked at, for example, concluded that 12% of search engine results were personalized, mainly by geo-location, prior search history, or by whether the user was logged in or out of the site.

The Commission found that there was a worrying lack of awareness by consumers about the data collection practices of online platforms: they did not know what data about their online activities was being collected and how it was being used. In the Commission’s view, this not only interfered with the consumers’ fundamental rights to privacy and data protection, it also resulted in an asymmetry between market actors.

As platforms can exercise significant influence over how various players in the market are remunerated, the Commission has decided to gather “comprehensive evidence” about how online platforms use the information they acquire, how transparent they are about these practices and whether they seek to promote their own services to the disadvantage of competitors. Proposals for reform will then follow.

2. Review of the e-Privacy Directive

The e-Privacy Directive is currently a key piece of privacy legislation within the EU – governing the rules for cookie compliance, location data and electronic marketing amongst other things.

Not a huge amount has been said about this review in the DSM documents. All that we know at this stage is that the Commission plans to review the e-Privacy Directive after the adoption of the General Data Protection Regulation, with a focus on “ensuring a high level of protection for data subjects and a level playing field for all market players”. For instance, the Commission has said that it will review the e-Privacy Directive to ensure “coherence” with the new data protection provisions, and consider whether it should apply to a much wider set of service providers. It further says that the rules relating to online tracking and geo-location will be re-evaluated “in light of the constant evolution of technology” (Staff Working Document, p. 47).

3. Cloud computing and big data reforms

Cloud computing and big data services haven’t escaped the grasp of the Commission either. The Commission sees these types of services as central to the EU’s competitiveness. European companies are lagging significantly behind in their adoption and development of cloud computing and big data analytics services.

In its report, the Commission has diagnosed a number of key reasons for this lag:

  • EU businesses and consumers still do not feel confident enough to adopt cross-border cloud services for storing or processing data because of concerns relating to security, compliance with privacy rights, and data protection more generally.
  • Contracts with cloud providers often make it difficult to terminate or unsubscribe from the contract and to port their data to a different cloud provider.
  • Data localization requirements within Member States create barriers to cross-border data transfers, limiting competitive choice between providers and raising costs by forcing businesses to store data on servers physically located inside a particular country.

The Commission is therefore proposing to remove what it sees as a series of “technical and legislative barriers” – such as rules restricting the cross-border storage of data within the EU, the fragmented rules relating to copyright, the lack of clarity over the rights to use data, the lack of open and interoperable systems, and the difficulty of data portability between services.

4. Step up of cyber-security reforms

Cyber threats have led to significant economic losses, huge disruptions in services, violations of citizens’ fundamental rights and a breakdown in public trust in online activities. The Commission proposes to step up its efforts to reduce cybersecurity threats by requiring a more “joined up” approach by the EU industry to stimulate take up of more secure solutions by enterprises, public authorities and citizens. In addition, it seeks a “more effective law enforcement response” to online criminal activity.

Too ambitious…? 

The above is just the tip of the iceberg of the reforms that are being proposed. Outside of privacy and data protection issues, the DSM Strategy includes initiatives such as harmonizing copyright laws, extending media regulation to all online platforms, and prohibiting unjustified geo-blocking.

As with all ambitious reforms of this kind in the EU, there will be vocal critics on both sides, and a huge degree of political scrutiny. The timetable for completion is either the end of 2015 or the end of 2016 but, no doubt, it will be years before any legislation is actually signed off and transposed into national law.

In an industry which changes at such a rapid speed – week after week, month after month – the real danger of EU reform is that such legislation can already be conceptually outdated by the time it is brought into force and a whole new set of problems may, by then, have emerged.

But whatever the eventual outcome of these legislative initiatives, it is clear that there is an important, wider debate to be had about the global digital market: Why is the rest of the world so behind the US? What is the secret to the US’ success and dominance? Do these proposals really go to the heart of the problem? Such questions merit a post, if not a treatise, of their own. We should perhaps show some admiration towards the European Commission for trying to tackle these deep and knotty issues head on.

Finally, some certainty around Europe’s Single Digital Market Strategy

Posted on May 7th, 2015
If you haven’t already spotted it among the leaks, tweets and general pre-announcement noise, today the EU released its Digital Single Market Strategy. In an orchestrated tweet-fest the clunky machine of the EU ventured online, endlessly pronouncing “let’s go digital with European #DigitalSingleMarket thndr.it/1NqDGe4”. All the fanfare and hype was for a new Strategy, “A Digital Single Market for Europe”.

The backdrop: a fear that Europe is falling behind, a slow awakening to the inevitable truth – the Internet and digital technologies are transforming our world. Dealing with such technologies across 28 different Member States is at best extremely complex and frequently simply impossible. And yes, perhaps sometimes, the humble consumer is overwhelmed and exploited in order to deliver online gains for others.

There is a detailed commentary and explanation on our sister tech blog here.

However, readers should be aware that there are the following three privacy-related legislative initiatives:

  1. A review of the e-Privacy Directive (2002/58/EC)(by the end of 2016);
  2. The establishment of a cyber-security contractual public-privacy partnership (by the end of 2016); and
  3. Initiatives on data ownership, free flow of data (e.g. between cloud providers) and on a European cloud (by the end of 2016).

We’ll soon be reporting on the consequences and the interplay with the plans for the new General Data Protection Regulation.

What about timing?

The Single Digital Market Strategy promises: “The Digital Single Market project team will deliver on these different actions by the end of 2016. With the backing of the European Parliament and the Council, the Digital Single Market should be completed as soon as possible.” This will first be aired by the European Council in meetings on the 25th June 2015.

At the fore is a desire to champion and protect the consumer. As with the General Data Protection Regulation, perhaps underneath all this the US, Silicon Valley and the general success of its internet and online platforms in the EU markets are in the firing line. We all know these privacy law reform proposals have struggled to emerge and, even today, remain some way from agreement and becoming law. The constant leaking and previewing is over – will they now be able to deliver and advance any of these promises?

Perhaps the only certainty: this digital overhaul is likely to play out at analogue speed.

Mark Webber – Fieldfisher Silicon Valley Office

Mark.webber@fieldfisher.com
@digitechlaw for more and for updates


The EU General Data Protection Regulation is on its way…but when?

Posted on April 17th, 2015
As a privacy lawyer based in Brussels, I often get asked when the General Data Protection Regulation (the “GDPR”) will be adopted. People often look surprised or shocked when I tell them that it could take at least another year. Recently, there have been several announcements stating that the GDPR could be adopted before the end of 2015. While possible, this seems very unlikely due to the complex and lengthy legislative procedure of the European Union. Here’s an overview of how it all works…

The law-making procedure in Europe is enshrined in the founding treaties of the European Union, the Treaty on European Union and the Treaty on the Functioning of the European Union, which were updated by the Lisbon Treaty on 1st December 2009. Essentially, there are three institutions involved in the EU’s legislative procedure, whose powers and responsibilities are defined under the EU treaties:

the European Commission (the “Commission”): which represents the interests of the Union as a whole.

the European Parliament (the “Parliament”): which represents the EU’s citizens and is directly elected by them.

the Council of Ministers of the European Union (the “Council”): which represents the governments of the 28 EU Member States. The Presidency of the Council is shared by the Member States on a rotating basis every six months. Currently, the EU presidency is held by Latvia until June 30th and will then be passed on to Luxembourg.

Together, these three institutions produce through the “Ordinary Legislative Procedure” the policies and laws that apply throughout the EU. The main steps of the Ordinary Legislative Procedure are described below.

Step 1: Commission’s initial proposal

The Commission submits its legislative proposal simultaneously to the Parliament and the Council. The Commission did so with its proposal for a GDPR on 25th January 2012.

Step 2: 1st reading in the Parliament

The President of the Parliament refers the proposal to a parliamentary committee (in this case, the Civil Liberties, Justice and Home Affairs committee, more commonly referred to as “LIBE committee”), which appoints a rapporteur (Jan Philipp Albrecht from the Group of the Greens/European Free Alliance party) who is responsible for drawing up a draft report containing amendments to the proposed text. The committee votes on this report and any amendments to it tabled by other members. This is usually the moment when all the lobbying in Brussels takes place, which as we know was immensely important for this text (more than 4,000 proposed amendments!). The Parliament then discusses and votes on the legislative proposal in its plenary session on the basis of the committee report and amendments. The result is the Parliament’s position, which in the case of the GDPR was adopted on 12th March 2014. The Parliament’s 1st reading position is then forwarded to the Council.

Step 3: 1st reading in the Council

The Council can begin preparatory work in parallel with the 1st reading in Parliament, but it may only formally conduct its 1st reading based on the Parliament’s position. The Council can either accept the Parliament’s position, in which case the legislative act is adopted; or, where the Council does not adopt all the Parliament’s amendments or wants to introduce its own changes, it adopts a 1st reading position, which is sent to Parliament for a 2nd reading. This is currently where we stand with the GDPR. The Council is expected to adopt its amendments any time soon. However, it is worth noting that there is no time limit for the Council’s 1st reading, which explains why this can take a long time, particularly when the EU Member States disagree amongst themselves on some of the proposals (as is the case with the so-called “one-stop-shop” rule). The Commission may also decide at any time during the 1st reading to withdraw or alter its proposal, although this seems unlikely given the attention that the GDPR has drawn in Europe and abroad.

Step 4: 2nd reading in the Parliament

Upon receipt of the Council’s 1st reading position, the Parliament has three months (with a possible extension to four) to examine the Council’s position. The Council’s position goes first to the responsible committee (LIBE committee), which prepares a recommendation for the Parliament’s 2nd reading. In this case, the text to be amended is the Council’s 1st reading position rather than the Commission’s initial proposal.

The outcome of the 2nd reading can be that the Parliament:

– rejects the Council’s 1st reading position. This puts an end to the legislative procedure, which can only be re-launched if the Commission makes a new proposal. However, this has only happened once, in July 2005, on the software patents directive.

– fails to vote within the time limit and in that case, the text is deemed to have been adopted in accordance with the Council’s 1st reading position.

– approves the Council’s 1st reading position without any amendments.

– proposes amendments to the Council’s 1st reading position.

In principle, 2nd reading amendments in Parliament are admissible only if they seek to (a) wholly or partly restore the Parliament’s 1st reading position; (b) reach a compromise between the Parliament and the Council; (c) amend part of the Council’s text that was not included in, or differs in content from, the Commission’s original proposal; or (d) take account of a new fact or legal situation that has arisen since the 1st reading. However, if European parliamentary elections have taken place since the 1st reading – which is the case here – the President may decide that the restrictions do not apply. In theory, this broadens the scope of amendments that the Parliament could make on the Council’s 1st reading of the GDPR.

Law-making behind the scenes

The EU treaties provide for a 2nd reading in the Parliament and Council and, where both institutions fail to agree on a common position, a Conciliation Committee (composed of an equal number of MEPs and Council representatives) is convened with a view to reaching an agreement on a joint text that is finally adopted in a 3rd reading in Parliament.

In recent years, however, the number of laws that have made it all the way to the Conciliation Committee has dropped significantly; on the contrary, approximately 80% of laws are now agreed after the first reading. In fact, most of the law-making now takes place behind the scenes. The so-called “trilogues” are not mentioned anywhere in the EU treaties, but are specifically designed to speed up the legislative procedure.

The way it works is that when the co-legislators are aiming for a 1st reading agreement they will then organise informal meetings that are held behind closed doors and are attended by representatives of the Parliament (rapporteur and, where appropriate, shadow rapporteurs), the Council (chair of the working party and/or Coreper), and the Commission (department responsible for the dossier and the Commission’s Secretariat-General). This is aimed at ensuring that the Parliament’s amendments adopted in plenary are acceptable to the Council. The Commission typically plays the role of a mediator or facilitator in respect of these compromise texts. However, due to its permanent staff of highly-qualified officials, the Commission is better equipped in terms of resources and expertise than the two other institutions to impose its view during these negotiations.

In conclusion, things will certainly accelerate once the Council adopts its 1st reading position, which is expected at some point this year following the Justice and Home Affairs Council on 15-16 June. The question remains whether the Council and Parliament will succeed in reaching a common position during the trilogues, in which case a swift adoption of the GDPR in 2016 (or possibly even the end of 2015) seems possible. Otherwise, the adoption of this text could be pushed to the end of 2016 or 2017 if the legislative procedure continues all the way to the Conciliation Committee, which isn’t completely unfounded given the strong divergences around this text. Only time will tell…

This article was first published in the IAPP’s Privacy Tracker.

US and European moves to foster pro-active cybersecurity threat collaboration

Posted on March 12th, 2015
In this blog we report a little further on the proposals to share cybersecurity threat information within the United States. We also draw analogies with a similar initiative under the EU Cybersecurity Directive aimed at boosting security protections for critical infrastructure and enhancing information sharing around incidents that may impact that infrastructure within the EU.

Both of these mechanisms reflect a fully-formed ambition to see greater cybersecurity across the private sector. Whilst the approaches taken vary, both the EU and US wish to drive similar outcomes. Actors in the market are being asked to “up” their game. Cyber-crimes and cyber-threats are impacting companies financially, operationally and, at times, are having a detrimental impact on individuals and their privacy.

Sharing of cyber-threat information in the US

Last month we reported on Obama’s privacy proposals which included plans to enhance cybersecurity protection. These plans included requests to increase the budget available for detection and prevention mechanisms as well as for cybersecurity funding for the Pentagon. They also outlined plans for the creation of a single, central cybersecurity agency: the US government is establishing a new central agency, modelled on the National Counterterrorism Centre, to combat the threat from cyber attacks.

On February 12th 2015, President Obama signed a new Executive Order to encourage and promote sharing of cybersecurity threat information within the private sector and between the private sector and government.  In a Whitehouse Statement they emphasised that “[r]apid information sharing is an essential element of effective cybersecurity, because it enables U.S. companies to work together to respond to threats, rather than operating alone”.  The rhetoric is that, in sharing information about “risks”, all actors in the United States will be better protected and prepared to react.

This Executive Order therefore encourages more private sector, and more private sector and government, cybersecurity collaboration.  The Executive Order:

  • Encourages the development of Information Sharing Organizations: with the development of information sharing and analysis organizations (ISAOs) to serve as focal points for sharing;
  • Proposes the development of a common set of voluntary standards for information sharing organizations: with Department of Homeland Security being asked to fund the creation of a non-profit organization to develop a common set of voluntary standards for ISAOs;
  • Clarifies the Department of Homeland Security’s authority to enter into agreements with information sharing organizations: the Executive Order also increases collaboration between ISAOs and the federal government by streamlining the mechanism for the National Cybersecurity and Communications Integration Center (NCCIC) to enter into information sharing agreements with ISAOs. It goes on to propose streamlining private sector companies’ ability to access classified cybersecurity threat information.

All in, Obama’s plan is to streamline private sector companies’ ability to access cybersecurity threat information. These plans were generally well-received as a step towards collective responsibility and security, though some have voiced concern that there is scant mention of liability protection for businesses that share threat information with an ISAO. Commentators have pointed out that it is this fear of liability which is a major barrier to effective threat sharing.

Past US initiatives around improving cybersecurity infrastructure

This latest Executive Order promoting private sector information sharing came one year after the launch of another US-centric development. In February 2014, the National Institute of Standards and Technology (NIST) released a Framework for Improving Critical Infrastructure Cybersecurity pursuant to another Executive Order of President Obama’s issued back in February 2013.

This Cybersecurity Framework contains a list of recommended practices for those with “critical infrastructures”.   The Cybersecurity Framework’s executive summary explains that “[t]he national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk.”

Obama’s 2013 Executive Order had called for the “development of a voluntary risk-based Cybersecurity Framework” being a set of industry standards and best practices to help organisations manage cybersecurity risks.  The resulting technology neutral Cybersecurity Framework was the result of interaction between the private sector and Government institutions. For now the use of the Cybersecurity Framework is voluntary and it relies on a variety of existing standards, guidelines, and practices to enable critical infrastructure providers to achieve resilience. “Building from those standards, guidelines, and practices, the [Cybersecurity] Framework provides a common taxonomy and mechanism for organizations to:

  • Describe their current cybersecurity posture;
  • Describe their target state for cybersecurity;
  • Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  • Assess progress toward the target state;
  • Communicate among internal and external stakeholders about cybersecurity risk.”

The Cybersecurity Framework was designed to complement, and not to replace, an organisation’s existing risk management process and cybersecurity program. There is recognition that it cannot be a one-size-fits-all solution and different organisations will have their own unique risks which may require additional considerations.

The Cybersecurity Framework states that it could be used as a model for organisations outside of the United States. Yet even in the US there are open questions about how many are actually adopting and following it.

Similarities between US and European cybersecurity proposals

It is natural to draw analogies between the US initiatives in relation to cybersecurity and information sharing and the more recent proposals in the draft EU Cybersecurity Directive, which the team reported on in more detail in a recent blog. Both initiatives intend to drive behavioural change. But, as you may expect, the EU wants to introduce formal rules and consequences while the US remains focussed on building good cyber-citizens through awareness and information sharing.

The proposed Cybersecurity Directive would impose minimum obligations on “market operators” and “public administrations” to harmonise and strengthen cybersecurity across the European Union. Market operators would include energy suppliers, e-commerce platforms and application stores. The headline provision for businesses and organisations is the mandatory obligation to report security incidents to a national competent authority (“NCA”). The NCA is analogous to the ISAO information sharing body concept being developed in the US.  In contrast to the US Framework, the EU’s own cybersecurity initiatives are now delayed (with a likely date for mere agreement of the rules of summer 2015 and implementation not likely until 2018) and somewhat diluted compared to the originally announced plans.

Both the US and EU cybersecurity initiatives aim to ensure that governments and private sector bodies involved in the provision of certain critical infrastructure take appropriate steps to deal with cybersecurity threats. Both encourage these actors to share information about cyber threats. Both facilitate a pro-active approach to cyber-risk. Whilst the US approach is more about self-regulation within defined frameworks, the EU is going further and mandating compliance – that’s a seismic shift.

In the EU we await to see the final extent of the “critical infrastructure providers” definition and whether or not “key internet enablers” will be caught within the rules or whether the more recent and narrower definition will prevail. Interplay with data breach notification rules within the upcoming General Data Protection Regulation is also of interest.

Impact

Undoubtedly cyber-risk can hit a corporation’s bottom line. Keeping up with the pace of change and the multitude of risks can be a real challenge for even the most agile of businesses. Taking adequate steps in this area is a continuous and often fast-moving process. Only time will tell whether the information sharing and interactions on which these US and EU proposals are predicated will be frequent enough and fast enough to make any real difference. Cyber-readiness remains at the fore: the first organisation to be hit by a new threat still needs an adequate line of defence of its own, since shared intelligence only helps those hit afterwards. The end game remains the same: take appropriate technical and organisational measures to secure your networks and data.

Of course cyber-space does not respect or recognise borders. How national states co-operate and share cybersecurity threat information beyond the borders of the EU is a whole other story. What is certain is that as the cyber-threat response steps up, undoubtedly so too will the hackers and cyber-criminals. The EU’s challenge is to foster a uniform approach for more effective cybersecurity across all 28 Member States. The US also wants to improve its ability to identify and respond to cyber incidents. The US and EU understand that economic prosperity and national security depend on a collective responsibility to secure.

Those operating within the EU and beyond will in future have to adjust to operating (and, where required, complying) effectively across each of the emerging cybersecurity regimes.

Mark Webber, Partner, Palo Alto, CA – mark.webber@fieldfisher.com

Progress update on the draft EU Cybersecurity Directive

Posted on February 27th, 2015 by



In a blog earlier this year we commented on the status of the European Union (“EU”) Cybersecurity Strategy. Given that the Strategy’s flagship piece of legislation, the draft EU Cybersecurity Directive, was not adopted within the proposed institutional timeline of December 2014 and the growing concerns held by EU citizens about cybercrime, it seems that an update on EU legislative cybersecurity developments is somewhat overdue.

Background

As more of our lives are lived in a connected, digital world, the need for enhanced cybersecurity is evident. The cost of recent high-profile data breaches in the US involving Sony Pictures, JPMorgan Chase and Home Depot ran into hundreds of millions of dollars. A terrorist attack on critical infrastructure such as telecommunications or power supplies would be devastating. Some EU Member States have taken measures to improve cybersecurity, but there is wide variation across the 28-country bloc and little sharing of expertise.

These factors gave rise to the European Commission’s (the “Commission”) publication in February 2013 of a proposed Directive 2013/0027 concerning measures to ensure a high common level of network and information security across the Union (the “proposed Directive”). The proposed Directive would impose minimum obligations on “market operators” and “public administrations” to harmonise and strengthen cybersecurity across the EU. Market operators would include energy suppliers, e-commerce platforms and application stores. The headline provision for business and organisations is the mandatory obligation to report security incidents to a national competent authority (“NCA”).

Where do things stand in the EU institutions on the proposed Directive?

On 13 March 2014 the European Parliament (the “Parliament”) adopted its report on the proposed Directive. It made a number of amendments to the Commission’s original text including:

  • the removal of “public administrations” and “internet enablers” (e.g. e-commerce platforms or application stores) from the scope of key compliance obligations;
  • the exclusion of software developers and hardware manufacturers;
  • the inclusion of a number of parameters to be considered by market operators to determine the significance of incidents and thus whether they must be reported to the NCA;
  • the enabling of Member States to designate more than one NCA;
  • the expansion of the concept of “damage” to include non-intentional force majeure damage;
  • the expansion of the list of critical infrastructure to include, for example, freight auxiliary services; and
  • the reduction of the burden on market operators including that they would be given the right to be heard or anonymised before any public disclosure and sanctions would only apply if they intentionally failed to comply or were grossly negligent.

In May-October 2014 the Council of the European Union (the “Council”) debated the proposed Directive at a series of meetings. It was broadly in favour of the Parliament’s amendments but disagreed over some high-level principles. Specifically, in the interests of speed and efficiency, the Council preferred to use existing bodies and arrangements rather than setting up a new cooperation mechanism between Member States.

In keeping with the Council’s general approach to draft EU legislation intended to harmonise practices between Member States, the institution also advocated the adoption of future-proofed flexible principles as opposed to concrete prescriptive requirements. Further, it contended that Member States should retain discretion over what information to share, if any, in the case of an incident, rather than imposing mandatory requirements.

In October-November 2014 the Commission, Parliament and Council commenced trilogue negotiations on an agreed joint text. The institutions were unable to come to an agreement during the negotiations due to the following sticking points:

  1. Scope. Member States are seeking the ability to assess (to agreed criteria) whether specific market operators come within the scope, whereas the Parliament wants all market operators within defined sectors to be captured.
  2. Internet enablers. The Parliament wants all internet enablers apart from internet exchanges to be excluded, whereas some Member States in the Council (France and Germany particularly) want to include cloud providers, social networks and search engines.
  3. There was also disagreement on the extent of strategic and operational cooperation and the criteria for incident notification.

What is the timetable for adoption of the proposed Directive?

There is political desire on behalf of the Commission to see the proposed Directive adopted as soon as possible. The Council has also stated that “the timely adoption of … the Cybersecurity Directive is essential for the completion of the Digital Single Market by 2015”.

Responsibility for enacting the reform now lies with the Latvian Presidency of the Council. On 30 January 2015, Latvian Transport Minister Anrijs Matiss stated that further trilogue negotiations would be held in March 2015, with the aim of adopting the proposed Directive by July 2015.

Once adopted, Member States will have 18 months to enact national implementing legislation so we could expect to see the proposed Directive come into force by early 2017.

How does the proposed Directive interact with other EU data privacy reforms?

In our previous blog we highlighted the difficulties facing market operators of complying with the proposed Directive in view of the potentially conflicting notification requirements in the existing e-Privacy Directive and the proposed General Data Protection Regulation (the “proposed GDPR”).

Although the text of the proposed Directive does anticipate the proposed GDPR, obliging market operators to protect personal data and implement security policies “in line with applicable data protection rules”, there has still been no EU guidance issued on how these overlapping or conflicting notification requirements would operate in practice.

Furthermore, any debate over which market operators fall within the scope of the breach notification requirements of the proposed Directive would seem to become superfluous once the proposed GDPR, with mandatory breach notifications for all data controllers, comes into force.

Comment

Rather unsurprisingly, the Commission’s broad reform has been somewhat diluted in Parliament and Council. This is a logical result of Member States seeking to impose their own standards, protect their own industries or harbouring doubts regarding the potential to harmonise practices where cybersecurity/infrastructure measures diverge markedly in sophistication and scope.

Nonetheless, the proposed Directive does still impose serious compliance obligations on market operators in relation to cybersecurity incident handling and notification.

At the risk of sounding somewhat hackneyed, cyber data breaches are no longer a question of “if” but “when” for private and public sector bodies alike. Indeed, there is an increasing awareness that a high level of security in one link is of no use if it is not replicated across the chain. Whether the proposed Directive meets its aim of reducing weak links across the EU remains to be seen.

EU privacy reform: are we nearly there yet?

Posted on February 7th, 2015 by



One thing everyone agrees on is that the EU needs new data protection rules. The current rules, now some 20 years old, are getting long in the tooth. Adopted at a time when having household Internet access was still a rare thing (remember those 56kbps dial-up modems, anyone?), there’s a collective view across all quarters that they need updating for the 24/7 connected world in which we now live.

The only problem is this: we can’t agree what those new rules should look like. That shouldn’t really be a surprise – Europe is politically, culturally, economically and linguistically diverse, so it would be naive to think that reaching consensus on such an important and sensitive topic would be quick or easy.

Nevertheless, whether through optimism, politicization, or plain naivety, there have been repeated pronouncements over the years that adoption of the new rules is imminent. Since the initial publication of the EU’s draft General Data Protection Regulation in January 2012, data protection pundits have repeatedly predicted it would all be done and dusted in 2012, 2013, 2014 and now – no surprises – in 2015.

The truth is we’re a way off yet, as this excellent blog from the UK Deputy Information Commissioner highlights. Adoption of the new General Data Protection Regulation ultimately requires agreement to be reached, first, individually by each of the European Parliament and the Council of the EU on their respective preferred amendments to the original draft proposals; and then, second, collectively between the Parliament, the Council and the Commission via three-way negotiations (so-called “trilogue” negotiations).

As at the date of this post, the Parliament has reached consensus on its preferred amendments to the draft, but the Council’s deliberations in this respect are still ongoing. That means the individual positions of both institutions have not yet been finalised, the trilogue negotiations have not yet begun, and so an overall agreed upon text is not yet even close. There’s still a mountain to climb.

Not that progress hasn’t been made – it has, but there’s still a long way to go and it’s very unlikely the new law will pass in 2015. Even when it does, the expectation is that it will be a further two years until it takes effect. In other words, don’t expect the new rules to bite any time before 2018 – six years after they were originally proposed.

Why so long? Designing privacy rules fit for the 21st century is a difficult task, and the difficulty stems from the inherent subjectivity of privacy as a right. When thinking about what protections should exist, a natural consideration is what “expectation” of privacy individuals have. And therein lies the problem: no two people have the same expectations: what you expect and I expect are likely very different. Amplify those differences onto a national stage, and it becomes quickly apparent why discussions over new pan-European rules have become so protracted.

How, then, to progress the debate through to conclusion?

First, European lawmakers need to listen to the views of all stakeholders in the legislative process without prejudice or pre-judging their value. It’s far too simplistic to dismiss consumer advocates’ proposals as ‘impractical’, and equally disingenuous to label all industry concerns as just ‘lobbying’. Every side to the debate raises important points that deserve careful consideration. Insufficiently strong privacy protections will come at an expense to society, our human rights and our dignity; but, conversely, excessively strict regulation will impede innovation, hamper technological progress and restrict economic growth. A balance needs to be found, and ignoring salient points made by any side to the debate comes at a cost to us all.

Once lawmakers accept this, then they must also accept compromise and not simply ‘dig in’ to already fortified positions. Any agreement requires compromise – whether a verbal agreement between friends, a written contract between counterparties, or even legislative agreement over new laws like the General Data Protection Regulation. At present, however, there is too much bluster, quarreling and entrenchment, where reason, level-headedness and compromise should prevail.

When it comes to new data protection rules, a compromise – one that benefits all stakeholders of the information economy – is there to be struck: we just have to find it.

US and UK Regulators position themselves to meet the needs of the IoT market

Posted on January 30th, 2015 by



The Internet of Things (“IoT”) is set to enable large numbers of previously unconnected devices to communicate and share data with one another.

In an earlier posting I examined the future potential regulatory landscape for the IoT market and introduced Ofcom’s (the UK’s communications regulator) 2014 consultation on the Internet of Things. This stakeholder consultation was issued in order to examine the emerging debate around this increasing interconnectivity between multiple devices and to guide Ofcom regulatory priorities. Since the consultation was issued, the potential privacy issues associated with IoT continue to attract the most attention but, as yet, no IoT issues have led to any specific laws or legal change.

In two separate developments in January 2015, the UK and US Internet of Things markets were exposed to more advanced thinking and guidance around the legal challenges of the IoT.

UK IoT developments

Ofcom published its Report: “Promoting investment and innovation in the Internet of Things: Summary of responses and next steps” (27 January 2015) which responded to the views gathered during the consultation which closed in the autumn of 2014. In this report Ofcom has identified several priority areas to focus on in order to support the growth of the IoT. These “next step” Ofcom priorities are summarised across four core areas:

Spectrum availability: where Ofcom concludes that “existing initiatives will help to meet much of the short to medium term spectrum demand for IoT services. These initiatives include making spectrum available in the 870/915MHz bands and liberalising licence conditions for existing mobile bands. We also note that some IoT devices could make use of the spectrum at 2.4 and 5GHz, which is used by a range of services and technologies including Wi-Fi.” Ofcom goes on to recognise that, as IoT grows and the sector develops, there may be a renewed need to release more spectrum in the longer term.

Network security and resilience: where Ofcom holds the view that “as IoT services become an increasingly important part of our daily lives, there will be growing demands both in terms of the resilience of the networks used to transmit IoT data and the approaches used to securely store and process the data collected by IoT devices”. Working with other sector regulators where appropriate, Ofcom plans to continue existing security and resilience investigations and to extend its thoughts to the world of IoT.

Network addressing: where Ofcom, previously fearing numbering scarcity, now recognises that “telephone numbers are unlikely to be required for most IoT services. Instead IoT services will likely either use bespoke addressing systems or the IPv6 standard. Given this we intend to continue to monitor the progress being made by internet service providers (ISPs) in migrating to IPv6 connectivity and the demand for telephone numbers to verify this conclusion”; and

Privacy: In the particularly hot privacy arena there is nothing new within Ofcom’s preliminary conclusions. Ofcom concludes that “a common framework that allows consumers easily and transparently to authorise the conditions under which data collected by their devices is used and shared by others will be critical to future development of the IoT sector.” In a world where the UK’s Data Protection Act already applies, it was inevitable that Ofcom (without a direct regulatory remit over privacy) would offer little further insight in this regard.

It’s not surprising to read from the Report that commentary within the responses highlighted data protection and privacy to potentially be the “greatest single barrier to the development of the IoT”. The findings from its consultation do foresee potential inhibitors to IoT adoption resulting from these privacy challenges, and Ofcom acknowledges that the activities and guidance of the UK Information Commissioner (ICO) and other regulators will be pertinent to achieving clarity. Ofcom will be co-ordinating further cooperation and discussion with such bodies both nationally and internationally.

A measured approach to an emerging sector

Ofcom appears to be striking the right balance here for the UK. Ofcom suggests that future work with ICO and others could include examining some of the following privacy issues:

  • assessing the extent to which existing data protection regulations fully encompass the IoT;
  • considering a set of principles for the sharing of data within the IoT looking to principles of minimisation and restricting the overall time any data is stored for;
  • forming a better understanding of consumer attitudes to sharing data and considering techniques to provide consumers “with the necessary information to enable them to make an informed decision on whether to share their data”; and
  • in the longer term, exploring the merit of a consumer education campaign exposing the potential benefits of the IoT to consumers.

The perceived need for more clarity around privacy and the IoT

International progress around self-regulation, standards and operational best practice will inevitably be slow. On the international stage, Ofcom suggests it will work with existing research groups (such as the ones hosted by BEREC amongst other EU regulators).

We of course already have insight from Working Party 29 in its September 2014 Opinion on the Internet of Things. The Fieldfisher privacy team expounded the Working Party’s regulatory mind-set in another of our Blogs. The Working Party has warned that the IoT can reveal ‘intimate details’; ‘sensor data is high in quantity, quality and sensitivity’ and the inferences that can be drawn from this data are ‘much bigger and sensitive’, especially when the IoT is seen alongside other technological trends such as cloud computing and big data analytics.

As with previous WP29 Opinions (think cloud, for example), the regulators in that Opinion have taken a very broad brush approach and have set the bar so high that there is a risk their guidance will be impossible to meet in practice and, therefore, may be largely ignored. This is in contrast to the more pragmatic FTC musings explained further below: although the FTC follows a similar approach to protecting privacy, the EU approach is far more alarmist and potentially restrictive.

Hopefully, as practical and innovative assessments are made in relation to technologies within the IoT, we may find new pragmatic solutions emerging to some of these privacy challenges. These could include the development of standard “labels” for transparency notifications to consumers, industry protocols for data sharing coupled with associated controls, and possibly more recognition from the regulators that swamping consumers with more choices and information can sometimes amount to no choice at all (as citizens start to ignore a myriad of options and simply proceed with their connected lives, ignoring the interference of another pop-up or check-box). Certainly, with increasing device volumes and data uses in the IoT, consumers will continue to value their privacy. But, if this myriad of devices is without effective security, they will soon learn that both privacy and security issues count.

And in other news….US developments

Just as the UK’s regulators are turning their attention to the IoT, the Federal Trade Commission (FTC) also published a new Report on the IoT in January 2015. Like Ofcom’s foray into the world of the IoT, the FTC’s steps in “Privacy & Security in a Connected World” are also exploratory. To a degree, there is now more pragmatic and realistic guidance around best practices in making IoT services available in the US than we have today in Europe.

In this report the FTC recommends “a series of concrete steps that businesses can take to enhance and protect consumers’ privacy and security, as Americans start to reap the benefits from a growing world of Internet-connected devices.” As with Ofcom, it recognises that best practice steps need to emerge to ensure the potential of the IoT can be realised. This reads as an active invitation to those playing in the IoT to self-regulate and act as good data citizens. With the surge in active enforcement by the FTC during 2014, this is something worthy of attention for those engaged in the consumer-facing world of the IoT.

Since the Federal Trade Commission’s mission is to prevent fraudulent, deceptive and unfair business practices and to provide consumers with information to help spot, stop and avoid them, the FTC’s approach focusses more on the risks arising from a lack of transparency and excessive data collection than on the practical challenges the US IoT industry may encounter as the IoT and its devices place increasing demands on infrastructure and spectrum.

The report focuses on three core topics: (1) Security, (2) Data Minimisation and (3) Notice and Choice. Of particular note, the FTC report makes a number of recommendations for anyone building solutions or deploying devices in the IoT space:

  • “build security into devices at the outset, rather than as an afterthought in the design process;
  • train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
  • ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
  • when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
  • consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
  • monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.”

With echoes of privacy by design and data minimisation, as well as recommendations to limit the collection and retention of information, suggestions to impose security obligations on outside contractors and recommendations to consider notice and choice, it could transpire that the IoT space will be one where we see fewer differences in the application of US and EU best practice.

In addition to its report, the FTC also released a new publication designed to provide practical advice about how to build security into products connected to the Internet of Things. This publication, “Careful Connections: Building Security in the Internet of Things”, encourages “a risk-based approach” and suggests businesses active in the IoT “take advantage of best practices developed by security experts, such as using strong encryption and proper authentication”.

Where next?

Both reports indicate a consolidation in regulatory thinking around the much hyped world of IoT. Neither report proposes concrete laws for the IoT and, if they are to come, such laws are some time off. The FTC even goes as far as saying “IoT-specific legislation at this stage would be premature”. However, it does actively “urge further self-regulatory efforts on IoT, along with enactment of data security and broad-based privacy legislation”. Obama’s new data privacy proposals are presumably seen as a complementary step toward US consumer protection. What is clear is that there are now emerging good practices and a deeper understanding at the regulators of the IoT, its potential and its risks.

On both sides of the Atlantic the US and UK regulators are operating a “wait and see” policy. In the absence of legislation, with other potentially privacy sensitive emerging technologies we’ve seen self-regulatory programs within particular sectors or practices emerging to help guide and standardise practice around norms. This can protect at the same time as introducing an element of certainty around which business is able to innovate.

Mark Webber – Partner, Palo Alto, California – mark.webber@fieldfisher.com

Guns and privacy have more in common than you think

Posted on January 13th, 2015 by



When speaking with US companies, how do you explain the importance that EU consumers place on their data protection rights?  Oftentimes, I do this by referring to the US right to bear arms.

Whether for or against guns, pretty much every American has a strong view on this issue.  And why wouldn’t they?  The right to bear arms is a constitutional right for US citizens.  Over in the EU, we have the Charter of Fundamental Rights – not quite a constitution, but pretty close to it.  This doesn’t enshrine a right to bear arms, but it does enshrine both a right to privacy (Art 7) and a right to data protection (Art 8) for all EU citizens.

So I start by explaining that Europeans have constitutional-like rights to privacy and data protection, and that they feel as strongly about these rights as Americans do about their second amendment rights.  Once I’ve drawn this analogy, US companies quickly grasp the ‘EU privacy issue’ and understand the need for comprehensive measures to address EU data protection compliance.

In fact, the analogy between guns and privacy doesn’t end there.  At the risk of extending the analogy to breaking point, it can also be applied to debates about government surveillance and gun control.

Consider this: in the EU, there’s widespread ongoing concern over excessive government surveillance of telephone and internet communications.  These concerns are fuelled largely by fears that the data collected might be used by governments to exert Orwellian control over their citizens.   As it happens, fear of an abusive government is also part of what drives many of the heated debates over US gun control: a fear that, by restricting citizens’ right to bear arms, a dystopian future government might in some way turn against a citizenry that has no ability to defend itself.

Not everyone feels this way though.  Some argue that allowing some level of government incursion into citizens’ civil liberties affords us greater protection, either by disrupting potential terrorist threats or by preventing accidental or deliberate gun deaths, and that these incursions are necessary in light of the present-day threats we face.  The issues are complex and, whether it comes to guns or privacy, the emotive arguments presented by both sides to the discourse often seem to present an insurmountable barrier to consensus.

Perhaps this is the way it should be, though.  When fundamental human or constitutional rights are at stake, they should attract impassioned debate – that’s the imperative of a democratic society.  Because debating these issues calls into question the very type of society we want to be:  are we a society that accepts a level of surveillance in return for greater assurance of physical safety?  Or should we be a society that protects freedom of communication at all cost?

There are no easy answers, and the debate will often be determined by cultural sensitivities and topical news events.  But, as difficult as consensus can sometimes seem, we witnessed one wonderfully positive example of it today.  Speaking at the Federal Trade Commission, President Obama announced four major new privacy initiatives in the US.  These included a federal data breach notification standard, easier access to credit scores, and new protections for student data.

Most critically, though, President Obama announced that federal consumer privacy legislation would be introduced by the end of February and called on Congress to make this new legislation “the law of the land”.  The new legislation will address data processing transparency, control, purpose limitation, security and accountability, across all sectors.  In other words, the White House acknowledges the need for federal data protection standards across the entirety of the US that will to a large degree mirror those that EU citizens enjoy today.  A form of transatlantic consensus, if you will.

So maybe there’ll come a time in the very near future where I won’t have to explain how passionately Europeans feel about their privacy because American consumers will also enjoy, and feel as strongly about, these rights.  Maybe consensus building on privacy issues, across continents if not across different schools of thought, is possible.  And maybe – no, certainly – continuing the dialogue to enshrine and protect our data protection rights worldwide is now more important and more achievable than ever.

WP29 Guidance on the right to be forgotten

Posted on December 18th, 2014 by



On 26 November the Article 29 Working Party (“WP29”) issued WP225 (the “Opinion”). Part I of the Opinion provides guidance on the interpretation of the Court of Justice of the European Union ruling in Google Spain SL and Google Inc v the Spanish Data Protection Authority and Mario Costeja González (the “Ruling”), and in part II the WP29 provides a list of common criteria that the European Regulators would take into account when considering right to be forgotten (“RTBF”) related complaints from individuals.

The Opinion is in line with the Ruling but it further elaborates on certain legal and practical aspects of it and it offers, as a result, an invaluable insight into European Regulators’ vision of the future of the RTBF.

Some of the main ‘take-aways’ are highlighted below:

Territorial scope

One of the most controversial conclusions in the Opinion is that limiting the de-listing to the EU domains of the search engines cannot be considered sufficient to satisfactorily guarantee the rights of the data subjects and that therefore de-listing decisions should be implemented in all relevant domains, including “.com”.

The above confirms the trend of extending the application of EU privacy laws (and regulatory powers) beyond the traditional interpretation of current territorial scope rules under the Data Protection Directive, and will present search engines with legal uncertainty and operational challenges.

Material scope

The Opinion argues that the precedent set out by the judgment only applies to generalist search engines and not to search engines with a limited scope of action (for instance, search engines within a website).

Even though such clarification is to be welcomed, where does this leave non-search-engine controllers that receive right to be forgotten requests?

What will happen in practice?

In the Opinion, the WP29 advises that:

  • Individuals should be able to exercise their rights using “any adequate means” and cannot be forced by search engines to use specific electronic forms or procedures.
  • Search engines must follow national data protection laws when dealing with requests.
  • Both search engines and individuals must provide “sufficient” explanations in their requests/decisions.
  • Search engines must inform individuals that they can turn to the Regulators if they decide not to de-list the relevant materials.
  • Search engines are encouraged to publish their de-listing criteria.
  • Search engines should not inform users that some results to their queries have been de-listed. WP29’s preference is that this information is provided generically.
  • The WP29 also advises that search engines should not inform the original publishers of the information that has been de-listed about the fact that some pages have been de-listed in response to a RTBF request.