Agreement Reached on First EU-Wide Rules to Improve Cybersecurity
The draft rules also contemplate the establishment of a strategic cooperation group to facilitate the exchange of information and best practices among member states. In addition, a network of national Computer Security Incident Response Teams (CSIRTs) will be established to discuss cross-border security incidents and identify coordinated responses.
Agreement was reached only after a number of compromises by all sides, with the result that it may not be considered ideal from a number of perspectives.
On the plus side, it will be down to Member States to identify which entities fall within the scope of "operators of essential services" within their jurisdictions. Specific criteria for such determinations include whether the service is critical for society and the economy, whether it depends on network and information systems and whether a cybersecurity incident could have significant disruptive effects on public safety.
On the downside, "digital service providers" will be caught if they fall within the scope of the definitions of "search engines", "e-commerce marketplace" and "cloud computing", with an exemption for small companies (under 50 employees). A compromise was reached to exempt "social networks". We understand that there will be no individual identification of companies by Member States, though each company will be regulated only by a 'home' Member State.
The European Parliament was keen to secure legal clarity through "implementing acts" thereby ensuring that Member States will not be able to take different approaches to risk management and incident reporting for digital service providers. It is expected that this work will probably be developed by the European Agency for Network and Information Security (ENISA) with the involvement of stakeholders after the draft rules have been drawn up. Digital service providers will watch this space with particular interest.
At present, political agreement has been reached but no detailed text is available. The Presidency is due to report on progress on the draft Directive at the next Transport, Telecommunications and Energy Council meeting this coming Friday, December 11th, so more detail may emerge in the meeting's minutes.
The provisionally agreed text still needs to be formally approved by the Parliament's Internal Market Committee and the Council Committee of Permanent Representatives. Member States are likely to be required to implement the Directive within 21 months of the date of entry into force of the Directive.
By Conor Ward, Consultant in our London office.