4. EU 2009
• new provisions inserted in the EU electronic communications privacy (ePrivacy) directive (art. 4)
• introduction of the first EU security breach notification duty
• limited scope: providers of public electronic communications networks and services
• Belgium 2012: transposition in art. 114/1 and 114/2 of the e-communications act
5. Summary
• notification of a specific risk of network security breach
  • to the NRA (Belgium: BIPT)
  • to subscribers
• notification of an actual security breach with important impact
  • to the NRA (Belgium: BIPT)
  • NRA can notify further to the EU
• notification of a security breach regarding personal data
  • to the NRA (Belgium: BIPT)
  • to subscribers and/or users
7. Details
• timeframe?
• which information to communicate?
• via which channel?
• when should individuals be notified?
• role of encryption
• ...
9. EU Proposals to extend the notification duty
1. Draft general data protection regulation (January 2012)
2. Draft e-identification and trust services regulation (June 2012)
3. Draft network and information security (NIS) directive (February 2013)
10. Draft NIS Directive
a) Obligations for Member States
b) Cooperation mechanism
c) Requirements for market operators and public administrations
Note: minimum harmonisation (minimum common capacity building)!
11. NIS: Duties for public administrations and market operators
• Obligation to take appropriate technical and organisational measures to manage the risks
• Obligation to notify to the national competent authority incidents having a significant impact on the security of core services
• National competent authority may inform the public where it determines that it is in the public interest
• EC will be empowered to adopt delegated acts (art. 18)
• EC will be empowered to adopt delegated acts (art. 18)
12. “Market operators”: Annex II of the Draft NIS Directive
• Providers of “information society services” (operating in the EU)
  • e-commerce platforms
  • internet payment gateways
  • social networks
  • search engines
  • cloud computing services
  • application stores
• Operators of “critical information infrastructures” (CIIP operators)
  • Energy
  • Transport
  • Banking
  • Financial market infrastructures (stock exchange, clearinghouses)
  • Health sector
13. EU Proposals to extend the notification duty
1. Draft general data protection regulation (January 2012)
2. Draft e-identification and trust services regulation (June 2012)
3. Draft network and information security (NIS) directive (February 2013)
15. “e-Identification”: mutual recognition
• idea:
  • if an online (government) service in a Member State requires access authentication by means of an e-ID,
  • then this service should be accessible for e-IDs notified by other Member States
16. “Trust Services”
• stricter rules for “trust service providers” (e.g. annual security audit)
• “trust services”: services related to e-signatures, timestamps, e-documents, e-delivery, website authentication, digital certificates
• introduction of security breach notification (to supervisory bodies and data protection commissioners)
• “qualified” trust services: presumption of legal validity
17. EU Proposals to extend the notification duty
1. Draft general data protection regulation (January 2012)
2. Draft e-identification and trust services regulation (June 2012)
3. Draft network and information security (NIS) directive (February 2013)
18. On 25 January 2012 the European Commission officially released a proposal for a comprehensive reform of the 1995 data protection rules on personal data processing.
19. 1. One single European law
If adopted, the proposed Regulation will be valid across the EU.
As a consequence, companies established in more than one EU country will no longer have difficulties in coping with the divergent rules of the EU Member States.
20. 2. Every company supervised by one data protection commissioner
Personal data processing by companies established in more than one EU country will be monitored by one single supervisory authority.
In principle this will be the data protection commission of the country where the company has its main establishment.
21. 3. Also applicable to companies outside the EU
Theoretically the proposed Regulation claims to be applicable to the processing of personal data of data subjects residing in the EU by a controller not established in the EU,
… where the processing activities are related to the offering of goods or services to such data subjects, or to the monitoring of the behaviour of such data subjects.
22. 4. Basic rules remain but would be better implemented
The supervisory authorities will be empowered to fine companies that violate EU data protection rules.
This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.
Moreover, the responsibility and liability of the controller for any processing of personal data are more clearly established.
23. 5. Abolition of the general obligation to notify
The general notification obligation would be abolished, and
replaced by procedures and mechanisms which focus instead on
those processing operations which are likely to present specific
risks.
24. 6. Data protection officers
The controller and the processor would in the future be required to designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body; or
(b) the processing is carried out by an enterprise employing 250 persons or more; or
(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.
25. 7. Consent: always explicit
Tacit consent will no longer be sufficient as a legal ground for personal data processing.
Moreover, consent can no longer be integrated into terms and conditions but must be presented in a manner distinguishable in its appearance from this other matter.
26. 8. Right to be forgotten?
The right to erasure would be extended in such a way that a
controller who has made the personal data public would be
obliged to inform third parties which are processing such data
that a data subject requests them to erase any links to, or
copies or replications of that personal data.
27. 9. “Data portability”
The data subject would be allowed to transmit those data, which
they have provided, from one automated application, such as a
social network, into another one.
This should apply where the data subject provided the data to the
automated processing system, based on their consent or in the
performance of a contract.
28. 10. Security breach notification
As soon as a controller becomes aware that a personal data breach
has occurred, he would be obliged to notify this breach to the
supervisory authority without undue delay and, where feasible,
within 24 hours.
The individuals whose personal data could be adversely affected
by the breach would also have to be notified without undue delay
in order to allow them to take the necessary precautions.
29. Conclusions
• current scope still limited (telecom providers, ISPs, etc.)
• extension to other sectors under discussion
• lack of co-ordination between proposed rules is criticized
• many questions remain about practical implementation
30. Jos Dumortier
time.lex - Information & Technology Law
Congresstraat 35
B-1000 Brussel
(t) +32 (0)2 229 19 47
www.timelex.eu / jos.dumortier@timelex.eu