Tag Archive: europe

EUROPE: Cyber Security Directive Adopted by the EU Council – New rules on security requirements and incident reporting


On 17 May, 2016 the Council of the European Union, which comprises representatives of the Member States’ national governments, formally adopted the Network and Information Security Directive (“Directive“).  The NIS Directive will increase the security of network and information systems across the EU, and includes a new incident notification regime for affected businesses.  The final stage for the NIS Directive is endorsement from the Parliament, which is expected imminently. Thereafter, it should become effective EU law in August of this year, giving Member States 21 months to adopt the necessary national provisions.


The NIS Directive will apply to two types of organisation – operators of essential services, and digital service providers. The former is defined as an entity which “provides a service which is essential for the maintenance of critical societal and/or economic activities”.  In practice, that is likely to include energy suppliers, major transport providers (including airlines, rail transport operators and road authorities), banks and credit providers, and healthcare providers.  A digital service provider, meanwhile, might be an online marketplace, a search engine or a cloud computing provider.

Significantly, digital service providers based outside the EU, but which offer services within the EU, will be within the scope of the Directive.

Key Requirements

The two key outcomes from the Directive will be (i) increased network and information security requirements and (ii) a mandatory incident notification regime. In respect of each of these areas,  different rules apply to operators of essential services and digital service providers.

Operators of essential services will be required to “take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations”. Competent authorities in each Member State will be able to demand documented security policies, and evidence of their effective implementation, to test compliance with this requirement.  Operators will also be required to notify, without undue delay, the local competent authority of any incident (or breach) “having a significant impact on the continuity of the services they provide”.  In deciding if there is a significant impact, operators will need to consider the number of users affected, the duration of the incident, and its geographical spread.

Meanwhile, digital service providers will be required to “take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in the context of offering services […] within the Union”.   They will only be required to notify incidents that have a substantial impact on the provision of their services.

Finally, Member States need to designate a national authority for the security of network and information systems, and establish a national strategy for cyber security.


There is obvious overlap between the provisions of the Directive and the data security and breach reporting provisions of the General Data Protection Regulation (“GDPR“), due in force in 2018.  In terms of incident/ breach reporting, where the competent authority of a Member State is also its data protection authority, it will be up to that authority to determine how it handles obligations to report incidents under both the Directive and the GDPR.  We note that the Directive talks about reporting incidents without “undue delay”, whilst the GDPR is more specific in prescribing a 72 hour deadline.

The entry into force of the Directive will give affected businesses further impetus to kick-start internal assessments to ensure that their network and information security practices are well documented and effective.  This will be valuable preparation for compliance with the increased technical and organisational security measure requirements of the GDPR.

For further information, please get in touch with your usual DLA Piper contact or email us at dataprivacy@dlapiper.com.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-cyber-security-directive-adopted-by-the-eu-council/

EUROPE: EU approves airline passenger records directive

On 14 April 2016, the European Parliament approved a joint system for police and justice officials to access airline passenger data on all flights to and from the EU. The Directive endorses the use of passenger name records (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

For flights entering or departing from the EU, air carriers will have to provide the PNR data to EU Member States’ authorities. Beyond this basic obligation, Member States will also be allowed to collect PNR data on selected intra-EU flights, provided that they notify the Commission. They may also choose to collect and process PNR data from travel agencies and tour operators who manage flight bookings.

“Passenger Information Units” (PIUs) will be set up in each Member State to collect, store and process data. The information will be retained for five years, but after six months, the data will be stripped of the elements that may lead to the identification of individuals, such as name, address and contact details.

The decision has been welcomed by the European Commission, calling it a “strong expression of Europe’s commitment to fight terrorism and organised crime”.

“We have adopted an important new tool for fighting terrorists and traffickers. By collecting, sharing and analysing PNR information our intelligence agencies can detect patterns of suspicious behaviour to be followed up. PNR is not a silver bullet, but countries that have national PNR systems have shown time and again that it is highly effective”, said Parliament’s rapporteur for the proposal, Timothy Kirkhope (ECR, UK).

“There were understandable concerns about the collection and storage of people’s data, but I believe that the directive puts in place data safeguards, as well as proving that the law is proportionate to the risks we face. EU governments must now get on with implementing this agreement”, Mr Kirkhope added.

The data protection safeguards include the following:

  • national PIUs will have to appoint a data protection officer responsible for monitoring the processing of PNR data and implementing the related safeguards;
  • access to the full PNR data set, which enables users to immediately identify the data subject, should be granted only under very strict and limited conditions after the initial retention period;
  • all processing of PNR data should be logged or documented; and
  • an explicit prohibition on processing personal data revealing a person´s race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation.

Now that the European Parliament has endorsed the agreed text at first reading, the Council will formally adopt the Directive at an upcoming Council meeting. It will be published in the Official Journal and member states will have two years to transpose it into their national laws.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-eu-approves-airline-passenger-records-directive/

EUROPE – US: EU Data Protection Authorities voice strong concerns about Privacy Shield

EU Data Protection Authorities demand improvements before EU – US transfer mechanism will be approved.

The Article 29 Working Party (“WP29“), which comprises the national data protection authorities of the EU member states, issued a statement on Wednesday strongly criticising the draft “EU – US Privacy Shield” proposal.  Privacy Shield is intended to be the replacement to the defunct Safe Harbor scheme, which allowed EU companies to legally export personal data to the US.

Whilst WP29 accepts that, in its current form, Privacy Shield represents a significant improvement over Safe Harbor, it believes it does not go far enough in offering EU citizens an adequate level of protection for their personal information. Crucially, WP29 considers that Privacy Shield does not sufficiently address the massive and indiscriminate collection of personal data by the US authorities which was the precipitating factor in the Schrems case which brought down Safe Harbor.

In summary, the specific criticisms voiced by WP29 are:

  • Lack of clarity – Privacy Shield is comprised of various documents and annexes, making information hard to find and at times inconsistent;
  • Lack of key data protection principles – some of the central principles of European data protection law, such as purpose limitation and data retention, are not sufficiently covered by the proposal;
  • Onward transfers – the proposal does not ensure that the same standards are applied by third country recipients who receive EU personal data from a Privacy Shield entity;
  • Complex redress mechanism – EU citizens may not be able to effectively defend their rights in the face of a complex recourse mechanism which for many will be in a different language;
  • Indiscriminate data collection – there is insufficient detail about how the massive and indiscriminate surveillance of individuals by US authorities will be curtailed. In WP29’s view, such surveillance can never be considered proportionate or necessary;
  • Ombudsperson not independent – WP29 welcomes the creation of an Ombudsperson role to handle and solve complaints raised by EU citizens. However, it is concerned that this role will not be sufficiently independent from US authorities.

The statement also concluded that, even if Privacy Shield is approved as an adequate mechanism for data transfers under current legislation, a review of its efficacy will be needed following the entry into application of the General Data Protection Regulation (“GDPR“) in 2018.  This appears to be a strong hint from WP29 that in its current form, Privacy Shield would almost certainly not be GDPR compliant.

As the Privacy Shield proposal is still being finalized, WP29’s assessment is not fatal. However, it is a clear signal to the EU Commission and to their partners in the US that significant improvements are needed if the scheme is to earn the adequacy decision which will make it a legal mechanism for data transfers.

In the meantime, WP29 has repeatedly stated that Binding Corporate Rules and the EC standard contractual clauses (or ‘model clauses’) can be relied upon for data transfers, and represent a safe alternative for former Safe Harbor companies. Although both of these schemes will be reviewed by WP29 in due course, it will not make any decision about them until after Privacy Shield has been dealt with.

If you need any assistance with the fast evolving area of EU – US data transfers, please contact a member of our global Data Protection, Privacy and Security team.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-us-eu-data-protection-authorities-voice-strong-concerns-about-privacy-shield/

The European Commission’s commitment to Safe Harbor – three months to go?

By Patrick Van Eecke and Loretta Marshall

Although there are alternative tools authorising data flows to the US (see DLA Piper’s previous Privacy Matters blog post to view the European Commission’s latest guidance on this matter), the Commission considers that a renewed and sound safe harbor framework is the most comprehensive solution for ensuring the protection of EU personal data when it is transferred to the US. In this respect, the Commission will continue to negotiate a renewed framework for transatlantic transfers of personal data and the objective is to conclude discussions with the US government within three months.

Already in 2013, the Commission started negotiations with the US government on a new arrangement for transatlantic data transfers based on 13 recommendations which fall into four categories:


1.  Self-certified companies should publicly disclose their privacy policies.

2.  Privacy policies of self-certified companies’ websites should always include a link to the Department of Commerce Safe Harbour website which lists all the ‘current’ members of the scheme.

3.  Self-certified companies should publish privacy conditions of any contracts they conclude with subcontractors, e.g. cloud computing services.

4.  Clearly flag on the website of the Department of Commerce all companies which are not current members of the scheme.


5.  The privacy policies on companies’ websites should include a link to the alternative dispute resolution (ADR) provider and/or EU panel.

6.  ADR should be readily available and affordable.

7.  Department of Commerce should monitor more systematically ADR providers regarding the transparency and accessibility of information they provide concerning the procedure they use and the follow-up they give to complaints.


8.  Following the certification or recertification of companies under the Safe Harbour, a certain percentage of these companies should be subject to ex officio investigations of effective compliance of their privacy policies (going beyond control of compliance with formal requirements).

9.  Whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to follow-up specific investigation after 1 year.

10.  In case of doubts about a company’s compliance or pending complaints, the Department of Commerce should inform the competent EU data protection authority.

11.  False claims of Safe Harbour adherence should continue to be investigated.

Access by US authorities

12.  Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbour. In particular companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Principles to meet national security, public interest or law enforcement requirements.

13.  It is important that the national security exception foreseen by the Safe Harbour Decision is used only to an extent that is strictly necessary or proportionate.

Now that the Safe Harbor decision has been declared invalid, the Commission has intensified talks with the US government to ensure that the legal requirements formulated by the Court are complied with. Until this renewed transatlantic framework is in place, companies need to rely on the alternative transfer tools available.

To view DLA Piper’s comprehensive guide following the ruling, including a summary of the Judgment, tips on what to do next and latest updates, please click on the following link.

For further information please email dataprivacy@dlapiper.com.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-european-commissions-commitment-to-safe-harbor-three-months-to-go/

EUROPE: Fingerprinting treated like cookies under privacy law

Device fingerprinting is replacing cookies for analytics and tracking purposes, but privacy regulators now held that their usage is subject to the privacy consent, unless exemptions apply. Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-fingerprinting-treated-like-cookies-under-privacy-law/

EUROPE: Data Protection Regulation Vote

In a vote today, the European Parliament has given its formal approval to its version of the new European Data Protection Regulation. With an approval given by 621 for, 10 against, 22 abstentions, the path is now set for the next phase of negotiation and agreement concerning the proposals.


Although many groups will be pleased with the outcome, there remains concern in the business community on the practical implications of implementing the text in its current draft form. The process of determining the final framework of the reform is now dependent upon agreement being reached at Council level, with Member States still seemingly far away from a consolidated approach. Outstanding issues include the approach to third country data transfers, the use of automated profiling, the obligations of the controller and processor and the concept of the ‘one-stop-shop’, amongst others.


The objective which has now been set in the European Union is to seek agreement at Council level before the Ministerial meeting scheduled in June 2014, with a view to establishing a common position at this point. By keeping to this timetable, the process of the trilogue negotiation between the three EU institutions can commence to find an agreed approach to the new legal framework after the summer recess period this year.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-data-protection-regulation-vote/