EU Data Protection Directive

Earlier this month, the UK Government published a consultation on plans to implement the EU Directive on security of network and information systems (the “NIS Directive”, otherwise known as the Cybersecurity Directive).  The consultation includes a proposal to fine firms that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or 4% of global turnover (whichever is greater).

We summarise the UK Government’s plans below, including which organisations may be in scope — for example, in the energy, transport and other sectors, as well as online marketplaces, online search engines, and cloud computing service providers — and the proposed security and incident reporting obligations.

Organisations that are interested in responding to the consultation have until September 30, 2017 to do so.  The UK Government will issue a formal response within 10 weeks of this closing date, and publish further security guidance later this year and next.  A further consultation on incident reporting for digital service providers will be run later this year; the Government invites organisations that are interested in taking part to provide appropriate contact details.

On January 25, 2012, the European Commission presented a proposal for a “Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data”, the “Data Protection Regulation” (DPR). The Commissioner in charge of justice at the time, Viviane Reding, aware of the complexity of the matter, stated jokingly that she hoped a decision on this proposal would at least be reached by the end of her term, i.e. in October 2014.

Reding is now gone and a new EU Commission is in place, but the Council of Ministers has only very recently agreed on a few chapters of the ninety-page proposal; “Trilogue” negotiations between the European Parliament, the Council, and the Commission have not even started.  When the new Commissioner, Vera Jourova, recently claimed that a final agreement will be reached before the end of 2015, experts saw this deadline as wishful thinking, just like all those previously announced by her predecessor.

The Parliament cannot be blamed: on 12 March 2014, just before being dissolved in preparation for the May elections, it endorsed, with 621 votes in favor, 10 against and 22 abstentions, the position on the regulation adopted by the LIBE (Civil Liberties, Justice and Home Affairs) Committee. But this vote was seen more as a political move (in the context of the NSA scandal) than a nuanced and balanced approach to the difficult issues at stake. The stronger safeguards inserted, the increased level of fines, and some radical definitions are light years away from the compromises currently discussed in the Council. So even when the Council has reached a common position (or “general approach”) on the whole text, reconciling this position with the Parliament’s might take a long time – or end up in a deadlock.

By Fredericka Argent

Last week, the Court of Justice of the European Union (CJEU) ruled that owners of home surveillance cameras could be breaching the EU Data Protection Directive 95/46/EU (the Directive), when those cameras are used to monitor public spaces.  The ruling was made following a request from the Nejvyšší správní soud (The Supreme Administrative Court of the Czech Republic) for interpretive guidance.

According to the facts, Mr Ryneš, from the Czech Republic, had set up a camera to monitor the footpath outside of his home in response to a series of break-ins that he and his family had suffered.  One of the suspects of a break-in was subsequently caught on camera, and the video recording was used as evidence in the criminal proceedings that followed.  However, the suspect separately made a complaint to the Czech Data Protection Office that the surveillance system used by Mr Ryneš was unlawful.  The Czech Data Protection Office agreed. Mr Ryneš then brought an action challenging that decision, which was appealed to the Czech Supreme Court.