EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda?

Transcription

1 EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda? Dr. Jörg Hladjk Counsel European Data Protection & Privacy Practice Hunton & Williams, Brussels Cyber Security & Privacy EU Forum 2013 April 19, 2013 Brussels

2 Agenda Current regulatory trends in the EU Data protection Cybersecurity Cloud computing Conclusions 2

3 Data Protection (I) General theme becoming stricter Proposed EU Regulation (January 2012) Harmonization and direct effect - no national implementation Addresses evolving technologies Will apply to Companies processing data within the EU Companies outside the EU that offer goods and services to EU residents or monitor their behavior (online context) 3

4 Data Protection (II) Demand for accountability New requirements, including: documentation about data processing privacy impact assessments privacy-by-design/default appointment of data protection officer Data processors (i.e. IT service providers) will share responsibilities and liabilities 4

5 Data Protection (III) Stricter rules on data security Broad legal definition of data breach Obligations to implement technical and organizational measures Requirement to notify regulators and individuals within 24 hours of discovery of a breach, where feasible Supervision: One-Stop-Shop A company will only be regulated by one data protection authority across the EU Main establishment becomes important 5

6 Data Protection (IV) High sanctions in case of non-compliance up to EUR or 0,5% of annual worldwide turnover for minor breaches up to EUR or 1% of annual worldwide turnover for intermediary level breaches up to EUR or 2% of annual worldwide turnover for serious breaches Regulation will most likely be adopted in 2014 and enter into force in

7 Cybersecurity (I) FBI Director Robert Mueller I am convinced there are only two types of companies: Those that have been hacked and those that will be. March 1,

8 Cybersecurity (II) Proposed EU Cybersecurity Directive (February 2013) Comprehensive regulation of security Introduction of broad legal definitions for network and information systems security risk incident 8

9 Cybersecurity (III) Security requirements and incident notification Obligation to implement appropriate technical and organizational measures Obligation to undergo security audit Notification requirement vis-à-vis regulators in case of incidents Regulator may then inform the public 9

10 Cybersecurity (IV) Market operators explicitly listed as targets: E-commerce platforms Internet payment gateways Social networks Search engines Cloud computing services Application stores Energy suppliers Transport/logistics companies Credit institutions, stock exchanges Health care institutions 10

11 Cybersecurity (V) Sanctions EU Member States required to lay down rules on sanctions Sanctions must be effective, proportionate and dissuasive If personal data is involved, sanctions must be consistent with sanctions of proposed Data Protection Regulation 11

12 Cloud Computing (I) Focused EU Commission Strategy (September 2012) Three main issues: Simplification of cloud computing standards and certification Development of new model contract terms for cloud computing services Initiative for a European Cloud Partnership 12

13 Cloud Computing (II) Standards and Certification Aim to introduce pan-european certification schemes by 2014 Schemes will address data protection, especially data portability, and focus on increased transparency of cloud service providers security practices Participation will be voluntary 13

14 Cloud Computing (III) Model Contract Terms To be drafted by the end of 2013 Will cover range of topics Will incorporate new mechanisms for data processors (i.e. IT service providers) 14

15 Cloud Computing (IV) Review of current EU standard contractual clauses for international data transfers to make them more cloud-friendly Encouragement of national data protection authorities to approve Binding Corporate Rules tailored for cloud services 15

16 Conclusions Data protection framework will change fundamentally and should be high on the risk agenda Cybersecurity will be regulated for the first time and reporting obligations require an emergency plan Cloud computing strategy will overlap with other initiatives and lead to standardization 16

17 Contact & Questions Dr. Jörg Hladjk Counsel Tel Fax Hunton & Williams Park Atrium, Rue des Colonies Brussels, Belgium 17

18 Hunton & Williams Ranked by Computerworld magazine for the fourth consecutive year as the top law firm globally for privacy Ranked in Band 1 for Privacy and Data Security in Chambers Global, Chambers USA and Chambers UK guides Ranked in Tier 1 in The Legal 500 United States for Data Protection and Privacy Ranked in Tier 1 in The Legal 500 EMEA for Belgium: Privacy and Data Protection Received Corporate INTL Magazine Global Award for Data Protection Law, Firm of the Year in China 18