Incyder news


31 March 2014


Developments in the European Union: NIS Directive, Data Protection Reform, EP’s response to U.S. surveillance

Prior to the forthcoming parliamentary elections in May 2014, the European Parliament (EP) was successful in adopting several significant proposals influencing the European Union’s developments in cyber security and data protection. The Parliament approved the draft Network & Information Security (NIS) Directive, supported the Commission’s data protection reform by endorsing the General Data Protection Regulation and the Police and Criminal Justice Data Protection Directive, and passed a resolution on findings and recommendations with regard to the U.S. National Security Agency’s surveillance program.

European Parliament passes the Network & Information Security Directive

The NIS Directive (also known as the Cybersecurity Directive) was first proposed in February 2013 by the European Commission (EC) as a significant part of the EU Cybersecurity Strategy. The draft Directive[1] passed the European Parliament by a large majority on 13 March 2014,[2] and the final text of the Directive will now be negotiated in the EU legislative bodies. An ambitious aim to reach a final agreement by the end of 2014 was expressed by Neelie Kroes, EU Commissioner for the Digital Agenda.[3]

The purpose of the Directive is to guarantee a high common level of NIS across the EU through a set of comprehensive measures that will create cooperation and information sharing mechanisms and set minimum requirements for a broad scope of public and private actors.[4] For example, Member States are expected to adopt national NIS strategies, designate an NIS authority, set up national CERTs and cooperate closely with EU institutions.

Perhaps the most contested aspect of the Directive relates to the scope of private companies which fall under the proposed security and reporting requirements. In addition to setting requirements for the providers of critical infrastructure such as private companies in the energy, transport, financial services and health sectors, the initial proposal by the EC also targeted the ‘enablers of key internet services’. These services include cloud computing, search engines, social networks and app stores.[5] The exemption of the ‘internet enablers’ from the list is considered one of the main reasons why the Directive was successfully passed in the EP.[6]

The EU has been criticised for trying to achieve greater cybersecurity by creating additional regulation. This contrasts with the US approach, which is industry-led and on a more voluntary basis.[7] Nevertheless, when fully implemented, the Directive will serve as a global standard for cybersecurity.[8]

Moving forward with data protection reform

The EU is also moving forward with the data protection reform initiated in 2012.[9] The EP passed the compromise texts of the General Data Protection Regulation[10] and the Police and Criminal Justice Data Protection Directive[11] on 12 March 2014. This development can be considered an important step in data protection reform since it confirms the approval of the EP just before the parliamentary elections in May.[12] Before final adoption, the Regulation and the Directive will be submitted to the EU Council of Ministers and be subject to trilateral negotiations between the EU legislative bodies. The Commission hopes for the Regulation to become law in late 2014.[13]

The aim of the General Data Protection Regulation is to unify and update data protection laws across the European Union. The Regulation would supersede the 1995 Data Protection Directive (95/46/EC) which, inter alia, does not take into account developments such as social networks and cloud computing.[14] The scope of the Regulation goes beyond the borders of the EU and it will also apply to all non-EU organisations involved in processing the data of EU citizens.[15]

Dealing with data protection in the context of law enforcement, the Police and Criminal Justice Data Protection Directive is also a significant part of the overall data reform process.[16]

As expressed in the EU’s press release of 12 March 2014, the need to harmonise data protection standards in Europe is seen as a ‘necessity’[17] and a sense of urgency to the issue has been fostered by the recent U.S. spying scandals.[18]

European Parliament’s response to the U.S. surveillance

The Snowden revelations alleging that the U.S. has conducted mass surveillance of EU citizens were also the driving force behind a six-month investigation carried out by the Committee for Civil Liberties, Justice and Home Affairs (LIBE). The findings and recommendations of the committee were wrapped up in a resolution[19] approved by the EP on 12 March 2014. As a sign of consent, the Resolution was backed by an overwhelming majority.[20]

In addition to describing the scope of the surveillance, the Resolution requested measures which could negatively influence the cooperation between the EU and the United States. The Resolution called for ‘(1) withholding the Parliament’s consent to the Transatlantic Trade and Investment Partnership if European data protection principles are not fully respected; (2) suspending the Terrorist Finance Tracking Program until alleged breaches of the underlying data disclosure agreements have been fully clarified; and (3) suspending the Safe Harbor Framework immediately, alleging that it does not adequately protect European citizens’.[21] The Parliament also declared its support for more Europe-based cloud providers and suggested a ‘European whistle-blower protection programme’.[22] From the perspective of data protection, the suspension of the Safe Harbor Framework would be the most important development since it could disrupt U.S.-EU data flows. The Safe Harbor Framework essentially provides a method for U.S. businesses to transfer personal data from the EU in accordance with the EU Data Protection Directive (95/46/EC).[23]

The revelations have had a negative effect on transatlantic relations, but the legal implications of the Resolution will likely be limited. This is because the EC is the only organ that has the mandate to formally renegotiate agreements, and it is unlikely to share the view of the Parliament on this issue.[24] Indeed, on 27 March 2014, the EU was still able to issue a communiqué with the US emphasising further cooperation on cybersecurity.[25]