The last two weeks have seen the ‘Digital Economy’ on the agenda in Brussels, with discussions by the European Parliament on the Digital Single Market and the adoption of the Directive on Cybersecurity. The other interesting development has been the further doubts expressed by the European Parliament on the adequacy of the new EU-US Privacy Shield arrangements that cover data transfer from the EU to the US, which means the ‘deal’ is certainly not complete. Some hard work ahead still for the Commission on this one!
KEY AREAS OF ACTIVITY
- DIGITAL SINGLE MARKET PROPOSALS
On 25 May 2016, the European Parliament held a debate on the Digital Single Market. During the debate, Members of the European Parliament (MEPs) said they wished to ensure that all citizens benefit from the Digital Single Market package presented by the Commission. MEPs were also pleased with the plan to avoid a “one-size-fits-all” approach to online platforms.
- CYBERSECURITY DIRECTIVE ADOPTED BY THE EU COUNCIL
On 17 May 2016, the Council of the European Union, which comprises representatives of the Member States’ national governments, formally adopted the text of the Network and Information Security Directive (“NIS Directive”), previously agreed with the European Parliament. The NIS Directive will increase the security of network and information systems across the EU, and includes a new incident notification regime for affected businesses.
The NIS Directive will apply to two types of organisations – operators of essential services, and digital service providers. The former is defined as an entity which “provides a service which is essential for the maintenance of critical societal and/or economic activities”. In practice, that is likely to include energy suppliers, major transport providers (including airlines, rail transport operators and road authorities), banks and credit providers, and healthcare providers. A digital service provider, meanwhile, might be an online marketplace, a search engine or a cloud computing provider.
Significantly, digital service providers based outside the EU, but which offer services within the EU, will be within the scope of the Directive.
The two key outcomes from the Directive will be (i) increased network and information security requirements and (ii) a mandatory incident notification regime. In respect of each of these areas, different rules apply to operators of essential services and digital service providers.
The Directive will now be formally adopted by the European Parliament, and is expected to enter into force in August 2016.
- EU-US PRIVACY SHIELD
On 26 May 2016, the European Parliament adopted a resolution (501 in favour, 119 against and 31 abstentions) calling on the Commission to reopen negotiations with the US to address deficiencies in the EU-US Privacy Shield.
The European Parliament voiced concerns about a list of deficiencies relating to:
- Access by US authorities to data transferred under the new agreement
- Bulk collection of data and conformity to necessity and proportionality requirements
- The independence of the proposed US Ombudsman
- An overly complex redress mechanism
- A periodic and robust review of Privacy Shield in the light of new EU data protection legislation
Despite not being binding, the resolution will increase pressure on the European Commission to enhance privacy guarantees. The Commission is now expected to miss the June deadline to implement the new agreement.
Neil Munroe is a director of BIIA and a member of the BIIA regulatory committee. He can be reached at: CRS Insights Ltd – e: email@example.com – m: +44 (0) 7710 844518, p: +44 (0) 1923 284604