Out-Law / Your Daily Need-To-Know

Data protection reforms should precede Network and Information Security Directive, says MEP

Out-Law News | 05 Sep 2013 | 1:02 pm | 2 min. read

Planned new laws to bolster the security of 'critical infrastructure' around the EU should not be introduced until a reformed data protection law framework is in place, an MEP has said.

In a draft opinion (12-page / 174KB PDF) being put forward for approval by the European Parliament's Civil Liberties, Justice and Home Affairs (LIBE) Committee, Swedish MEP Carl Schlyter said that there is "major concern" about how two new data breach notification schemes, one proposed under the draft Network and Information Security (NIS) Directive and the other under a planned General Data Protection Regulation, would operate together. 

"A major concern that remains regards the relationship of the proposed system to the notification system proposed under the general data protection regulation, and their effective coexistence, which is one of the reasons we highlight the fact that any EU cybersecurity legislation should follow the adoption of the General Data Protection Regulation, not precede it," Schlyter said in his draft opinion. 

The European Commission published the draft NIS Directive in February in a bid to ensure that banks, energy companies and other businesses involved in the operation of critical infrastructure maintained sufficiently secure systems. Under the regime public administrators and 'market operators' would have to notify designed regulators of "significant" cyber security incidents that they experience. 

Under the Commission's proposals not all breaches reported to the regulators would necessarily be conveyed to the public, but regulators would be required to determine on a case-by-case whether it was in the public interest to inform them. The regulators would be obliged to share information with one another on cyber security risks in accordance with the proposed framework. 

The notification regime under the NIS Directive would apply to different forms of security breaches, but it is envisaged that regulators would liaise closely with data protection authorities when breaches reported concern the loss of personal data. 

Under separate European Commission plans, first outlined in January 2012, organisations would be generally required to report all personal data breaches to regulators "without undue delay" and, if possible, within 24 hours of becoming aware of them. MEPs and EU Ministers have subsequently proposed changes to that regime, but new obligations relating to the reporting of personal data breaches do look likely to form part of any reformed EU data protection law framework. 

Under the amendments to the NIS Directive proposed by Schlyter, the breach notifications regime would "apply without prejudice to personal data breach notification obligations in accordance with applicable data protection law". 

A separate personal data breach notification regime already applies for telecoms companies. The rules they are subject to were recently updated. 

In addition, he has recommended that the new requirements be placed on software producers to fix faults with the systems that suffer security breaches. 

"Software producers shall be responsible for correcting security breaches, within 24 hours of being informed for serious cases, and 72 hours for cases were the effects are unlikely to result in any significant financial loss or serious breach of privacy," draft new rules proposed by Schlyter said. "Commercial software producers shall not be protected from 'no-liability' clauses when it can be demonstrated that their products are not properly designed to handle foreseeable security threats." 

Schlyter also said that social networks and app stores should be removed from the list of 'market operators' that should be subject to the NIS Directive rules on the basis that they do not operate 'critical infrastructure'. He has also set out a number of proposed data protection safeguards to limit the circumstances in which personal data could be shared between regulators. 

The operators of critical infrastructure should also "design resilience based systems" that can operate "even when other systems beyond their control fail", the MEP added.