On June 14, 2013, the European Data Protection Supervisor (the “EDPS”) issued an Opinion regarding a joint communication by the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy, Cyber Security Strategy of the European Union: an Open, Safe and Secure Cyberspace (the “Strategy”), as well as the European Commission’s proposed draft directive to ensure uniformly high security measures for network and information security across the EU (the “NIS Directive”). The EDPS welcomes the recognition of privacy and data protection as core values of a robust cybersecurity policy, as opposed to treating security and privacy separately, but draws attention to several deficiencies, stating that “the ambitions of the strategy are not reflected in how it will be implemented.”
As a general remark, the EDPS notes that the Strategy and the NIS Directive do not sufficiently address the roles of existing and forthcoming data protection law, and thus run the risk of creating overlaps and contradictions between the existing legal framework and the strategy going forward. According to the EDPS, those risks may result in a fragmented approach.
The Opinion also draws attention to the following issues:
In the EDPS’s view, several terms and concepts used in the Strategy and the NIS Directive are not clear enough (e.g., “cyber resilience,” “cyber defense,” “network and information system,” “incident”). Since some of these terms are used to justify certain special measures that could interfere with fundamental rights, including the rights to privacy and data protection, clear definitions are of particular importance. Although the term “cybercrime” is defined, the definition is too vague and broad and should be narrowed.
The EDPS recommends replacing the current non-exhaustive list of “market operators” in Annex II of the NIS Directive with an exhaustive list that includes all relevant stakeholders. The EDPS questions why some sectors (such as hardware and software manufacturers and security software and service providers) were not included in the list, and recommends clarifying that EU institutions and bodies also fall within the scope of the Directive. In addition, the EDPS advises amending Article 14(8) of the Directive so that the exclusion of microenterprises from the incident notification requirement does not apply to operators that play a crucial role in the provision of information society services as defined by the E-Commerce Directive, for example with regard to the nature of the information they process.
The EDPS finds that the current text does not provide sufficient legal certainty regarding which incidents should be reported to the relevant authorities. Accordingly, the EDPS recommends clarifying the circumstances in which notification is required, as well as the content and format of the notification, including what types of personal data are covered. The EDPS also recommends clarifying that these incident notifications do not alter any other data breach notification obligations under applicable data protection law (i.e., the e-Privacy Directive and the Proposed General Data Protection Regulation). The Proposal should also set out the key aspects of how NIS authorities should cooperate with data protection authorities (“DPAs”) if a security incident involves personal data.
The Opinion also recommends:
- further considering the role of DPAs with respect to all aspects of cybersecurity;
- explaining the need to embed data protection by default and by design in the planned mechanisms;
- limiting any further exchange of personal data to what is necessary;
- specifying data retention periods; and
- adding a clause noting that any transfer of personal data to recipients outside the EU should respect the restrictions in EU Data Protection Directive 95/46/EC.