Data Protection and Cybersecurity

Overview

Last updated: 11 August 2017

Bird & Bird's EU Legislation Tracker highlights Regulations and Directives scheduled to take effect or to be implemented by Member States in the period to the UK's departure from the EU. It does not provide an exhaustive survey. Instead, we have sought to summarise some of the key legislation, both draft and finalised, which we are tracking in the run-up to Brexit and which are likely to be of interest to companies which do business in the UK and/or elsewhere in Europe.

The Tracker includes a short commentary on the substance of each of the measures identified, and a timeline for their known or likely effective dates (for Regulations) or implementation deadlines (for Directives). These are colour coded by reference to the likely date of Brexit.

For the purposes of the Tracker, we have assumed that the UK will exit the EU two years from its service of Article 50 notice (i.e. 29th March 2019). Ultimately the UK's Great Repeal Bill will determine whether the UK will retain, implement, amend or repeal the legislation summarised in our Tracker and the date when this will happen.

Key
Implementation status 
  Implementation deadline/effective date likely to be pre-Brexit
  Implementation deadline/effective date likely to be post-Brexit
Timeline   EU legislation

Implementation deadline

9 May 2018

 

Network and Information Security Directive (NISD) (Directive (EU) 2016/1148)

Overview:

  • Will introduce a framework of cyber security risk management for 'essential' and 'digital' service providers.
  • Regulated sectors will have to report cyber-attack incidents to a national competent authority in countries where they operate and adopt measures to manage security risks.
  • Likely to regulate energy, transport, banking, financial market infrastructure, health, water, cloud service and social media service providers amongst others. 

Brexit impact:

  • In August 2017 the UK government published a consultation paper seeking views on its plans to implement the NISD into UK legislation. The closing date for the consultation is 30 September 2017 and a response from government has been promised within 10 weeks. See here for a copy of the consultation request.

Other information:

Full text

Bird & Bird article

 

Takes effect:

25 May 2018

 

General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)

Overview:

  • The EU's cornerstone data protection legislation.
  • Will replace Member State laws which implement the Data Protection Directive (95/46/EC).
  • GDPR will introduce additional costs, liability risk, breach reporting and governance responsibilities for organisations that process personal data either in the context of their operations within the EU or anywhere globally in connection with (i) goods/services offered to, or (ii) behavioural 'monitoring' (e.g. tracking online) of, individuals within the EU.

Brexit impact:

  • The Secretary of State has confirmed that the UK plans to adopt the GDPR, Brexit notwithstanding.
  • In the June 2017 Queen's Speech it was announced that the UK would be introducing a new Data Protection Bill.
  • In August 2017, the UK Government published a 'Statement of Intent' detailing high level principles regarding the new Data Protection Bill which will be published in the Autumn. See here for Bird & Bird's summary of the statement.

Other information:

Full text

Bird & Bird's GDPR guide

UK Government & ICO positions

ICO GDPR overview

 

Takes effect:

[Target is 25 May 2018?]

 

Draft: ePrivacy Regulation (Regulation on Privacy and Electronic Communications)

Overview of provisions:

  • The EU's proposed refresh of laws which regulate e-marketing, cold calling, cookies/other tracking technology, location data, network security and other communications issues.
  • EC's draft Regulation published 10 January 2017.
  • Will replace Member State laws which implement the ePrivacy Directive (2002/58/EC, as amended by Directive 2009/136/EC) which contains rules on cookies and similar technology.
  • The current draft indicates a significant toughening of the online and direct marketing laws, with particular attention paid to rules on consent. The May 2018 effective date seems ambitious.

Brexit impact:

The UK Government's intentions regarding the Regulation are unknown and are not likely to become clear until it has progressed further through the EU legislative process. A draft ePrivacy Regulation was published by the European Commission (EC) on 10 January 2017.

The ePrivacy Regulation will replace the existing ePrivacy Directive (2002/58/EC, as amended by Directive 2009/136/EC), the EU legislation which contains rules on cookies and similar technology.

Other information:

Draft proposal (10 January 2017)

Bird & Bird summary of draft proposal (January 2017)
