Regulatory Timeline: Data Protection, Cyber Security and Privacy

Published on 25th Feb 2015

“It’s an incredibly busy time for data lawyers. Much attention will focus on the new DP Regulation, which the European Commission (optimistically) hopes will be finalised by the end of the year.

“Cyber security will continue to generate headlines and will come into sharper focus for lawyers with the finalisation of the EU Cyber Security Directive expected later in 2015.”

31 December 2015 – Data Protection Regulations 

Wholesale reform to Europe’s data protection laws is the subject of ongoing discussion and negotiation within the European Union’s legislative bodies. Once finalised, it is proposed that the reforms will be introduced in the form of a European Regulation, which will take direct effect across all EU Member States after a two-year implementation period.

Progress of Regulation so far/projected progress:

  • January 2012: First draft Data Protection Regulation (DP Regulation) published by the European Council.
  • May 2012: European Parliament committees exchange views on the draft revised DP Regulation.
  • July 2012: First European Parliament working document produced by the Committee on Civil Liberties, Justice and Home Affairs (LIBE committee). 
  • October 2012: European Parliament leads an inter-parliamentary hearing with national parliaments and MEPs. 
  • January 2013: Draft report and mark-up of the proposed DP Regulation released.  
  • March 2013: All other European Parliament advisory committees provide opinions on the report. 
  • Autumn 2013: Informal negotiations between the European Council and the European Parliament. 
  • March 2014: European Parliament first reading of the draft DP Regulation and the LIBE Committee’s compromise text.
  • May 2014: European Council meets to discuss the draft DP Regulation and produces a report. 
  • December 2014: Latest draft of the DP Regulation being debated by the European Council is leaked, revealing that there are still a large number of significant areas being debated, including consent, profiling and the “right to be forgotten”.
  • Early 2015: European Council is expected to adopt its first reading position; negotiations will then start between the European Council and the European Parliament.
  • 2015: Scheduled date for agreement on the draft DP Regulation. There is a real possibility that agreement may not be reached until 2016. 
  • 2017/2018: Revised data protection framework is expected to come into force, two years from agreement of the final DP Regulation. 

31 December 2015 – EU Cyber Security (Network and Information Security) Directive expected to come into force

On 7 February 2013, the European Commission published a draft Cyber Security Directive to extend existing tough telecoms data security obligations to other communications providers and those who operate critical infrastructure. 

Once implemented, energy providers and network operators, credit-card companies, cloud service providers, hospitals, logistics companies and many others will all be covered by a range of data security obligations, including notifying regulators and the public of data security breaches, and submission to far-reaching audit powers. This is in addition to any existing notification obligations that may be introduced in the meantime by the new DP Regulation (discussed above), or existing legislation (for example, that covering the telecoms and financial services sectors). 

In March 2014 the European Parliament voted in support of the Cyber Security Directive, but proposed a number of amendments to the original text, including removing public administrators and enablers of information society services specifically from the Directive’s scope and expanding the list of operators of critical infrastructure that are within its scope. 

In October 2014, the European Council was given a mandate to start informal exploratory talks with the European Parliament and the European Commission (referred to as “trilogues”) on the proposed Directive. The first and second informal trilogues took place in October and November 2014; at the time of going to press a third and final trilogue is expected imminently. The main outstanding issue between the European Parliament and the Council is the scope of coverage of the Directive; the European Council text would allow Member States to assess whether or not certain operators in identified sectors would be subject to the obligations, whereas the European Parliament text envisages all operators in all sectors being subject to the obligations. 

31 December 2015 – Important court cases

While legislative reform is progressing slowly, significant cases are being heard by the courts at a European and national level and further developments are expected to arise from those cases throughout 2015. Google has been involved in some of the most important recent cases: 

  • The ECJ decision in May 2014 involving Google Spain, regarding the “right to be forgotten”, was important in a number of respects, including with regard to the territorial scope of the Data Protection Directive 1995.
  • In that decision, it was also held that Google was a data controller and as a consequence, in January 2015, the High Court ruled that Max Mosley has a viable claim against Google under section 10 of the Data Protection Act 1998 over its failure to block images and links that direct to websites displaying his personal data from its search engine results. The case will now go to trial and an ECJ reference may be made on the application and interaction of the Data Protection Directive and the E-Commerce Directive, which could raise interesting and difficult questions on the application of those directives.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
