posted 3 years ago
As the world immerses itself in a process of digital transformation, the EU has recognised the importance of prioritising the protection of the fundamental rights and security of its citizens. Data protection matters have taken centre-stage in Brussels, with new initiatives, rules and regulations – partially a result of the EU’s efforts to ensure that the law does not lag behind the fast pace of technological development – being proposed and debated on a recurring basis. In this article, Dr Emma Grech, Partner at City Legal, provides an overview of some of the more salient regulatory developments in the “privacy” realm at an EU level.
It’s not all about the GDPR!
Businesses and advisers everywhere are still recovering from the tidal wave of 25 May 2018, the date on which the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) became applicable. Although it largely built on the concepts introduced by its predecessor, the Data Protection Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, the GDPR’s new areas of focus – such as enhanced data subject rights, increased obligations on organisations that process personal data, an emphasis on the concept of “accountability”, and, last but not least, exorbitant fines for non-compliance – were quick to usher in a culture shift that saw organisations begin prioritising the manner in which they protect personal data. Or else!
The GDPR, however, does not reside in a vacuum. While admittedly constituting the foundation of privacy toolkits across the globe, the GDPR is only one of the recent measures the EU has adopted in order to bolster the supranational drive towards enhanced data protection. In this article, we take a look at some other privacy-related regulatory developments in the EU.
Enhanced cybersecurity efforts
The GDPR requires that organisations that process personal data adopt appropriate “technical and organisational measures” (Article 32). Although the GDPR does not provide a black-and-white answer as to what these measures are – Article 32 lists only examples, such as pseudonymisation and encryption, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore access to personal data in a timely manner after an incident, and regular testing of the measures’ effectiveness – in practice, these are understood to comprise the functions, controls, processes, procedures and, generally, all measures taken by an entity to secure personal data, selected in light of the state of the art, the cost of implementation and the risks the processing presents. Naturally, the deployment of robust cybersecurity systems carries substantial weight in evidencing that an organisation has implemented adequate “technical and organisational measures”.
EU Network and Information Security Directive
The Network and Information Security Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 (the “NISD”) is the first ever piece of EU-wide cybersecurity legislation, and, aside from its objective to enhance cybersecurity standards across the EU, it is also aimed at promoting cooperation between member states in managing the risks brought about by the digital age.
The NISD imposes minimum cybersecurity requirements on two categories of entity: (i) operators of essential services (“OESs”) in the sectors listed in Annex II of the NISD, such as energy, transport, banking, financial market infrastructures, healthcare, drinking water supply and distribution, and digital infrastructure; and (ii) digital service providers (“DSPs”), namely online marketplaces, online search engines and cloud computing services (Annex III).
Organisations falling under the remit of the NISD are required to adopt appropriate security policies and (technical and organisational) measures in line with the cybersecurity risks they face, in a bid to protect their systems and, of course, their data. The NISD itself frames this obligation in general terms; the more specific areas now commonly cited, such as risk analysis, incident handling, supply chain security, and the use of cryptography and encryption, are spelled out expressly in the NISD2 proposal discussed below.
It is important to note that unlike the GDPR, which is directly applicable in all EU member states, the NISD had to be transposed into member state law (the transposition deadline was 9 May 2018). By 2020, all member states had informed the European Commission that they had fully transposed the NISD into their legislative frameworks.
…NISD2?
On 16 December 2020 – that is, less than a year after the last member states completed the NISD’s transposition! – the Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union (or the “NISD2”), intended to repeal and replace the NISD, was published. The NISD2 was likely spurred on by various factors, in particular: (i) the rapid increase in sophisticated cyber attacks across the globe; as well as (ii) the EU’s ambition to be a forerunner in the sphere of critical technologies, such as blockchain, quantum computing and 5G.
Of the changes being introduced by the NISD2, perhaps one of the most pertinent is its extended scope of applicability. OESs (operators of essential services) and DSPs (digital service providers) have been replaced by a wider reference to “essential” or “important” entities, covering, in addition to the vital sectors mentioned earlier such as banking and healthcare: public administration, food production and distribution, postal and courier services, manufacturing of certain critical products (e.g. pharmaceuticals and medical devices), space, and waste management, among others.
It is expected that the “trilogue” negotiations between the three bodies involved in the EU Legislative process (the European Commission, the Parliament and the Council of Ministers) will commence later on in 2022.
ePrivacy overhaul
Back in 2017, the Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications (the “ePrivacy Regulation”) – intended to repeal and replace the Directive on Privacy and Electronic Communications 2002/58/EC of the European Parliament and of the Council of 12 July 2002 (the “ePrivacy Directive”) – was published.
The ePrivacy Regulation was primarily intended to align the “antiquated” ePrivacy Directive with the GDPR, as well as, in a sense, to “close the gaps” the GDPR left in respect of privacy matters in the online sphere. As a “lex specialis” (special law), its provisions would take precedence over the GDPR in the matters it governs. The ePrivacy Regulation is intended to increase user security, reinforce the confidentiality of communications content and metadata, and lay down clearer rules for the deployment of cookies and similar technologies. Its scope has also been widened beyond traditional telecoms providers to cover newer technologies, such as VoIP (Voice over Internet Protocol) and other “over-the-top” messaging platforms, and machine-to-machine communications, such as the IoT (Internet of Things).
Drawing from the GDPR, the ePrivacy Regulation imposes severe penalties in the case of breaches. Violations of the rules for processing electronic communications data or sending commercial communications may result in fines of up to EUR10 million or 2% of the corporate group’s annual worldwide turnover, whichever is higher. Breaches of the rules relating to cookies, the protection of electronic communication confidentiality, or non-compliance with corrective action carry fines of up to EUR20 million or 4% of the corporate group’s annual worldwide turnover, again whichever is higher.
In February 2021 – four years after its original publication – the Council of the EU agreed its negotiating mandate on the ePrivacy Regulation text, allowing the trilogue negotiations with the Parliament to commence. In light of various points of conflict in the ongoing discussions, it is unlikely that the ePrivacy Regulation will enter into force before 2023.
Developments remain ongoing. Watch this space!
For more information on how we may assist with your privacy and cybersecurity matters, please contact: Dr Emma Grech, Partner – emma.grech@thecitylegal.com
DISCLAIMER: The information contained in this document does not constitute legal advice or advice of any nature whatsoever. Although we have carried out research to ensure, as far as is possible, the accuracy and completeness of the information contained in this article, we assume no responsibility for errors or other inconsistencies herein.