EU Security Breach Legislation
Impact on Enterprise Risk Management
jos.dumortier@timelex.eu
Forbes, October 3, 2013
EU 2009
• new provisions inserted in the EU
electronic communications privacy
(ePrivacy) directive (art. 4)
• introduction of first EU security breach
notification duty
• limited scope: providers of public
electronic communications networks and
services
• Belgium 2012: transposition in art. 114/1
and 114/2 of the e-communications act
Summary
• notification of specific risk of network
security breach
• to the NRA (Belgium: BIPT)
• to subscribers
• notification of actual security breach with
important impact
• to the NRA (Belgium: BIPT)
• NRA can notify further to EU
• notification of security breach regarding
personal data
• to the NRA (Belgium: BIPT)
• to subscribers and/or users
Details
• timeframe?
• which information to communicate?
• via which channel?
• when should individuals be notified?
• role of encryption
• ...
Recent example:
EU Proposals to extend the notification duty
1. Draft general data protection regulation (January 2012)
2. Draft e-identification and trust services regulation (June 2012)
3. Draft network and information security (NIS) directive (February 2013)
Draft NIS Directive
a) Obligations for Member States
b) Cooperation mechanism
c) Requirements for market operators and public administrations
Note: minimum harmonisation (minimum common capacity building)!
NIS: Duties for public administrations and market
operators
• Obligation to take appropriate technical and organisational measures to manage the risks
• Obligation to notify to the national competent authority incidents having a significant impact on
the security of core services
• National competent authority may inform the public where it determines that it is in the public
interest
• EC will be empowered to adopt delegated acts (art. 18)
“Market operators”: Annex II of the Draft NIS
Directive
• Providers of “information society services” (operating in the EU)
• e-commerce platforms
• internet payment gateways
• social networks
• search engines
• cloud computing services
• application stores
• Operators of “critical information infrastructures” (CIIP operators)
• Energy
• Transport
• Banking
• Financial market infrastructures (stock exchange, clearinghouses)
• Health sector
EU Proposals to extend the notification duty
1. Draft general data protection regulation (January 2012)
2. Draft e-identification and trust services regulation (June 2012)
3. Draft network and information security (NIS) directive (February 2013)
Draft EU e-Identification and Trusted Services
Regulation
1. e-Identification
2. Trust Services
“e-Identification”: mutual recognition
• idea:
• if an online (government) service in a Member State requires access
authentication by means of an e-ID,
• then this service should also be accessible with e-IDs notified
by other Member States
“Trust Services”
• stricter rules for “trust service providers” (e.g. annual security audit)
• “trust services”: services related to e-signatures, timestamps, e-documents, e-
delivery, website authentication, digital certificates
• introduction of security breach notification (to supervisory bodies and data
protection commissioners)
• “qualified” trust services: presumption of legal validity
EU Proposals to extend the notification duty
1. Draft general data protection regulation (January 2012)
2. Draft e-identification and trust services regulation (June 2012)
3. Draft network and information security (NIS) directive (February 2013)
On 25 January 2012 the European Commission officially released a
proposal for a comprehensive reform of the 1995 data protection rules
on personal data processing.
1. One single European law
If adopted, the proposed Regulation will be valid across the EU.
As a consequence, companies established in more than one EU country
will no longer have to cope with the divergent rules of the individual
EU Member States.
2. Every company supervised by one
data protection commissioner
Personal data processing by companies established in more than
one EU country will be monitored by one single supervisory
authority.
In principle this will be the data protection commission of the
country where the company has its main establishment.
3. Also applicable to companies outside the
EU
Theoretically, the proposed Regulation claims to apply to the
processing of personal data of data subjects residing in the EU by a
controller not established in the EU, where the processing activities
are related to the offering of goods or services to such data subjects,
or to the monitoring of the behaviour of such data subjects.
4. Basic rules remain but would be
better implemented
The supervisory authorities will be empowered to fine
companies that violate EU data protection rules.
This can lead to penalties of up to €1 million or up to 2% of the
global annual turnover of a company.
Moreover, the responsibility and liability of the controller for any
processing of personal data are more clearly established.
5. Abolition of the general obligation to notify
The general notification obligation would be abolished, and
replaced by procedures and mechanisms which focus instead on
those processing operations which are likely to present specific
risks.
6. Data protection officers
The controller and the processor would in the future be requested
to designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body; or
(b) the processing is carried out by an enterprise employing 250
persons or more; or
(c) the core activities of the controller or the processor consist of
processing operations which, by virtue of their nature, their scope
and/or their purposes, require regular and systematic monitoring of
data subjects.
7. Consent: always explicit
Tacit consent will no longer be sufficient as a legal ground for
personal data processing.
Moreover, consent can no longer be buried in the terms and conditions:
it must be presented in a form that is clearly distinguishable from
those other matters.
8. Right to be forgotten?
The right to erasure would be extended in such a way that a
controller who has made the personal data public would be
obliged to inform third parties which are processing such data
that a data subject requests them to erase any links to, or
copies or replications of that personal data.
9. “Data portability”
The data subject would be allowed to transmit the data they have
provided from one automated application, such as a social network, to
another one.
This should apply where the data subject provided the data to the
automated processing system, based on their consent or in the
performance of a contract.
10. Security breach notification
As soon as a controller becomes aware that a personal data breach has
occurred, it would be obliged to notify the breach to the supervisory
authority without undue delay and, where feasible, within 24 hours.
The individuals whose personal data could be adversely affected
by the breach would also have to be notified without undue delay
in order to allow them to take the necessary precautions.
Conclusions
• current scope still limited (telecom providers, ISPs, etc.)
• extension to other sectors under discussion
• lack of co-ordination between proposed rules is criticized
• many questions remain about practical implementation
Jos Dumortier
time.lex - Information & Technology Law
Congresstraat 35
B-1000 Brussel
(t) +32 (0)2 229 19 47
www.timelex.eu / jos.dumortier@timelex.eu
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 

20131009 aon security breach legislation

  • 1. EU Security Breach Legislation
    Impact on Enterprise Risk Management
    jos.dumortier@timelex.eu
  • 4. EU 2009
    • new provisions inserted in the EU electronic communications privacy (ePrivacy) directive (art. 4)
    • introduction of the first EU security breach notification duty
    • limited scope: providers of public electronic communications networks and services
    • Belgium 2012: transposition in art. 114/1 and 114/2 of the e-communications act
  • 5. Summary
    • notification of a specific risk of a network security breach
      • to the NRA (Belgium: BIPT)
      • to subscribers
    • notification of an actual security breach with important impact
      • to the NRA (Belgium: BIPT)
      • the NRA can notify further to the EU
    • notification of a security breach regarding personal data
      • to the NRA (Belgium: BIPT)
      • to subscribers and/or users
  • 7. Details
    • timeframe?
    • which information to communicate?
    • via which channel?
    • when should individuals be notified?
    • role of encryption
    • ...
  • 9. EU Proposals to extend the notification duty
    1. Draft general data protection regulation (January 2012)
    2. Draft e-identification and trust services regulation (June 2012)
    3. Draft network and information security (NIS) directive (February 2013)
  • 10. Draft NIS Directive
    a) Obligations for Member States
    b) Cooperation mechanism
    c) Requirements for market operators and public administrations
    Note: minimum harmonisation (minimum common capacity building)!
  • 11. NIS: Duties for public administrations and market operators
    • Obligation to take appropriate technical and organisational measures to manage the risks
    • Obligation to notify incidents having a significant impact on the security of core services to the national competent authority
    • The national competent authority may inform the public where it determines that this is in the public interest
    • The EC will be empowered to adopt delegated acts (art. 18)
  • 12. “Market operators”: Annex II of the Draft NIS Directive
    • Providers of “information society services” (operating in the EU)
      • e-commerce platforms
      • internet payment gateways
      • social networks
      • search engines
      • cloud computing services
      • application stores
    • Operators of “critical information infrastructures” (CIIP operators)
      • Energy
      • Transport
      • Banking
      • Financial market infrastructures (stock exchanges, clearing houses)
      • Health sector
  • 13. EU Proposals to extend the notification duty
    1. Draft general data protection regulation (January 2012)
    2. Draft e-identification and trust services regulation (June 2012)
    3. Draft network and information security (NIS) directive (February 2013)
  • 14. Draft EU e-Identification and Trust Services Regulation
    1. e-Identification
    2. Trust Services
  • 15. “e-Identification”: mutual recognition
    • idea:
      • if an online (government) service in a Member State requires access authentication by means of an e-ID,
      • then this service should also be accessible with e-IDs notified by other Member States
  • 16. “Trust Services”
    • stricter rules for “trust service providers” (e.g. an annual security audit)
    • “trust services”: services related to e-signatures, timestamps, e-documents, e-delivery, website authentication and digital certificates
    • introduction of security breach notification (to supervisory bodies and data protection commissioners)
    • “qualified” trust services: presumption of legal validity
  • 17. EU Proposals to extend the notification duty
    1. Draft general data protection regulation (January 2012)
    2. Draft e-identification and trust services regulation (June 2012)
    3. Draft network and information security (NIS) directive (February 2013)
  • 18. On 25 January 2012 the European Commission officially released a proposal for a comprehensive reform of the 1995 data protection rules on the processing of personal data.
  • 19. 1. One single European law
    If adopted, the proposed Regulation would apply directly across the EU. As a consequence, companies established in more than one EU country would no longer have to cope with the divergent rules of the individual Member States.
  • 20. 2. Every company supervised by one data protection commissioner
    Personal data processing by companies established in more than one EU country would be monitored by one single supervisory authority. In principle this would be the data protection authority of the country where the company has its main establishment.
  • 21. 3. Also applicable to companies outside the EU
    In theory, the proposed Regulation claims to apply to the processing of personal data of data subjects residing in the EU by a controller not established in the EU, where the processing activities relate to the offering of goods or services to such data subjects, or to the monitoring of their behaviour.
  • 22. 4. Basic rules remain but would be better enforced
    The supervisory authorities would be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of a company’s global annual turnover. Moreover, the responsibility and liability of the controller for any processing of personal data are established more clearly.
  • 23. 5. Abolition of the general obligation to notify
    The general obligation to notify processing operations to the supervisory authority would be abolished and replaced by procedures and mechanisms which focus instead on those processing operations that are likely to present specific risks. (This is the notification of processing under the 1995 rules, not the breach notification discussed in point 10.)
  • 24. 6. Data protection officers
    The controller and the processor would in future be required to designate a data protection officer in any case where:
    (a) the processing is carried out by a public authority or body; or
    (b) the processing is carried out by an enterprise employing 250 persons or more; or
    (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.
  • 25. 7. Consent: always explicit
    Tacit consent would no longer be sufficient as a legal ground for personal data processing. Moreover, consent could no longer be buried in terms and conditions: it would have to be presented in a form that is distinguishable in its appearance from other matters.
  • 26. 8. Right to be forgotten?
    The right to erasure would be extended in such a way that a controller who has made the personal data public would be obliged to inform third parties which are processing such data that the data subject requests them to erase any links to, or copies or replications of, that personal data.
  • 27. 9. “Data portability”
    The data subject would be allowed to transfer the data they have provided from one automated application, such as a social network, to another. This would apply where the data subject provided the data to the automated processing system on the basis of consent or in the performance of a contract.
  • 28. 10. Security breach notification
    As soon as a controller becomes aware that a personal data breach has occurred, it would be obliged to notify the breach to the supervisory authority without undue delay and, where feasible, within 24 hours. The individuals whose personal data could be adversely affected by the breach would also have to be notified without undue delay, so that they can take the necessary precautions.
  • 29. Conclusions
    • current scope still limited (telecom providers, ISPs, etc.)
    • extension to other sectors under discussion
    • lack of co-ordination between the proposed rules is criticised
    • many questions remain about practical implementation
  • 30. Jos Dumortier
    time.lex - Information & Technology Law
    Congresstraat 35, B-1000 Brussel
    (t) +32 (0)2 229 19 47
    www.timelex.eu / jos.dumortier@timelex.eu