Digital era legal change

In December 2015, European Parliament and council came to a political agreement regarding data protection reform.

By 14 April 2016 the council adopted the regulation project - The General Data Protection Regulation (intended to replace directive 95/46/EC) – which will come into force by 2018. Will the regulation’s implied administrative burden be able to counter the consequences associated with a data breach arising from a cyber attack?

Data processor’s obligations

Through this regulation’s territorial scope, data controllers and processors outside the EU will have to designate an EU representative when its processing activities relate to offering of goods or services (even if they are free) or monitoring the behaviour of EU data subjects.

Data processors will be obliged to maintain a written record of processing activities carried out on behalf of each controller and:

  • Designate a data protection officer where required.
  • Appoint a representative (when not established in the EU) in certain circumstances.
  • Notify the controller on becoming aware of a personal data breach without undue delay.

Data subject’s rights

In order to provide an easy and transparent use of, and access to personal data, the new regulation aims to widen user’s rights and further develop user’s legal status:

  • The need for each user to freely consent having their data processed, which has to be specific concerning sensitive data.
  • The right of erasure or “right to be forgotten”, when a user withdraws consent to have their data processed or simply requests the rectification or erasure of such personal data.
  • Data controllers are also required to specify the recipient to whom the personal data is to be or has been disclosed, as well as the purposes of the processing and storage period.

Also, users are entitled to request from controllers a copy of their electronic data, which is currently undergoing processing, for them to handle and make further use of.

Data controllers must notify data breaches to its national supervisory authority. This must be done without undue delay and, where feasible, within 72 hours of awareness. A reasoned justification must be provided if this timeframe is not met. When the data breach may affect the protection of personal data or privacy, the data controller must also notify the affected data subjects without undue delay.

Cyber risk management issues

Although this is a step forward, it may also place a huge administrative burden on data controllers and supervisory authorities. According to an estimate by the Center for Media, Data and Society at the Central European University, there have been at least 200 breaches in Europe involving 227 million records since 2005. Bearing in mind that if data controllers and national agencies are to comply with the timelines of data breach notifications, more often than not these will be incomplete. Maybe even more likely, the controller will try to demonstrate to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. The Council adds that this includes encryption:

Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.

Therefore, the effects of this administrative burden on data controllers will extend to all concerned and its lack of effectiveness may also mean added costs as the Regulation allows the supervisory authority to impose a fine - of whichever is the higher of up to €20 million or 4% of the annual worldwide turnover in the case of an enterprise.

As the post-Brexit legal landscape approaches, it is unclear whether this regulation will be maintained in the UK or if a different set of rules is to be applied there.

Although the demand for cyber products has not yet seen a boom, its price and lack of awareness can be a significant barrier to businesses appreciating the need for cyber coverage as the frequency and sophistication of cyber attacks and related incidents continues to increase. In fact, cybercrime was reported to cost the UK approximately £27 billion in 2013, with the average costs for small businesses between £65,000 and £115,000, while for large business the range was between £600,000 and £1.15 million.

Cyber risk insurance providing cover for third party liabilities is one mechanism to offset losses deriving from data breach, however, the weight falls on businesses’ ability to understand their own exposures and defending themselves against the ever-evolving nature of cyber risks. On a wider view, this General Data Protection Regulation demonstrates the European legislator’s compromise with cyber security issues

Related item: EU data protection: regulation awakens