UK organisations face hidden 'double jeopardy' under two EU data security laws
As the UK Information Commissioner (ICO) updates its digital services guidance, lawyers are warning that critical infrastructure organisations and digital services providers could be fined twice for the same security breach under two separate EU laws.
Dr Kuan Hon, director of Privacy, Security and Information at European law firm Fieldfisher, says that both the General Data Protection Regulation (GDPR) and the EU directive on the security of Networks and Information Systems (NIS Directive) could lead to separate fines for the same security breach.
The NIS Directive imposes security and incident reporting obligations on two classes of organisations:
Operators of essential services (OESs), basically critical infrastructure service providers, and
Digital service providers (DSPs), meaning cloud computing providers, online marketplaces and search engines (although small/micro enterprises are exempt).
The NIS Directive concerns the protection and improvement of security of network and information systems. It is not limited to personal data or cyber breaches.
The GDPR, however, is concerned with the protection of individuals' personal data. In the UK, OESs are regulated by sectoral regulators, while DSPs are regulated by the ICO.
Organisations within scope must comply with both regimes and risk being fined separately for the same incident if personal data are involved – thereby creating a "double jeopardy" situation for those organisations that fall foul of either or both pieces of legislation.
Kuan Hon, a Director in Fieldfisher's Privacy, Security and Information group, explains: "The NIS Directive and UK NIS Regulations say that NIS regulators should 'consult and cooperate' with data protection regulators, and the UK government had previously agreed that organisations should not be tried for the same offence twice. However, it has also said, 'there may be reason for them [organisations] to be penalised under different regimes for the same event because the penalties might relate to different aspects of the wrongdoing and different impacts'.
"Furthermore, in updated NIS Directive guidance issued on 17 October, the ICO confirmed that NIS enforcement powers 'are separate from those we have available under data protection law. In cases where a NIS incident impacts on personal data, we are able to take action under both NIS and data protection law if it is appropriate and proportionate to do so'.
"Compliance with both laws is therefore essential for organisations to manage the risks of fines or reputational damage for any future data, cyber or other security breach.
"Regulators can levy fines under the UK NIS Regulations in four tiers depending on seriousness, with ceilings ranging from £1 million to £17 million (equivalent to the €20 million figure under the GDPR). Under GDPR, however, the maximum fine could reach 4 per cent of turnover, which in some cases may be much greater than €20 million. Furthermore, NIS regulators could notify the public of NIS incidents if they consider it necessary."
EU organisations need to assess to what extent their services are caught by the NIS Directive and consider registering where required; for example, UK DSPs must register by 1 November 2018.
OESs could be considered by the relevant authorities to be providing essential services in more than one Member State, in which case they'd have to comply with all those Member States' NIS Directive laws.
Non-EU DSPs that offer digital services in the EU need to assess, for each service, where its EU "main establishment" (EU head office) is located. If a company has no EU establishment, it needs to decide where to appoint an EU representative in order to benefit from an EU "one stop shop", since national NIS Directive laws vary.
Companies also need to check that their security measures comply with the relevant Member State NIS laws, competent-authority requirements and any other applicable security requirements. In the UK, for example, OESs should assess themselves against the National Cyber Security Centre's NIS security principles, Cyber Assessment Framework and sector-specific guidance. EU DSPs' security measures must comply with a detailed Commission Implementing Regulation.
Incident management response plans and processes must enable the recording and assessment of metrics, so that incidents can be measured against NIS sectoral thresholds and regulators notified where necessary. For example, the UK deadline is 72 hours at most (under the GDPR, it is 72 hours only "where feasible").
Evidence of compliance is also important and organisations need to check off and document their compliance against each of their NIS sectoral requirements to prepare for regulatory information requests or inspections.
More information from:
Kuan Hon, Director, Fieldfisher, firstname.lastname@example.org / 020 7861 4545 / 07391 419 940
Laura Syrett, Communications Manager, Fieldfisher, email@example.com / 020 7861 4164