UK organisations face hidden 'double jeopardy' under two EU data security laws
As the UK Information Commissioner (ICO) updates its digital services guidance, lawyers are warning that critical infrastructure organisations and digital services providers could be fined twice for the same security breach under two separate EU laws.
Dr Kuan Hon, director of Privacy, Security and Information at European law firm Fieldfisher, says that both the General Data Protection Regulation (GDPR) and the EU directive on the security of Networks and Information Systems (NIS Directive) could lead to separate fines for the same security breach.
The NIS Directive imposes security and incident reporting obligations on two classes of organisations:
Operators of essential services (OESs), basically critical infrastructure service providers, and
Digital service providers (DSPs), meaning cloud computing providers, online marketplaces and search engines (although small/micro enterprises are exempt).
The NIS Directive concerns the protection and improvement of security of network and information systems. It is not limited to personal data or cyber breaches.
The GDPR, however, is concerned with the protection of individuals' personal data. In the UK, OESs are regulated by sectoral regulators, while DSPs are regulated by the ICO.
Organisations within scope must comply with both regimes and risk being fined separately for the same incident if personal data are involved – thereby creating a "double jeopardy" situation for those organisations that fall foul of either or both pieces of legislation.
Kuan Hon, a Director in Fieldfisher's Privacy, Security and Information group, explains: "The NIS Directive and UK NIS Regulations say that NIS regulators should 'consult and cooperate' with data protection regulators, and the UK government had previously agreed that organisations should not be tried for the same offence twice. However, it has also said, 'there may be reason for them [organisations] to be penalised under different regimes for the same event because the penalties might relate to different aspects of the wrongdoing and different impacts'.
"Furthermore, in updated NIS Directive guidance issued on 17 October, the ICO confirmed that NIS enforcement powers 'are separate from those we have available under data protection law. In cases where a NIS incident impacts on personal data, we are able to take action under both NIS and data protection law if it is appropriate and proportionate to do so'.
"Compliance with both laws is therefore essential for organisations to manage the risks of fines or reputational damage for any future data, cyber or other security breach.
"Regulators can levy fines under the UK NIS Regulations in four tiers depending on seriousness, with ceilings ranging from £1 million to £17 million (equivalent to the €20 million figure under the GDPR). Under GDPR, however, the maximum fine could reach 4 per cent of turnover, which in some cases may be much greater than €20 million. Furthermore, NIS regulators could notify the public of NIS incidents if they consider it necessary."
EU organisations need to assess to what extent their services are caught by the NIS Directive and register where required; for UK DSPs, for example, the registration deadline is 1 November 2018.
OESs could be considered by the relevant authorities to be providing essential services in more than one Member State, in which case they'd have to comply with all those Member States' NIS Directive laws.
Non-EU DSPs that offer digital services in the EU need to assess, for each service, where its EU "main establishment" (EU head office) is located. If a company has no EU establishment, it needs to decide where to appoint an EU representative in order to benefit from an EU "one stop shop", since national NIS Directive laws vary.
Companies also need to check that their security measures comply with the relevant Member State NIS laws, competent authority requirements and other applicable security requirements. In the UK, for example, OESs should assess themselves against the National Cyber Security Centre's NIS security principles, Cyber Assessment Framework and sector-specific guidance. EU DSPs' security measures must comply with a detailed Commission Implementing Regulation.
Incident management response plans and processes must enable incidents to be recorded and assessed against NIS sectoral thresholds, and must support regulatory notification where necessary, e.g. the UK deadline is a maximum of 72 hours (under the GDPR, the 72-hour deadline applies only "where feasible").
Evidence of compliance is also important and organisations need to check off and document their compliance against each of their NIS sectoral requirements to prepare for regulatory information requests or inspections.
More information from:
Kuan Hon, Director, Fieldfisher, firstname.lastname@example.org / 020 7861 4545 / 07391 419 940
Antonis Patrikios, Head of Cybersecurity, Fieldfisher, email@example.com / 020 7861 4354 / 07872 822 389
Chris Bond, PR & Brand Manager, Fieldfisher, firstname.lastname@example.org / 020 7861 4175 / 07407 312 618
Laura Syrett, Communications Manager, Fieldfisher, email@example.com / 020 7861 4164
About Antonis: https://www.fieldfisher.com/people/p/antonis-patrikios
Fieldfisher is a European law firm with market leading practices in many of the world's most dynamic sectors. We are an exciting, forward-thinking organisation with a particular focus on technology, finance & financial services, energy & natural resources, life sciences and media.
Our cybersecurity practice is one of Europe's leading specialist teams and has been advising on data breaches and cyber incidents for many years.
Our growing European network of offices supports an international client base alongside our Silicon Valley and China colleagues. Among our clients we count social media sites and high street coffee chains as well as pharmaceutical, life sciences and medical devices companies, energy suppliers, banks and technology leaders.
Clients choose to work with us because we deliver commercial, pragmatic and innovative solutions through our exceptional legal expertise and experience, on time and on budget.
Our network has more than 1,450 people working across 24 offices providing highly commercial advice based on an in-depth understanding of our clients' needs.
We operate across our offices in Amsterdam, Barcelona, Beijing, Belfast, Birmingham, Bologna, Brussels, Düsseldorf, Frankfurt, Guangzhou, Hamburg, London, Luxembourg, Madrid, Manchester, Milan, Munich, Paris, Rome, Shanghai, Turin, Venice and Silicon Valley.
Fieldfisher is currently Law Firm of the Year - Legal Business Awards 2018 and British Legal Awards 2017.