Ross McKean

The UK Competition regulator, the Competition and Markets Authority, has just launched a call for information into the commercial use of consumer data. Given the exponential rise of data as a business asset in the digital age, competition regulators and commentators have been talking about personal data as a potential anti-trust issue for some time; this inquiry is a first step in the direction of potential competition intervention in an area hitherto the preserve of privacy regulators. Businesses wishing to share information with the CMA (and the wider world) about how they collect and monetise data have until 6 March to respond.

The CMA published its “Call for information: the commercial use of consumer data” on 27 January. The purpose of the fact-finding exercise is to “understand the potential for the collection and use of consumer data to generate concerns, both in terms of competition and markets, as well as consumer protection”. The document seeks responses from (among others) organisations collecting consumer data and infomediaries who process and analyse such information. There are 12 specific questions relating to the following 4 broad areas:

  • The consumer data collected, sold and its value
  • Uses to which the data is put and any restrictions in gaining access to it
  • The benefits to, and risks to, both consumers and businesses of using this data
  • The policy implications and future developments

Competition regulators’ interest in personal data is not new: for example in 2012 the then EU Competition Commissioner Joaquin Almunia gave this speech in which he highlighted the need for competition policy to be “vigilant” to the commercial use (and potential abuse) of data. His successor, Margrethe Vestager, in her hearing before the EP acknowledged the role of data as the “new currency of the Internet”. As she considers the next steps in the probe into Google’s dominance in search advertising markets, it will be interesting to see what stance EU policy will take on data. Last but not least, the new European Data Protection Supervisor, Giovanni Butarelli, has recently called for a more joined-up approach between competition and data regulators, following on from his predecessor’s opinion on “privacy and competitiveness in the age of big data”, published in March 2014.

With regulators (both competition and privacy) taking an ever keener interest in businesses’ use and abuse of personal data, organisations should be mindful that any information they elect to share with the CMA potentially becomes disclosable (to regulators, to rivals, to the press) under the Freedom of Information Act, as explained by the CMA in this note. Some of the questions – for example on how firms use data and share it with other organisations, and on how it is collected (and in particular how well consumers understand and consent to these uses) – have the potential for self-incrimination.

As Datonomy readers may already be aware, today is Data Protection Day, an annual event initiated in 2007 to raise awareness of data protection. Although the CMA was one day early, the timing of the Call For Information is fitting in this sense, in that it shows that data is now officially on the radar of anti-trust as well as privacy regulators – and if that doesn’t serve to raise personal data up the business agenda, nothing can.

Datonomy wishes all its readers a happy, and competitive, Data Protection Day 2015!

Katharine Alexander

A weekly round-up of legal and regulatory developments and news in the field of cybersecurity, brought to you by the Datonomy blogging team at Olswang LLP.

UK developments

  • Further to our coverage last week of the UK/US collaboration on cybersecurity, the issue continues to receive much coverage both in the mainstream media and trade press. The tech press gave positive coverage of David Cameron’s recent trip to the US after he took a delegation of UK cybersecurity companies to the US to meet with the Obama administration about responses to cyber threats. Mr Cameron has appointed Andy Williams of Tech UK’s Cyber Connect project as the UK cyber envoy to be based in the British Embassy in Washington, DC.
  • The first initiative in this UK/US collaboration will be the planned “war games” to test each other’s preparedness for a cyber attack.  The drill will simulate attacks on the City of London and Wall Street in order to test the resilience of financial institutions.  In order to plan further joint war games, Cameron and Obama have spoken of setting up cyber cells either side of the Atlantic in which GCHQ and the NSA can share information and review strategies. In a second initiative, MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) will compete against the University of Cambridge in a ‘hackathon’ as part of an attempt to share expertise.
  • British high street shoe retailer Office has given an undertaking to the Information Commissioner’s Office after a recent data breach exposed more than one million customers’ details. ICO officials have stated that the hack highlights two important issues: the unnecessary storage of older personal data and the lack of security in hosting infrastructure. In response, Office has given undertakings with regard to penetration testing, implementing new policies (to include data retention and disposal) and staff training (read the full undertaking here).
  • Last week, a cross-party group of peers tabled amendments to the Counter Terrorism and Security Bill; these changes seek to introduce the extended law enforcement powers, originally proposed by the 2012 Communications Data Bill, to access internet data. The Lords are due to debate the proposals this afternoon (Monday 26 January). Full information about the stages of the current Bill can be found on the parliament website here.

EU developments

  • The European Network and Information Security Agency (ENISA) has published a guide detailing the current information-sharing landscape in the context of cybersecurity information that requires reporting.  The report then outlines a series of existing tools and standards, best practices and recommendations for improvement.
  • ENISA’s Executive Director, Udo Helmbrecht, participated in the discussion panel regarding “Secure identities – An effective tool to increase information security?” at the Omnicard event in Berlin on 21 January 2015. The panel discussed the challenges to electronic identification procedures being made secure for both businesses and individual consumers using everyday online services.
  • The European Commission has announced that the Cybersecurity & Privacy Innovation Forum will be held on 28-29 April 2015 in Brussels.  The forum aims to bring policy-makers and researchers together in order to discuss future challenges and research priorities.
  • GDPR – latest predictions on adoption: In the long-running saga of negotiations to agree the draft GDPR, which includes revised rules on data security and data breach notification, the latest prediction comes from Commission Vice President for the Digital Single Market, Andrus Ansip. According to this interview reported by the Euractiv service Mr Ansip stated “The Data Protection regulation discussions can and should be finalised in 2015. This is one of the Commission’s top priorities” and that he believes the next hurdle – general agreement by the Council on the draft – can be achieved by the end of June 2015.  However, this is just the latest in a series of target dates which have come and gone.  On 22 January, Jan Albrecht (the EP’s Rapporteur for the proposal) was quoted as saying he was optimistic that the Council would reach its negotiating position by the summer, and that he was “optimistic we can reach a solution in 2015”.  Even if the Council reaches its common position by the summer, the three institutions still need to hammer out a compromise text before the measure can be adopted.  Some commentators are sceptical that the measure will be adopted before 2016 – and then there will be a two year lead in period before the Regulation takes effect.
  • In related news, viEUws, the EU policy broadcaster, hosted an online debate regarding the European Commission’s General Data Protection Regulation (GDPR) this week.  Discussion focused on public confidence in the GDPR given the legislative hold-up and harmonisation with any potential ePrivacy directive.

US 

  • President Obama used his State of the Union speech to reinforce his recent legislative push for greater cybersecurity.  The speech mirrored his recent legislative language, focussing on three specific issues: cybersecurity information sharing, modernisation of law enforcement agencies against cyber crime and national data breach reporting.

Attacks, statistics and other news

  • Coinciding with last week’s World Economic Forum in Davos, the newly-published World Economic Forum’s 2015 report into global risks lists cyber attacks as among the most likely high-impact threats in the modern world (only behind water crises, interstate conflict and failure of climate-change adaptation). The WEF report highlights the serious dangers associated with cyber threats including interstate conflict, terrorism and the proliferation of WMDs. In addition, the report stresses how the power of interconnectivity has broadened the potential effects of cyber threats, noting “Assessments must go beyond cybersecurity, as the risks are not just about external threats but also about the fundamentally unstable dynamics of digital infrastructures and the complex, chaotic and unpredictable ways they can interact with civic, social and economic systems.”
  • Cisco’s 2015 Annual Security Report suggests that government agencies, in general, appear to be better able to cope with data breaches/have stronger cybersecurity than the private sector.  About 43% of the public sector fell into the “highly sophisticated” category while financial services and pharmaceutical companies registered 39% and 32% respectively.
  • The tech press are reporting that this year’s ESG IT spending intentions survey has revealed that “security/IT risk management initiatives” is the most popular initiative driving IT spending at large organisations this year.  This marks the first year that security has topped the list.
  • According to the IT governance blog, one of Australia’s largest travel insurance companies, Aussie Travel Cover, attracted criticism for failing to notify customers following a recent cyber attack.  Having become aware of the attack on 18 December 2014, they notified third-party agents on the 23rd, but never notified customers despite 870,000 records (which included names, phone numbers, email addresses, travel dates and policy details) being affected.  The Australian Information Commissioner’s Office guidance strongly recommends notifying individuals.

More cyber news from the Datonomy team at Olswang next week.
Katharine Alexander

With cyber attacks now routinely in the headlines, with the global cost of cybercrime estimated at $400 billion for this year and with governments responding with a host of counter-measures, the Datonomy team is launching a weekly round-up to help you stay up to date with the latest legal, regulatory and news developments from around the world. Given the inextricable link between data privacy and cybersecurity, we hope that Datonomy’s growing readership will find this update useful. We look forward to hearing your comments, and welcome news and updates from Datonomy readers around the globe.

UK developments

  • Cyber security was again front page news last week with the announcement by the UK and US that they will stage cyber attack war games, initially in the financial services sector, and improve the exchange of cyber intelligence between the two powers – read the BBC’s coverage here. In related news, twelve UK cyber defence firms, including Darktrace, Cambridge Intelligence and Digital Shadows, have joined David Cameron on his trip to the US to discuss cybersecurity with the Obama administration.  The effort hopes to reinforce the international perception of the UK as a leading player in terms of the skills, knowledge and intellectual property in cyber defence.
  • The UK government has published updated cybersecurity guidance (originally published in 2012) for businesses. In an interdepartmental report between the CESG, Cabinet Office, Centre for the Protection of National Infrastructure and DBIS, a 10 step approach to bolstering information risk management regimes was presented as the most cost-effective way to protect businesses against cyber threats. Although the 10 steps remain the same, the updated guidance includes a new paper entitled “Common Cyber Attacks: Reducing The Impact”.

EU developments 

  • Progress on the draft EU Network and Information Security Directive: This update will be keeping a keen eye on the progress of the EU’s proposed Network and Information Security Directive, also known as the Cyber Security Directive. As Datonomy readers will be aware, it is almost two years since the European Commission published its proposals, which include the mandatory reporting of cyber attacks by providers of key infrastructure – see our original summary here and our status update as at the end of October 2014 here. A revised draft (with significantly narrowed scope) was passed by the European Parliament in March 2014, and trilogue negotiations between the Commission, Parliament and Council to finalise the Directive began in October and were predicted (by the Council) to conclude in early December. However, there have been no official progress reports since November. The scope of the “market operator” definition – and in particular whether ecommerce and social networks should be caught (as per the Commission’s original proposal) or not (as per the Parliament’s text) – is one key area of debate. It remains to be seen when the Directive will be adopted; the incoming Latvian Presidency of the Council has included it as one of its policy priorities for the six months ahead. Once adopted, Member States are likely to be given an 18 month transposition deadline – although some Member States such as France and Germany are already pre-empting it with new cyber legislation. Watch this space for future updates.
  • The European Network and Information Security Agency (ENISA) has published a report aimed at internet infrastructure owners and operators highlighting the threat landscape and best practice with regard to cybersecurity.  The report details specific threats that can disrupt connectivity, including: routing threats, DNS threats and denial of service threats.
  • ENISA has also published its findings in relation to the draft Network and Information Security Directive (NISD) specific to the EU’s finance sector.  Despite varying approaches in the 28 member states, the study largely demonstrates a good understanding of the risk landscape and appropriate response strategies within the sector.
  • To cap off a busy week, ENISA has published another new report, “Privacy and Data Protection by Design – from policy to engineering”, detailing leading privacy design strategies.  The report lays out a plan to marry the EU’s existing legal framework with expected technological implementation measures in the field.  Targeted towards data protection authorities, policy makers, regulators, engineers and researchers, the report suggests producing further incentives for adopting privacy by design measures and new standards for electronic communication.
  • A recent survey of French, German and British companies found that only 39% of organisations have met the new requirements introduced by the NISD and even fewer (20%) in the case of the General Data Protection Regulation (GDPR).  The survey details the strain placed on in-house IT departments to pay for and implement the necessary additional hardware, software and security policies.

US developments 

  • Following recent reports of the resurfacing of a Cybersecurity Bill in Washington, President Obama is pushing forward in attempting to implement the findings of his Cyberspace Policy review with a host of new legislative proposals focused on the following issues: enabling cybersecurity information sharing between the private sector and the government, modernising law enforcement authorities to combat cyber crime and harmonising national data breach reporting protocols.  Within the legislative proposal is a specific bill, the Student Digital Privacy Act, preventing companies from selling student data to third parties, and another, the Personal Data Notification & Protection Act, mandating that companies alert consumers within 30 days of discovering a security breach involving customer information.  President Obama does however face an uphill challenge to get the legislation approved with a Republican-led Congress, which he has already threatened with three vetoes within the first week of sitting.  Read more here and here.
  • Vice President Joe Biden has announced a bump of $25 million in funding to be applied to cybersecurity education efforts throughout the US.  The investment, which will mainly be provided to 13 historically black colleges and universities, aims to address the recent understanding that the demand for cybersecurity workers is growing 12 times faster than the US job market.

Attacks, statistics and other news 

  • In the biggest cyber news story of the past seven days, the Obama administration was given a stark reminder of the threat posed by hackers after the US military’s Central Command twitter account was allegedly hacked by ISIS this week. The terrorist group posted the message, “American soldiers, we are coming, watch your back. ISIS” on the account and provided a link to a statement that claimed the terror cell were already inside all the military’s computers.
  • Cybercrime has even made it onto the agenda for this week’s annual World Economic Forum, in Davos, Switzerland.  The members of over 40 heads of state want to progress discussion regarding cybersecurity after an estimate that cyber crime will cost the world around $400 billion this year. See the 2015 Edition of the WEF’s Global Risks Report available here.
  • The Australian government are concerned about the rising threat of cyber espionage after reports that Chinese spies have stolen the designs of its new F-35 Joint Strike Fighter jet.
  • The threat of cyber attacks from criminal gangs in Russia and China is not being abated according to a top-secret US cybersecurity report.  The report points to the failure of public and private entities to implement sophisticated encryption technologies fast enough.
  • Venture capital funding in new cybersecurity companies increased by more than a third in 2014 according to research company Privco, as reported by the FT. Over $2.3 billion was invested last year as high-profile hacks fuel early stage investment in online security companies.
  • Games developer, Money Horse, has been forced to abandon the development of its game “Glorious Leader!”  The game allowed players to assume the role of the North Korean leader as he bids to take on the US Army.  Hackers recently penetrated the game’s data files and shut down production completely. 

More cyber news from the Datonomy team next week.


Datonomy’s correspondents in Asia take an in-depth look at the new ISO 27018 and evaluate how it can help cloud customers meet the requirements of Singapore’s new Personal Data Protection Act.

Back in September I blogged on the then newly-published ISO 27018, the first global security standard specifically applying to cloud services. In this recent post my colleague Daniel Jung and I take an in-depth look at how the new ISO measures up to Singapore’s new PDPA.

The article will also be of wider interest to cloud customers and cloud providers as it considers the various ways a cloud provider can demonstrate compliance with the new standard. To read the post, please visit Datonomy’s sister blog Watching The Connectives at this link.

Andreas Splittgerber

The 2014 Year End Newsletter looks at:

I. Article 29 Working Party publishes Opinion on “Internet of Things”

II. Data protection and competition law – statement by the Federal and State Commissioners for Data Protection

III. Are IP-addresses personal data? – German Federal Court of Justice asks ECJ

IV. Data processing for marketing: new guidelines

V. Outlook on current draft laws and recommended reading

A brief summary of each point is below – to read the full newsletter, please click here.

I. Article 29 Working Party publishes Opinion on “Internet of Things”

The WP29 considers IoT as generally permitted, but clearly states that any stakeholder is responsible for data protection. Despite consent requirements and transparency obligations, personal data should be aggregated to the greatest extent possible and the principles of privacy by default and privacy by design shall be applied by the stakeholders.

II. Data protection and competition law – statement by the Federal and State Commissioners for Data Protection

While competition authorities should not turn into data protection authorities (and vice versa), the nexus between data and competition needs to be given more attention in future competition investigations in data-driven high-tech markets.

III. Are IP-addresses personal data? – German Federal Court of Justice asks ECJ

The decision by the ECJ will above all affect all EU operators of websites that allow surfing without personal registration. The decision by the ECJ is not expected before well into 2015, but perhaps the European legislator will take the topic into account in the course of finalising the European Data Protection Regulation.

IV. Data processing for marketing: new guidelines

The Guidelines provide solid assistance and relatively secure guidelines with regard to data protection and marketing.

V. Outlook on current draft laws and recommended reading

Draft laws in IT security and Data Protection:
• Draft Directive on the Protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure
• Draft bill of the IT-Security Act (IT-Sicherheitsgesetz)
• Draft of the General Data Protection Regulation (unofficial consolidated version)

New papers by the Article 29 Working Party:
• Guidelines on the implementation of the Court of Justice of the European Union judgment on “Google Spain and Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12 – WP 225
• Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting – WP 224
• Working Document on surveillance of electronic communications for intelligence and national security purposes – WP 228

Ross McKean

Just what IS the state of play on the draft Regulation? This was the hot topic at the recent IAPP conference in Brussels. The Datonomy Team has been taking stock of progress and has produced a guide to the Top 12 issues and their practical impact for business.

Two weeks ago, members of the Datonomy Team attended the IAPP conference in Brussels. Despite the fact that the draft Regulation didn’t feature heavily on the draft agenda, it was the main topic of conversation between in house privacy counsel, regulators and private practice lawyers during the networking breaks.

As Datonomy readers will be aware, the new Commission President has tasked the new EU Commissioners who now share responsibility for the data protection portfolio with steering inter-institutional negotiations on the text to agreement by May 2015. That would mean the Regulation would take direct effect in Member States by 2017. Over recent weeks, various sources have stated that the Regulation is “coming along nicely” and is even “close to finalisation”. However those trilogue negotiations cannot begin until the Council has adopted a common position on all 11 Chapters of the draft Regulation.  At present, the Council has reached a “partial general approach” on just a few of the 11 Chapters.  So, there is still much work for the institutions to do.

However, since it is clearly now a case of “when” not “if” the Regulation will come into force, and as there are clear shapes forming in the shifting sand, businesses too have a lot of work to do – to prepare for a regime which is significantly stricter and which will be backed up with fines of up to 5% of global turnover.

Datonomy’s pan-European Team has been taking stock of progress on the Top 12 issues and the practical impact the various changes will have on businesses. You can read the guide in full in PDF here, a one page bluffer’s guide here and issue-by-issue coverage here.

Blanca Escribano

Datonomy takes a look at the recent recommendations in the Article 29 Working Party Opinion on the Internet of Things, and what these mean for players in the value chain.

Consumers’ fear of potentially intrusive new technologies is often cited as one of the main barriers to the adoption of the Internet of Things.

Regulators in the US and Europe are starting to get to grips with the issue. As Datonomy readers will be aware, the Article 29 Working Party recently issued an Opinion on the topic, with recommendations on how to embed privacy compliance at every stage of the IoT value chain.

In this paper on the Olswang website here I consider the key privacy and security challenges posed by a connected world, and analyse the latest best practice for suppliers – from device manufacturers, through to app developers and providers of operating systems.

Stakeholders who can demonstrate privacy compliance and ethical practices will be best placed to win consumers’ trust and gain competitive advantage in this brave new and connected world.

Ross McKean

As Datonomy readers may know, October is Cybersecurity Month – a good time to read the second edition of Olswang’s Cyber Alert. There is no doubt that cyber security is rising up the international as well as the business agenda. NATO recently adopted an amendment to its charter to put cyber attacks on the same footing as armed attacks – see paragraph 72 of NATO’s Declaration.

In this edition:

  • In our lead article, EJ Hilbert, Managing Director, Cyber investigations, Kroll EMEA, considers the true cost of cybercrime;
  • In our standards and benchmarks section we consider the new ISO standard for processing PII in the cloud, new standardisation guidelines for cloud computing SLAs and look at the UK’s new certification scheme Cyber Essentials.
  • On our regulatory radar in this edition we track the progress of EU legislation on data and cyber breach notification and draft US legislation, and look in depth at new cyber security legislation in France and Germany and proposals to strengthen criminal penalties in the UK. We also look at a first of its kind ruling by the French data protection regulator, the CNIL, over supply chain security breaches, and at the impact UK fines are having on security compliance.
  • In our threat vectors section we highlight just some of the breaches and threats which have been in the headlines over the summer.

We hope Datonomy readers will enjoy the Cyber Alert. There is a printable PDF version of it here.


Threat Vectors

Tom Errington - October 22nd, 2014

A small selection of the cyber threats and statistics that have made recent headlines.

  • Sources including censorship watchdog GreatFire have alleged that the Chinese authorities are staging a “man-in-the-middle” attack on Apple’s iCloud, just days after the iPhone went on sale in China. The attack is designed to intercept users’ iCloud account usernames and passwords, using a fake login site that looks exactly like the Apple iCloud login site. Read more from The WHIR and ITProPortal.
  • A new bug, which could be affecting hundreds of millions of computers, servers and devices using Linux and Apple’s Mac operating system, has been discovered. System administrators have been urged to apply patches to combat the bug, which has been dubbed “Shellshock”. Read more from the BBC.
  • US companies Home Depot, Supervalu and JPMorgan Chase & Co have all been hit by high profile cyber attacks.
  • Mark Boleat, head of policy for the City of London, has echoed comments made by New York’s financial regulator Benjamin Lawsky that an “Armageddon style” cyber attack will trigger the next global financial crisis by making a major bank “disappear”. Mr Boleat also said that the City of London police had uncovered “a huge underground economy, and a huge underground network” capable of conducting movie-style cyber attacks. Read more from The Telegraph.
  • As has been widely reported, there has been an extremely targeted hack against celebrities, resulting in numerous nude photographs being temporarily floated in the public domain. In the fallout, cyber-thieves reportedly sent out fake notification messages to iCloud users to trick people into handing over their login details.
  • Similarly, 13 GB worth of photos from popular mobile phone app Snapchat have been dumped online. The attack has been dubbed “The Snappening” and was carried out by the use of insecure third-party software designed to let users store “disappearing” snaps. Many are blaming Snapchat for the breach. Read more from The Independent.
  • Security firm Hold Security has announced the “largest data breach known to date”, after a Russian gang dubbed “CyberVor” stole over 2 billion credentials. More details here and here.
  • As ZDNet reports, new research published by FireEye claims that 68% of the most popular free Android apps could become a pathway for cybercriminals to lift sensitive data.
  • An interesting blog by CBR highlights six cyber security trends to watch out for during the rest of 2014, which includes more focus being placed on cyber education and an increase in infrastructure targeting by hackers.
  • The “very alarming” level of cyber threats organisations face is unlikely to fall for at least 10 years, says Suleyman Anil, head of cyber defence at the emerging security challenges division of NATO. Mr Anil asserted there are three prime reasons for this: cyber crime is low risk with the promise of high profits, there has been an increase in opportunity to attack systems and, most worryingly, there is growth in state-sponsored cyber attacks. Read more here.
Claire Walker

As reported in our first edition, there are two proposals making their way through the Brussels legislature which will change the legal landscape for the reporting of cyber attacks. These are the draft Network and Information Security Directive, which will impose reporting obligations on providers of critical infrastructure, and the draft General Data Protection Regulation which will impose data breach reporting requirements on all data controllers. The summer has seen much institutional change in the EU, first with the European Parliament elections in May, the start of Italy’s Council Presidency in July and now with the reorganisation of the European Commission and appointment of a new Commission President and Commissioners with effect from 1 November. The summer has seen little procedural progress, although trilogue negotiations on the NISD have now begun, and on the GDPR the Council (representing the Member States) has, according to this Council press release, just reached a broad consensus on the security and breach provisions in Chapter IV of the draft Regulation (although the Council has not yet agreed its position on the whole proposal). We will continue to monitor progress in our Cyber Alert.

We summarise the state of play – as at 22 October 2014 – on both proposals in a table available here.
