Before Datonomy readers head off for their well-earned summer holidays, here’s a quick round up of “end of term” UK and EU regulatory activity. The weekly cyber update will also be taking a break during the rest of August, but will return – with batteries re-charged – in the Autumn to continue monitoring regulatory developments in the fields of data and cyber security.
EU POLICY AND REGULATION
- Network and Information Security Directive: Another glimmer of progress in the long-running saga of the NISD, and in particular the still unresolved question of the extent to which online platforms will be caught by the new breach reporting requirements. Following the recent sighting of a Council document on the scope of “essential services” (reported last week), on 31 July another potentially very significant new document was listed on the Consilium website. Entitled “Proposed approach to digital service platforms”, this promising-sounding document is, at the time of writing, still not available, either on Consilium or elsewhere in the public domain. Regular readers will be aware that in June the Council announced that agreement on the main principles of the Directive had been reached with the EP but with digital service platforms to “be treated in a different manner from essential services”, with these all-important details “to be discussed at a technical level”. To find out the Council’s intentions towards online services, Datonomy readers should keep their eyes peeled over the Summer for this document to be published.
- General Data Protection Regulation: There has also been a pre-holiday flurry of activity in Brussels on the GDPR. The Presidency’s debrief document reporting the outcome of the trilogue negotiation on 14 July, still not officially available, has now been leaked by Statewatch.org here (93 pages): http://www.statewatch.org/news/2015/jul/eu-council-dp-reg-debriefing-trialogue-10680-15.pdf. The mark-up shows the issues on which the institutions have reached tentative agreement in relation to a number of provisions including territorial scope and international transfers – and some other provisions. This tentative agreement on these issues is on the basis that “nothing is agreed until all is agreed”.
Statewatch has also leaked the Council’s trilogue prep document for Chapter II of the Regulation, i.e. Principles – that 89-pager is here: http://www.statewatch.org/news/2015/jul/eu-council-dp-reg-prep-trilogue-10790-15.pdf. Chapter II is due for negotiation after the summer break.
- European Union Agency for Network and Information Security: On 28 July, ENISA announced the publication of its latest Annual Report, outlining its key achievements and flagship projects over the past year. The full report can be accessed here.
- Cyber security month: Datonomy does not want to wish the Summer away, but it would be remiss of us not to put in a plug for the EU’s official Cyber Security Month in October. ENISA’s call for partners for the event is now open.
UK POLICY AND REGULATION
- Cyber security give-away: The UK Government has announced a new cyber security funding scheme. Run by the government body Innovate UK, the scheme will award Cyber Security Innovation Vouchers of up to £5000 to eligible small businesses to enable them to obtain advice from a range of experts on protecting their businesses and their intellectual property from cyber threats. Details of how to enter Round 13 of the draw (deadline 20 October) are here.
- ICO enforcement action: Data breaches and lax security practices continue to dominate as the trigger for formal enforcement actions taken by the ICO. In the past week the ICO has published two new undertakings, and one follow-up action to a previous undertaking. All relate to breaches of the 7th Principle, all three relate to the public sector, and the consistent theme running through all the ICO’s required actions is the need to implement and repeat staff training. You can view the latest enforcement actions here.