The likely demise of the US Safe Harbor is dominating the data news headlines – but what else is happening in the world of data and cyber regulation? Datonomy provides a round up of other recent developments in Europe and Asia.

With contributions from Andreas Splittgerber and Christian Leuthner in Germany, Sofia Fontanals in Spain and Matthew Hunter, Daniel Jung and Aisling O’Dwyer in Asia, in this update we cover:

  • EU policy and regulation including latest news from Brussels on the GDPR and NISD
  • News from the UK
  • News from Germany
  • News from Spain
  • News from Asia


  • GDPR and NISD: Commission President Junker has yet again affirmed the “swift adoption” of the GDPR and NISD as priorities in this open letter of 9 September to the European Parliament. Below we take a more detailed look at the recent procedural progress of these two (not-so-swift) proposals.
  • ECJ’s Safe Harbor decision expected 6 October: Not long to wait to find out whether the CJEU will follow AG Bot’s Opinion sounding the death-knell for the current Safe Harbor as a means to legitimise data transfers to the US. Most commentators are advising businesses to put alternative adequacy mechanisms – such as model contracts – in place. The Euractiv service yesterday carried this report of the US reaction to the damning opinion. The CJEU’s ruling is scheduled to be made public first thing on 6 October on the Curia website here
  • Negotiations on Safe Harbor II: Meanwhile, what has happened to the long-running renegotiation of the Safe Harbor? The latest official word from the Commission – pre dating the AG’s Opinion – appears to be this press release and this fact sheet dated 8 September, announcing the “finalisation and initalling” of the EU- US data protection Umbrella Agreement. Although this marks an important step towards the restoration of trust in EU-US data flows (or, in practical terms, US data transfers based on Safe Harbor  being lawful once more), there is still some way to go. As the releases note, the Umbrella Agreement cannot be formally entered into until the adoption of the Judicial Redress Bill by the US Congress. Commissioner Jourova states that she isconfident that we will be able to soon conclude our work on strengthening the Safe Harbour Arrangement for exchange of data for commercial purposes”.


Behind closed doors in Brussels, trilogue negotiations on the GDPR continue, with much activity evident from documents referred to on the Council’s website but with little detail reaching the public domain as yet.  There is helpful timetable provided by MEPs in the EPP group here.   Negotiations on Chapters II (Principles) and III (Rights of Data Subjects) took place on 16 and 17 September. The Council received a debrief last week, according to a document listed on the Council website (contents not yet in the public domain).

Trilogues on Chapter IV (Controller and Processor) are reported to be taking place on 29 and 30 September. Again, the Council’s website lists preparatory documents but does not make them available.

The next topics up for negotiation in October are, according to the EPP, Chapters V (international transfers), VI (supervisory authorities) and VII (cooperation and consistency). The Council’s preparatory documents for these three chapters have been listed on the Consilium website – but you’ve guessed it, these are not yet available.

So, as we watch and wait for the fine detail of the GDPR to be agreed and to emerge, what can businesses do on a practical level to prepare? The ICO has published this short article highlighting the key areas on which businesses should start to gear up for what will inevitably a stricter regulatory regime.

The ICO has also published a user-friendly update on progress of the trilogue negotiations (as at August) to accompany its more detailed comments on the Council’s position


With attention focused on the GDPR, let’s not forget the other part of the Data Protection Package, namely the Law Enforcement Directive (or, if you prefer its full title, the Directive on  protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data). Over recent weeks there has been a flurry of preparatory documents on Council’s website, some officially published and some leaked by Statewatch, as the Council prepares its general approach and gears up for  for trilogue. Expect more news when the Justice and Home Affairs Council meets on 8th and 9th October.


So much for hype about the principles of the NISD being “agreed” back in June (see our coverage of the Council’s optimistic announcement here). There is evidently still a lot of work going on behind the scenes to resolve the all-important question of which online service providers will be caught by the new reporting obligations. Recent documents listed (but not published) on the Council’s website focus on the following tricky issues: drafting suggestions on operators providing essential services; drafting suggestions on “internet enablers”. We’ll continue to monitor developments. Meanwhile President Junker in his open latter of 9 September reiterated that agreeing the NISD remains one of his priorities for “swift adoption”.


  • The themes of security breaches and unlawful marketing continue to dominate the formal enforcement actions taken by the ICO over the Summer. Of particular interest is  this undertaking  given by UK charity Anxiety after it fell foul of the ICO over lax website security. Security breaches exposed names, addresses – and anxiety conditions – of the charity’s users over a 12 month period. The lessons to learn from Anxiety’s misfortunes are not new: the need to exercise proper control over processors (in this case the website company responsible for building the website), the need for extra care with sensitive personal data, the need for adequate vulnerability testing, and the importance of not retaining data longer than needed.
  • The ICO’s technical team has published this useful blog post highlighting some common security flaws in websites and apps – and how to avoid them.


The latest IT update from Datonomy’s correspondents in Germany is here. It includes news that the Bavarian Data Protection Authority has recently imposed significant fines:

  • on both parties to an asset deal for failure to obtain customers’ consent to the transfer of email addresses, phone numbers and credit card details
  • on a principal for failing to have a sufficiently detailed data processor contract in place.


  • The regulation on the protection of critical infrastructure in Spain is moving forward with the Decision of the Security State Department, of 8 September 2015, approving the new minimum content of the Operator Security Plans and the Specific Protection Plans.
  • The Spanish National Cybersecurity Institute, INCIBE, detected more than 5,000 attacks against domestic routers in a single day. The purpose of these attacks was to install denial of service malware. A post on the risks to which domestic routers are exposed has also been published on INCIBE’s blog.
  • INCIBE, has launched the first Cybersecurity Olympics targeted towards secondary schools, high schools and vocational training schools nationwide.
  • On 29 and 30 October ISACA CV (the Information Systems Audit and Control Association of the Valencian Community) will hold the IX National Congress on IT Audit, Security and Governance on the theme of “Governing cybersecurity”.


Hong Kong:

  • The Hong Kong Privacy Commissioner for Personal Data recently published an information leaflet which provides guidance on the protection of personal data in the use of cloud computing.  It sets out the data protection principles applicable to data users when engaging cloud service providers. The leaflet also recognizes the usefulness of the new international standard, ISO/IEC 27018 that deals with the protection of personal data protection by cloud service providers.


  • It is reported that the Malaysian Personal Data Protection Commissioner (“PDPC”) published draft Personal Data Code of Practice for the banking and financial sector as well as for licensees under the Communications and Multimedia Act 1998.  These draft Codes of Practice aim to set standards of conduct and stipulate measures that the relevant data users should comply with in order to protect personal data. The PDPC has asked for public feedback on these drafts.  We will keep you posted as and when the drafts come into force.


  • The Cyber Security Agency (“CSA”) in Singapore has signed a Memorandum of Understanding with the Cabinet Office of the United Kingdom to enhance cyber security cooperation. The MOU promotes co-operation in certain areas including cyber security incident response, cyber security talent development and joint cyber research and development.


  • The Indonesian Government has published a draft regulation for the protection of personal data in electronic form.  Currently, there are no omnibus laws or regulations in Indonesia that regulate privacy and data protection.  If adopted, this regulation would be the first comprehensive data protection law in Indonesia. There was a 10 day consultation period (now closed) and we will keep you updated as and when the regulation comes into force. More information is available on the Ministry of Communication’s website.


  • The 2020 Tokyo Olympics have focused attention on cyber security. A cyber security strategy team was established along with the National Center of Incident Readiness and Strategy for Cybersecurity (NISC). A draft cyber security strategy was published in May, calling for the establishment of Computer Security Incident Response Team (CSIRT) to minimize damage from cyber attacks.  The government also announced plans to invest heavily in training to boost Japan’s cybersecurity capacity. The draft strategy was immediately revised after a significant hacking incident.  The revised strategy, with an increased focus on hacking prevention, was approved by Cabinet on 4 September.  The revised strategy places an increased emphasis on cooperation and information sharing with both local agencies and global partners.  In addition, the strategy bolsters the monitoring capabilities for the Government Security Operation Coordination team (GSOC), which sits within the NISC. Until now, the GSOC has only monitored central government ministries, but the revised strategy extends the GSOC’s remit to government-affiliated organisations.

One thought on “Not another Safe Harbor update – a round up of other data and cyber news”

Leave a Reply

Your email address will not be published. Required fields are marked *