Regulation of Data Breaches in the European Union: Private Companies in the Driver’s Seat of Cybersecurity?

Abstract

This chapter illustrates how EU law on data breaches has come to put private companies that are not private military and security companies (PMSCs) in the driver's seat of cybersecurity, owing to their pivotal role in network and information security and in the prevention of cybercrime, two of the three pillars of the Union cybersecurity strategy. The applicable law divides into a double regime, depending on whether the breach of security concerns personal or impersonal data. However, the differences between the two regimes are outweighed by a number of important commonalities. The analysis of the bridging role played by ENISA shows that the commonalities between the two regimes are not accidental, but rather stem from the applicable law's common pursuit of network and information security. The instruments are informed by the logics of risk management and risk assessment, as well as the prevention of security incidents. These logics frame the norms on data breach notification and mitigation, which appear to be part of a wider infrastructure of security aimed at the prevention of cybercrime. This is the case irrespective of whether the breach concerns personal or impersonal data, as demonstrated by an analysis of the notion of information security and of the 'risks' entailed by personal data breaches. It is in this light that private companies managing data breaches implicitly become cybersecurity agents, or drivers of cybersecurity. To continue the car metaphor, it is as if EU law tries to supply private companies with a specific route (the implementation of risk-based network and information security measures) and to fit the car with emergency brakes (the notification of data breaches). Whether private companies are ready, or sufficiently incentivised, to 'start the engine' of cybersecurity, drive along the designated route, and brake when needed is, however, a different question. In fact, data breach obligations may appear as the (only?) 'stick' available to the state to ensure that private companies do not take all the gains of the information society at the risk of critical (information) infrastructure, which begs the question of the effectiveness of the stick.

Keywords

  • Personal Data Breach
  • European Network And Information Security Agency (ENISA)
  • Cybercrime
  • Impersonal Data
  • Digital Service Providers

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Notes

  1. Know-how is excluded from the notion of personal data. Deceased individuals do not enjoy the protection of the GDPR (recital 27).

  2. For instance, "identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller" (recital 57 of the GDPR).

  3. The GDPR was accompanied by the adoption of Directive 2016/680, which replaces the much-criticised Council Framework Decision 2008/977/JHA and addresses what has long been a legal grey area. It applies to the prevention, investigation, detection and prosecution of criminal offences, but not to national security, which is the sole responsibility of Member States (article 72 TFEU). Since it concerns public bodies, which are beyond the scope of this discussion, I will not analyse the provisions on data breaches contained therein.

  4. Adopted pursuant to articles 5(5) and 14a(2) of the e-Privacy Directive, the Commission Regulation lays down "technical implementing measures concerning the circumstances, format and procedures applicable to the information and notification requirements referred to" (recital 3) in Directive 2002/58/EC.

  5. For the purposes of this definition: (1) 'at a distance' means that the service is provided without the parties being simultaneously present; (2) 'by electronic means' means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means; (3) 'at the individual request of a recipient of services' means that the service is provided through the transmission of data on individual request.

  6. A closer reading of the relevant provisions seems to favour an understanding of 'high' risks as very likely ones, whereas 'significant' risks seem to relate to the intensity of the potential damage suffered by individuals.

  7. The Regulation does not explicitly qualify the nature of the services as information society services (ISSs). It can be argued that eIDAS services would not fall under the definition of ISS because they do not operate entirely by electronic means, in that they need a physical support (i.e. hardware) to work.

  8. Defined in article 4 as follows: (13) 'internet exchange point (IXP)' means a network facility which enables the interconnection of more than two independent autonomous systems, primarily for the purpose of facilitating the exchange of internet traffic; an IXP provides interconnection only for autonomous systems; an IXP does not require the internet traffic passing between any pair of participating autonomous systems to pass through any third autonomous system, nor does it alter or otherwise interfere with such traffic; (14) 'domain name system (DNS)' means a hierarchical distributed naming system in a network which refers queries for domain names; (15) 'DNS service provider' means an entity which provides DNS services on the internet.

  9. Measures must be 'appropriate' in the case of essential services; the obligation concerns digital services referred to in Annex III that are offered within the Union.

  10. Digital service providers must identify measures; the obligation concerns operators in the Union; moreover, "having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk posed, and shall take into account the following elements: (a) the security of systems and facilities; (b) incident handling; (c) business continuity management; (d) monitoring, auditing and testing; (e) compliance with international standards." (article 16(1)).

  11. It is not possible to predict whether 'continuity' of the service will be given more weight than 'security' in the national rules transposing the articles on the notification of breaches, but should this happen, it would represent a betrayal of the spirit of the NIS Directive.

  12. Codified Directive 2015/1535/EU on Information Society Services.

  13. The differences between the definitions concern the following: the scope of threats to security, which may include natural disasters (ENISA's definition); the scope of data, which can include further operations on top of transmission and storage (NIS and Framework Directive); and the explicit ambit of application.

  14. As discussed in Sect. 12.3.1, in the implementation phase integrity has been interpreted as availability of the service (European Network and Information Security Agency 2017). However, this betrays the intention of maintaining security. A more authentic interpretation would require taking into account both meanings, i.e. available and secure.

  15. Statistics are available at: http://ec.europa.eu/eurostat/statistics-explained/index.php/ICT_security_in_enterprises (last accessed 12 June 2017).

References

  • Article 29 Data Protection Working Party. (2007). Opinion 4/2007 on the Concept of Personal Data (WP 136). Brussels.
  • Article 29 Data Protection Working Party. (2011). Working Document 01/2011 on the Current EU Personal Data Breach Framework and Recommendations for Future Policy Developments (WP 184). Brussels.
  • Article 29 Data Protection Working Party. (2014). Statement on the Role of a Risk-based Approach in Data Protection Legal Frameworks (WP 218). Brussels.
  • Article 29 Data Protection Working Party, & Working Party on Police and Justice. (2009). The Future of Privacy: Joint Contribution to the Consultation of the European Commission on the Legal Framework for the Fundamental Right to Protection of Personal Data (WP 168). Brussels.
  • Barcelo, R. (2009). EU: Revision of the ePrivacy Directive. Computer Law Review International, 31(5), 31.
  • Buttarelli, G. (2012). Latest Developments in Data Protection. Paper presented at the meeting of the Heads of Agencies, Stockholm, 19 October 2012.
  • Charter of Fundamental Rights of the European Union, OJ C 303/1 (2007).
  • Commission Regulation 611/2013/EU of 24 June 2013 on the Measures Applicable to the Notification of Personal Data Breaches under Directive 2002/58/EC of the European Parliament and of the Council on Privacy and Electronic Communications (Commission Regulation on Data Breaches) (2013).
  • Consolidated versions of the Treaty on European Union (TEU) and the Treaty on the Functioning of the European Union (TFEU), OJ C 83/01 (Lisbon Treaty).
  • Council Directive 2008/114/EC of 8 December 2008 on the Identification and Designation of European Critical Infrastructures and the Assessment of the Need to Improve their Protection, OJ L 345.
  • Council Framework Decision 2001/413/JHA of 28 May 2001 Combating Fraud and Counterfeiting of Non-cash Means of Payment, OJ L 149.
  • Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data (Data Protection Directive), OJ L 281.
  • Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a Common Regulatory Framework for Electronic Communications Networks and Services (Framework Directive), OJ L 108.
  • Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (e-Privacy Directive), OJ L 201.
  • Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 Amending Directive 2002/22/EC on Universal Service and Users' Rights relating to Electronic Communications Networks and Services, Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector and Regulation (EC) No 2006/2004 on Cooperation between National Authorities Responsible for the Enforcement of Consumer Protection Laws (Citizens' Rights Directive), OJ L 337.
  • Directive 2009/140/EC of the European Parliament and of the Council of 25 November 2009 Amending Directives 2002/21/EC on a Common Regulatory Framework for Electronic Communications Networks and Services, 2002/19/EC on Access to, and Interconnection of, Electronic Communications Networks and Associated Facilities, and 2002/20/EC on the Authorisation of Electronic Communications Networks and Services (Better Regulation Directive), OJ L 337.
  • Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on Attacks against Information Systems and Replacing Council Framework Decision 2005/222/JHA, OJ L 218.
  • Directive 2015/1535/EU of the European Parliament and of the Council of 9 September 2015 Laying down a Procedure for the Provision of Information in the Field of Technical Regulations and of Rules on Information Society Services (codification), OJ L 241.
  • Directive 2016/1148/EU of the European Parliament and of the Council of 6 July 2016 Concerning Measures for a High Common Level of Security of Network and Information Systems across the Union (NIS Directive), OJ L 194.
  • European Commission. (2010a). A Digital Agenda for Europe (Communication), COM (2010) 245 final.
  • European Commission. (2010b). A Comprehensive Approach on Personal Data Protection in the European Union (Communication), COM (2010) 609 final.
  • European Commission. (2017). Proposal for a Regulation of the European Parliament and of the Council Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), COM (2017) 10 final, 2017/0003(COD).
  • European Commission and High Representative of the European Union for Foreign Affairs and Security Policy. (2013). Cyber Security Strategy: An Open, Safe and Secure Cyberspace (Joint Communication), JOIN (2013) 01 final.
  • European Network and Information Security Agency (ENISA). (2012). Recommendations on Technical Implementation Guidelines of Article 4.
  • European Network and Information Security Agency (ENISA). (2014). Technical Guideline on Security Measures for Article 4 and Article 13a. Crete, Greece.
  • European Network and Information Security Agency (ENISA). (2017). Annual Incident Reports 2016: Analysis of Article 13a Annual Incident Reports in the Telecom Sector. Crete, Greece.
  • Porcedda, M. G. (2017). Cybersecurity and Privacy Rights in EU Law: Moving beyond the Trade-off Model to Appraise the Role of Technology (PhD Thesis). European University Institute.
  • Reding, V. (2011). The Review of the EU Data Protection Framework, SPEECH/11/183.
  • Regulation 526/2013/EU of the European Parliament and of the Council of 21 May 2013 Concerning the European Union Agency for Network and Information Security (ENISA) and Repealing Regulation (EC) No 460/2004, OJ L 165.
  • Regulation 910/2014/EU of the European Parliament and of the Council of 23 July 2014 on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market and Repealing Directive 1999/93/EC (eIDAS Regulation), OJ L 257.
  • Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119.

Acknowledgment

The completion of this chapter has been supported by the EPSRC-funded project CRITiCaL—Combatting cRiminals In The CLoud.

Author information

Correspondence to Maria Grazia Porcedda.

Copyright information

© 2018 Springer International Publishing AG

Cite this chapter

Porcedda, M.G. (2018). Regulation of Data Breaches in the European Union: Private Companies in the Driver's Seat of Cybersecurity? In: Bures, O., Carrapico, H. (eds) Security Privatization. Springer, Cham. https://doi.org/10.1007/978-3-319-63010-6_12