In the wake of the Colonial Pipeline hack, the US Transportation Security Administration (TSA) issued a security directive applying to all owners and operators of liquid and gas pipelines. Its objective, as with the E.U. NIS Directive 2016/1148, is to standardise the minimum acceptable level of cyber security.
Whilst the TSA Directive targets a specific sector, the NIS Directive applies to identified critical infrastructure. In 2021, an updated version labelled NIS2 is expected to pass into law. This new regulation extends to medium-sized entities, not just large-scale companies. It also removes the distinction between operators of essential services and providers of digital services.
Crucially for US Big-Tech, the expansion of NIS2 includes social media platforms. With penalties of up to €10 million or 2% of global turnover, this is a regulation that will need addressing by an increasing number of corporations, regardless of geographic location.
NIS2 may appear to be very specific in its target sectors, affecting only large to medium-sized businesses. However, it extends even to micro entities where they are judged to have a potentially high impact upon critical services. As such, a niche contractor may become subject to the Directive where, for example, a telco outsources its 5G mast installations, which is a common practice. If you are the owner of a small technical services company, it would be worthwhile referring to the forthcoming regulation to determine whether you fall within its scope.
Where you find that your business falls within the domain, you will be required to “adopt appropriate and proportionate technical and organizational measures to manage threats to the security of networks and IT systems and minimize any incidents’ impact”.
Almost secretly, an amendment to the GDPR was rolled out by the E.U. on the 4th June 2021. This took the form of amended Standard Contractual Clauses for international transfers under the GDPR. The headline changes address new scenarios, covering processor-to-processor and processor-to-controller data transfers. Additionally, the extension applies to non-E.U. data exporters to which the GDPR applies, and to onward transfers, effectively now controlling the entire data supply chain.
There is a far higher burden placed upon a data exporter, who must now guarantee that any data importer they use is able to meet the obligations of the standard contractual clauses, through both technical and organizational measures. Similarly, there is also a broadening of the liability clauses impacting data importers: the penalties are financial, with no cap on compensation for damages caused to both the other party and data subjects. In effect, this creates a vicarious liability placed upon the data importer.
Adding further to the burdens upon data exporters, there remains a requirement for a transfer impact assessment, but rather than the previous broad outline of requirements, the updated clauses specify that the exporter must fully document the laws applying within the third party’s geographical location, as well as the technical, contractual and organizational measures implemented to minimise risks within the transfer. Conversely, the data importer must now notify the data exporter of any changes that may impact the transfer impact assessment, e.g. a new domestic change in law, as in the case of the new Irish laws requiring users to provide device passwords to the Irish police (see https://www.thejournal.ie/gardai-new-powers-5465628-Jun2021/).
A forthcoming regulation with far greater impact and geographical coverage is the E.U.’s ePrivacy2 Directive, which will replace the 2016 version. Having been agreed on 10th February 2021, it is anticipated that there will be a short timeline to ratification and passing into law, with the usual 2-year period for implementation across the Member States.
The new law seeks to account for the rapid changes in technology adoption in the intervening period between ePrivacy1 and now. In particular, it addresses data transfers between connected devices, i.e. IoT. It also covers the use of metadata by data processors, a new component that will impact most companies that collect data on users, and it closes the current loophole whereby GDPR and ePrivacy1 cookie laws can be evaded by using alternatives to cookies, e.g. Google’s shift to cohort analysis.
With a new restriction on the ability to e-market to E.U. citizens impacting business models, a further impact is meted out by extending its applicability to social media platforms, instant messaging apps, email service providers and internet calling services, e.g. WhatsApp, Skype, FaceTime, etc.
The previous conditions on the use of anonymised data have been updated: a DPIA must now be conducted where an entity passes data to a third party, and the explicit consent of the user must be obtained prior to any such data exchange.
It is not all negative however, with some reformulations of existing elements, including permission to further process data where the subsequent processing aligns with the original intent of the data collection. This addresses big data, deep learning and potentially AI.
Further, where there is a contract in place, service providers are permitted to access a user’s device data for the performance of that contract, whereas under ePrivacy1 this was only allowed where it was a technical necessity.
Just as the global pandemic has accelerated existing changes to work practices, digitisation and its integration into everyday life, so Covid-19 has also increased awareness at regulatory level globally of interdependencies and digital security.
Allied to major ransomware attacks and hacks, the increasing rate of new laws affecting how organizations address cyber threats indicates a shift from after-the-fact (post-incident) risk management to the creation of globally accepted minimum security standards. Maintaining compliance with such a shift will require substantial effort and a continuous horizon-scanning approach by all entities.