Cybersecurity, anyone? On the EU policy news front, the review of the Network and Information Security Directive on cybersecurity is almost final. This week, the European Parliament’s Committee on Industry, Research and Energy approved the agreement reached with the council in May. This review updates baseline requirements and significantly broadens the material scope of the first EU-wide cybersecurity legislation implemented in 2016. It also includes several provisions relevant to privacy compliance. I am highlighting just a few here:

First, it establishes cooperation rules between the competent authorities under NIS and data protection authorities to deal with infringements related to personal data.

Second, Recital 69 explicitly refers to legitimate interest as a legal basis for processing personal data in alignment with the General Data Protection Regulation and lists very specific measures — including identification, containment and coordinated vulnerability disclosure — for which this legal base can be used. The original draft the commission proposal was not that clear.

Third, the updated Directive departs from the GDPR breach notification timeline (granted a breach does not always, theoretically, involve personal data). Entities in scope still have 72 hours to notify about an incident (see text for specifics and threshold) but now they also have an obligation to submit an “early warning” to their competent authority within 24 hours of becoming aware of the incident. This early warning is meant to make the competent authority aware of the incident, and whether the incident is presumably caused by unlawful or malicious action or could have a cross-border impact.

The next step is a final vote in Plenary before the publication of the text to the Official and likely some guidelines from authorities on what actually constitutes an early warning.

Two other developments to flag this week:

  • Earlier this week, the European Data Protection Board released a statement on personal data transfers to the Russian Federation. The two-page statement gives a theoretical account of the EDPB’s stance on data transfers to third countries and mentions that some DPAs are conducting investigations pertaining to the lawfulness of data transfers to Russia. But, it does not offer any formal assessment of Russia’s legal framework.
  • On 14 July , U.K. Information Commissioner John Edwards presented the ICO25 strategic plan for the next three years. Edwards announced a focus on both “empowering people" (looking at the impact of predatory marketing calls, the use of algorithms within the benefits system, the impact of using artificial intelligence in recruitment and ongoing work on children’s privacy) as well as on reducing burden for businesses (through more training material, a database of ICO advice, new templates, etc.). Edwards also wants to encourage a “dispute resolution approach" to freedom of information requests.

As we go deeper into the holiday season (at least in the Northern Hemisphere), you may be looking at a nice get-together with other privacy pros. Make sure you sign up to receive your local KnowledgeNet updates.