Review 2016 and prospects for 2017
The legal topics that shaped privacy and IT security in 2016 and will shape them in 2017
2016 brought some important legal developments in the areas of privacy and IT security. We outline what mattered in 2016 and what to expect in 2017.
Internet of Things, M2M, Big Data, Cloud Computing… As globalized digitalization and networking spread through all areas of life and economic sectors, issues in the fields of privacy, data security and IT security gain importance. The large number of successful attacks on IT systems and data leaks discovered in 2016 demonstrates a considerable need for further action in these areas. New statutory provisions address this need and impose extensive obligations. These are the highlights:
1. EU General Data Protection Regulation
In the area of privacy, the most fundamental development is the EU General Data Protection Regulation (GDPR), which entered into force in May 2016. It establishes uniform rules for the processing of personal data within the EU and brings some major changes.
Companies and public authorities need to implement the new rules by May 2018, when the GDPR becomes directly applicable in all EU Member States. Adapting their data processing operations will therefore be a high priority for most companies in 2017. Are you ready for May 2018?
2. New German Privacy Law
By May 2018 the German legislator has to take action as well. New national rules are required to specify and complement the GDPR, e.g. in the area of employee privacy. Two drafts of a new German Privacy Law were published by the Federal Ministry of the Interior in 2016. They faced criticism in the privacy community, in particular because of the intended restriction of data subjects' rights. The year 2017 will bring clarity on the upcoming national privacy rules and the resulting obligations.
3. International data transfer
In 2016 there were also some changes in the area of international data transfer:
After the European Court of Justice (ECJ) declared the Safe Harbor decision, until then the basis for EU-U.S. data transfers, invalid in 2015, the EU and the U.S. agreed on the EU-U.S. Privacy Shield (Privacy Shield) in summer 2016. Currently the Privacy Shield serves as a legal basis for the transfer of personal data to participating U.S. companies. However, the supervisory authorities have announced that they will examine after one year whether the Privacy Shield meets the requirements, and two legal actions against it are already pending before the General Court of the European Union (EGC). The year 2017 will therefore reveal whether and in what form the Privacy Shield will survive.
The transfer of personal data to third countries outside the EU/EEA can also be based on an adequacy decision of the European Commission or on the EU Standard Contractual Clauses. In December 2016 the European Commission amended the adequacy decisions and the decisions underlying the EU Standard Contractual Clauses and incorporated new competences and obligations of the supervisory authorities. For the moment nothing changes in practice, as the text of the Standard Contractual Clauses themselves did not change. However, developments in 2017 should be kept in view, because in form and content the clauses are not yet adapted to the requirements of the GDPR. They are expected to be revised by May 2018.
4. E-Privacy Regulation
In December 2016 the first draft of the new E-Privacy Regulation was published. Complementing the GDPR, the E-Privacy Regulation provides uniform rules for the processing of personal data and the protection of privacy in electronic communications services within the EU. The regulation will apply to providers of telecommunications and internet services such as browsers, websites, over-the-top services (e.g. messengers) and Internet of Things (IoT) solutions. The year 2017 will bring more clarity on the future obligations of such providers.
5. Rising litigation risks regarding privacy
Privacy breaches may be pursued not only by supervisory authorities but also by competitors, interest groups and trade associations. This leads to an increased risk of litigation.
An amendment of the German Injunctions Act (UKlaG) already came into force in February 2016. Breaches of specified consumer-protection privacy rules may now give rise to claims for injunctive relief and removal. Consumer protection organisations and trade associations, among others, are entitled to bring such claims.
II. IT security
1. Critical infrastructures
In July 2015 the German IT Security Act (IT-Sicherheitsgesetz) came into force. It entails new obligations for operators of critical infrastructures (KRITIS). They have to ensure and demonstrate appropriate, state-of-the-art protection of their IT and telecommunications systems (ITK systems). Moreover, they are obliged to designate a contact point for IT security and to report significant disruptions of their ITK systems. A regulation specifies which infrastructures are considered critical. The first regulation, which determines KRITIS in the sectors energy, information technology, telecommunications, water and food, came into force in May 2016 (BSI-KritisV).
Operators of KRITIS in these sectors have to implement the new requirements by May 2018. A further regulation for the sectors transport and traffic, health, finance and insurance is announced for 2017.
2. NIS Directive
IT security is also the main topic of the Directive concerning measures for a high common level of security of network and information systems across the Union (NIS Directive), adopted in July 2016. On the one hand it contains rules for operators of essential services (critical infrastructures), which largely match the requirements of the German IT Security Act. On the other hand it provides new obligations for digital service providers such as online marketplaces, search engines and cloud computing services. In the future they will have to adopt appropriate, state-of-the-art IT security measures and report security incidents. The NIS Directive has to be transposed into national law by May 2018.