Andreas Splittgerber

The 2014 Year End Newsletter looks at:

I. Article 29 Working Party publishes Opinion on “Internet of Things”

II. Data protection and competition law – statement by the Federal and State Commissioners for Data Protection

III. Are IP-addresses personal data? – German Federal Court of Justice ask ECJ

IV. Data processing for marketing: new guidelines

V. Outlook on current draft laws and recommended reading


A brief summary of each point is below – to read the full newsletter, please click here.


I. Article 29 Working Party publishes Opinion on “Internet of Things”

The WP29 considers IoT as generally permitted, but clearly states that any stakeholder is responsible for data protection. Despite of consent requirements and transparency obligations, personal data should be aggregated to the greatest extent possible and the principles of privacy by default and privacy by design shall be applied by the

II. Data protection and competition law – statement by the Federal and State Commissioners for Data Protection

While competition authorities should not turn into data protection authorities (and vice versa), the nexus between data and competition needs to be given more attention in future competition investigations in data-driven high-tech markets.

III. Are IP-addresses personal data? – German Federal Court of Justice ask ECJ

The decision by the ECJ will above all affect all EU operators of Websites that allow surfing without personal registration. The decision by ECJ is not expected before well into 2015, but perhaps the European legislator takes the topic into account in the course of finalising the European Data Protection Regulation.

IV. Data processing for marketing: new guidelines

The Guidelines provide solid assistance and relatively secure guidelines with regard to data protection and marketing.

V. Outlook on current draft laws and recommended reading

Draft laws in IT security and Data Protection:
• Draft Directive on the Protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure
• Draft bill of the IT-Security Act (IT-Sicherheitsgesetz)
• Draft of the General Data Protection Regulation (inofficial consolidated version)

New papers by the Article 29 Working Party:
• Guidelines on the implementation of the Court of Justice of the European Union judgment on “Google Spain and inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” c-131/121 – WP 225
• Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting – WP 224
• Working Document on surveillance of electronic communications for intelligence and national security purposes – WP228

Posted in Uncategorized | Tagged , , | Leave a comment
Ross McKean

Just what IS the state of play on the draft Regulation? This was the hot topic at the recent IAPP conference in Brussels. The Datonomy Team has been taking stock of progress and has produced a guide to the Top 12 issues and their practical impact for business.

Two weeks ago, members of the Datonomy Team attended the IAPP conference in Brussels. Despite the fact that the draft Regulation didn’t feature heavily on the draft agenda, it was the main topic of conversation between in house privacy counsel, regulators and private practice lawyers during the networking breaks.

As Datonomy readers will be aware, the new Commission President has tasked the new EU Commissioners who now share responsibility for the data protection portfolio with steering inter-institutional negotiations on the text to agreement by May 2015. That would mean the Regulation would take direct effect in Member States by 2017. Over recent weeks, various sources have stated that the Regulation is “coming along nicely” and is even “close to finalisation”. However those trilogue negotiations cannot begin until the Council has adopted a common position on all 11 Chapters of the draft Regulation.  At present, the Council has reached a “partial general approach” on just a few of the 11 Chapters.  So, there is still much work for the institutions to do.

However, since it is clearly now a case of “when” not “if” the Regulation will come into force, and as there are clear shapes forming in the shifting sand, businesses too have a lot of work to do – to prepare for a regime which is significantly stricter and which will be backed up with fines of up to 5% of global turnover.

The Datonomy’s pan-European Team has been taking stock of progress on the Top 12 issues and the practical impact the various changes will have on businesses.  You can read the guide in full in PDF here, a one page bluffer’s guide here and issue-by-issue coverage here.

Posted in breach notification, data breaches, data protection regulation, EU data protection reform, EU Legislation, eu proposals, European Commission, European Parliament, IAPP, International Association of Privacy Professionals | Tagged | Leave a comment
Blanca Escribano

Datonomy takes a look at the recent recommendations in the Article 29 Working Party Opinion on the Internet of Things, and what these mean for players in the value chain.

Consumers’ fear of potentially intrusive new technologies is often cited as one of the main barriers to the adoption of the Internet of Things.

Regulators in the US and Europe are starting to get to grips with the issue. As Datonomy readers will be aware, the Article 29 Working Party recently issued an Opinion on the topic, with recommendations on how to embed privacy compliance at every stage of the IoT value chain.

In this paper on the Olswang website here I consider the key privacy and security challenges posed by a connected world, and analyse the latest best practice for suppliers – from device manufacturers, through to app developers and providers of operating systems.

Stakeholders who can demonstrate privacy compliance and ethical practices will be best placed to win consumers’ trust and gain competitive advantage in this brave new and connected world.

Posted in Uncategorized | Leave a comment
Ross McKean

As Datonomy readers may know October is Cybersecurity Month – a good time to read the second edition of Olswang’s Cyber Alert. There is no doubt that cyber security is rising up the international as well as the business agenda. NATO recently adopted an amendment to its charter to put cyber attacks on the same footing as armed attacks – see paragraph 72 of NATO’s Declaration.

In this edition:

  • In our lead article, EJ Hilbert, Managing Director, Cyber investigations, Kroll EMEA, considers the true cost of cybercrime;
  • In our standards and benchmarks section we consider the new ISO standard for processing PII in the cloud, new standardisation guidelines for cloud computing SLAs and look at the UK’s new certification scheme Cyber Essentials.
  • On our regulatory radar in this edition we  track the  progress of EU legislation on data and cyber breach notification, and draft US legislation and look in depth at new cyber security legislation in France and Germany and proposals to strengthen criminal penalties in the UK. We also look at a first of its kind ruling by the French data protection regulator, the CNIL, over supply chain security breaches, and at the impact UK fines are having on security compliance.
  • In our threat vectors section we highlight just some of the breaches and threats which have been in the headlines over the summer.

We hope Datonomy readers will enjoy the Cyber Alert. There is a printable PDF version of it here.

Posted in Cloud computing, cyber crime, cyber-privacy, cybersecurity, data, data breach, data breaches, data loss, e-Privacy, Germany, information security, internet, New publication, online data protection, outsourcing | Tagged | Leave a comment

Threat Vectors

Tom Errington - October 22nd, 2014
Tom Errington

A small selection of the cyber threats and statistics that have made recent headlines.

  • Sources including censorship watch dog GreatFire have alleged that the Chinese authorities are staging a “man-in-the-middle” attack on Apple’s iCloud, just days after the iPhone went on sale in China. The attack is designed to intercept user’s iCloud account usernames and passwords, using a fake login site that looks exactly like the Apple iCloud login site. Read more from The WHIR and ITProPortal.
  • A new bug, which could be affecting hundreds of millions of computers, servers and devices using Linux and Apple’s Mac operating system, has been discovered. System administrators have been urged to apply patches to combat the bug, which has been dubbed “Shellshock”. Read more from the BBC.
  • US companies Home Depot, Supervalu and JPMorgan Chase & Co have all been hit by high profile cyber attacks.
  • Mark Boleat, head of policy for the City of London, has echoed comments made by New York’s financial regulator Benjamin Lawsky that an “Armageddon style” cyber attack will trigger the next global financial crisis by making a major bank “disappear”. Mr Boleat also said that the City of London police had uncovered a huge underground economy, and a huge underground network” capable of conducting movie-style cyber attacks. Read more from The Telegraph.
  • As has been widely reported, there has been an extremely targeted hack against celebrities, resulting in numerous nude photographs being temporarily floated in the public domain. In the fallout, cyber-thieves reportedly sent out fake notification messages to iCloud users to trick people into handing over their login details.
  • Similarly, 13 GB worth of photos from popular mobile phone app Snapchat have been dumped online. The attack has been dubbed “The Snappening” and was carried out by the use of insecure third-party software designed to let users store “disappearing” snaps. Many are blaming Snapchat for the breach. Read more from The Independent.
  • Security firm Hold Security has announced the “largest data breach known to date”, after a Russian gang dubbed “CyberVor” stole over 2 billion credentials. More details here and here.
  • As ZDNet reports, new research published by FireEye claims that 68% of the most popular free Android apps could become a pathway for cybercriminals to lift sensitive data.
  • An interesting blog by CBR highlights six cyber security trends to watch out for during the rest of 2014, which includes more focus being placed on cyber education and an increase in infrastructure targeting by hackers.
  • The “very alarming” level of cyber threats organisations face is unlikely to fall for at least 10 years, says Suleyman Anil, head of cyber defence at the emerging security challenges division of NATO. Mr Anil asserted there are three prime reasons for this; cyber crime is low risk with the promise of high profits, there has been an increase in opportunity to attack systems and most worryingly, there is growth in state-sponsored cyber attacks. Read more here.


Posted in cyber crime, cyber-privacy, cybersecurity, data | Tagged , , | Leave a comment
Claire Walker

As  reported  in our first edition, there are two proposals making their way through the Brussels legislature which will change the legal landscape for the reporting of cyber attacks. These are the draft Network and Information Security Directive, which will impose reporting obligations on providers of critical infrastructure, and the draft General Data Protection Regulation which will impose data breach reporting requirements on all data controllers. The summer has seen much institutional change in the EU, first with the European Parliament elections in May, the start of Italy’s Council Presidency in July and now with the reorganisation of the European Commission and appointment of a new Commission President and Commissioners with effect from 1 November.  The summer has seen little procedural progress, although trilogue negotiations on the NISD have now begun, and on the GDPR the Council (representing the Member States) has, according to this Council press release, just reached a broad consensus on the security and breach provisions in Chapter IV of the draft Regulation (although the Council has not yet agreed its position on the whole proposal).  We will continue to monitor progress in our Cyber Alert.

We summarise the state of play – as at 22 October 2014 – on both proposals in a table available here

Posted in cyber-privacy, cybersecurity, data | Tagged , , | Leave a comment
Thibault Soyer

With the text of the draft Network and Information Security Directive (“NISD”) still being negotiated between EU institutions, and the national transposition deadline for the Directive likely to be 18 – 24 months from the date of EU adoption, some Member States are pre-empting the new regime with national legislation of their own. France has already implemented the principles enshrined in the draft Directive via its Military Programming Act, which was published at the end of 2013.


France has already implemented many of the principles enshrined in the Draft NISD into national law. The French Government published its strategy on Information systems and defence in February 2011. This included reviewing and where necessary strengthening cyber laws. As a result, the government passed Article 22 of Act n°2013-1168 dated 18 December 2013 (the “Military Programming Act”) which sets out several obligations applicable to vitally important operators (“VIOs”) which are comparable to those imposed by the Draft NISD on operators of critical infrastructures.

 It should be noted that Article 22 of the Military Programming Act has not yet come into force; various decrees and Ministerial orders which will spell out the detail of the regime have not yet been published – for example, those specifying security standards applicable to VIOs, the notification procedure, criteria defining an “incident” triggering the notification obligation and conditions and limits of “inspection” powers of the Prime Minister.

 The French National Agency for the Security of Information Systems (“ANSSI”), i.e. the regulatory authority which has been empowered to define implementing and enforcement measures of Article 22, is currently working with the French government as well as with public and private entities to define the application conditions of this framework. The implementing decree had been announced by the ANSSI to be due by Autumn 2014. As of the date of publication of this article, however, no such decree has been published.

When published, the decree will set out general principles, and following such publication, ministerial orders will be published to define sector-specific rules (if any) and implementation deadlines. At a cyber security conference in September, the ANSSI director indicated that France was “the first to go down this road. Other countries have tried, without succeeding” and that implementation conditions remain “unclear”, even at the NATO level (therefore not providing a reference framework for the ANSSI).

 NISD vs Military Programming Act – how do they compare?

 Below we highlight the key similarities and differences between the French legislation and the proposed NISD. Note that there are significant differences between the Commission’s original draft of the NISD published in February 2013 and the amended text approved by the European Parliament in March 2014. It remains to be seen what the final compromise text of the NISD agreed by all three EU institutions will look like. As things stand, here’s how the new French regime compares to the proposed EU-wide regime.

Key similarities:

  • Breach notification deadlines: the Draft NISD (as amended by the European Parliament) requires breach notification “without undue delay” (Article 14 (2)) and the Military Programming Act requires notification “without delay”.
  • Audits: the broad obligation for VIOs to subject themselves to security Audits under the NISD (as originally proposed by the European Commission, Article 15(2)) is similar to the “inspection” obligation under the Military Programming Act. However, the EP’s text has significantly watered down the audit requirement.

Key differences:

  • Scope: the notions of VIOs in the Military Programming Act and of “vitally important sectors” under the relevant French legislation are slightly broader than the scope of “critical infrastructure” (in the sense of the Council directive 2008/114/EC) and of “market operators” in the Draft NISD (see the table for more detail).
  • Inspection and audit: the extent of inspection/auditing powers of VIOs by the French Prime Minister is deeper than the equivalent proposals under the EP’s version of the Draft NISD.
  • Sanctions: the French law includes specific sanctions for a VIO’s failure to comply with any of the obligations specified in Article 22, following a formal notice (up to EUR 750.000 for corporate entities). However, such formal notice is not required prior to imposing a fine in case of failure by a VIO to notify the Prime Minister “without delay” of a cyber-breach.
  • Notification triggers: no materiality threshold for cyber security incidents triggering the notification requirement is yet provided by the Military Programming Act, compared to the “significant impact” threshold and criteria included in the European Parliament’s proposed version of Article 14(2) of the Draft NISD.
  • Notification to the public: whereas the Draft NISD (European Parliament’s version, Article 14 (4)) provides for precise criteria and conditions for notification to the public of cyber security incidents, the Military Programming Act remains silent on this possibility.

For further details on the similarities and differences between the Draft NISD and the Military Programming Act, please refer to the comparative table available here.

Posted in cybersecurity, data | Tagged , , | Leave a comment
Tom Errington

The ICO has published a review of the impact of its civil monetary penalties (CMPs), the vast majority of which have related to security breaches. The review canvassed the views of representatives from 14 organisations who had received a CMP and 85 peer organisations who had not. The findings suggest that overall CMPs are effective at improving data protection compliance. However some respondents felt that there was a lack of transparency about how CMPs have been calculated and some showed a lack of understanding of just what poor practices trigger the CMP threshold.

Posted in civil monetary penalties, cybersecurity, data | Tagged , , | Leave a comment
Katharine Alexander

UK: Cyber security certification scheme launched

Following the consultations on the requirements for a preferred standard for cyber security, which concluded in November 2013 (background information here), the Government has launched a new cyber security certification scheme. The scheme focuses on five main controls for basic cyber hygiene:

  • boundary firewalls and internet gateways;
  • secure configuration;
  • access control;
  • malware protection; and
  • patch management.

Businesses can apply for a “Cyber Essentials” certificate (based on independently verified self-assessment) or a “Cyber Essential Plus” certificate (offering a higher level of assurance through external testing). The scheme is designed to be affordable and offers a snapshot of the organisation’s cyber security effectiveness on the day of assessment. Guidance on meeting the Cyber Essentials requirements can be downloaded from the government-approved cyberstreetwise website here, and a summary of the scheme can be found here. Vodafone has become the first telecoms company to gain the UK ‘cyber essentials plus’ accreditation.

Posted in cybersecurity | Tagged , , | Leave a comment
Claire Walker

These new guidelines were published in June by the Cloud Select Industry Group.

Forming part of the European Commission’s wider Cloud Computing strategy which was unveiled in 2012, the guidelines have been described as a first step towards standardised building blocks for terminology and metrics in cloud SLAs. They aim to improve the drafting clarity and customer understanding of cloud SLAs. European Commission Vice-President Viviane Reding said: “[the] new guidelines will help generate trust in innovative computing solutions and help EU citizens save money. More trust means more revenue for companies in Europe’s digital single market.”  The 62 page guidelines – created by a drafting team which included participants from IBM, Amazon, Microsoft and T-Systems – deal with service levels relating to availability, reliability, security, support services and data management, and take into account the guidance of the Article 29 Working Party.

Posted in Cloud computing, cybersecurity | Tagged , , | Leave a comment