The European Commission published its first draft of the EU General Data Protection Regulation (“GDPR“) in January 2012, which set out a comprehensive reform of the current existing EU regime. The reform was designed to give citizens more control and protection over their personal data. In April 2016, the final text of the GDPR was formally approved.
The GDPR then entered into force on 25 May 2016 with a two year implementation period before it comes into effect. This period gives organisations until 25 May 2018 to prepare for the new rules to apply. Continue reading
The Digital Economy Act (the “Act“) finally received Royal Assent on 27 April 2017 and the final text was published at the beginning of May. First introduced in the House of Commons in July 2016, it has been the subject of much scrutiny and debate by both Houses of Parliament. In the run up to the General Election, the legislation was passed in a final sweep as part of the so-called “wash up” period before the dissolution of Parliament.
It covers a wide assortment of areas falling under the “digital economy” umbrella but at its heart it seeks to “modernise the UK for enterprise” – focusing on improving access to digital communication services (including through improved connectivity and infrastructure), supporting new digital industries and enhancing protections for citizens using those services.
The new report referenced in the article above, follows comprehensive guidelines (the “Guidelines“) published by ENISA in February 2017 for Member States and the European Commission on how to implement incident notification for “digital service providers” (“DSPs“) across the EU, in the context of the Cyber Security Directive.
DSPs: The Cyber Security Directive sets out obligations in respect of “operators of essential services” and DSPs, with a slightly “lighter touch” approach applying to the latter. DSPs are limited to three types of services:
- online marketplaces – which allow consumers and traders to conclude online sales or service contracts with traders and are the final entity where the contract is concluded. The term excludes both online “intermediaries” to third party services through which a contract can be concluded, as well as online price comparison services of different traders that redirect the user to the preferred trader to purchase the product;
- online search engines – excluding search functions that are limited just to the content of a specific website; or
- cloud computing service providers – spanning a wide range of activities that can be delivered according to different models.
In April 2017, the Society for Worldwide Interbank Financial Telecommunications (SWIFT) published a final version of its Customer Security Controls Framework (the “Framework“), as part of its Customer Security Programme which launched in June 2016. SWIFT is a messaging network that allows more than 11,000 banking and securities organisations to securely send information and instructions through a standardised system of codes.
The new Framework comprises 16 mandatory and 11 advisory controls, designed to reflect good security practice and support SWIFT’s three overarching security objectives: “Secure your Environment”; “Know and Limit Access”; and “Detect and Respond”. Continue reading
April 2017 welcomed two insightful publications on the current cyber security landscape. The UK Department for Culture, Media and Sport’s annual Cyber Security Breaches Survey (the “Survey“) and Verizon’s 2017 Data Breach Investigations Report (the “Report“), highlight the changing attitude of businesses toward cyber security, the specific threats facing organisations, and the opportunities for mitigating cyber crime. Whilst the results of these two publications suggest some advances in cyber security awareness, they also highlight a lack of preparedness which makes the extent of the recent “WannaCry” cyber attack in May 2017 (see above) somewhat unsurprising. Continue reading
On 12 July 2016, the European Commission adopted an “adequacy decision” allowing for the transatlantic transfer of personal data from the EU to the US in accordance with the framework and principles of the EU-US Privacy Shield (the “Privacy Shield“).
Two privacy advocacy groups have however since filed actions in the European General Court to annul the adequacy decision. On 28 October 2016 the Irish privacy advocacy group, Digital Rights Ireland, filed an “action for annulment” on the basis that the Privacy Shield does not sufficiently protect the privacy rights of EU citizens. If successful, the action would invalidate the European Commission’s adequacy decision that approved and adopted the Privacy Shield. The group filed the challenge in the General Court based in Luxembourg, the second highest EU Court after the CJEU. A further challenge was also filed in the General Court by a French civil society group at the end of October 2016. It could take the General Court twelve months or more before a decision is handed down.
On 15 May 2017, the Council of the European Union published its progress report (the “Report“) on the first draft of the ePrivacy Regulation (the “Draft Regulation“).
The Draft Regulation focuses on the processing of personal data and protection of privacy in electronic communications. Among other areas, it covers direct marketing, cookies and other forms of online tracking; principally seeking to bring e-privacy law up to date with the “evolution of technological and market reality” and align the law with the incoming EU General Data Protection Regulation (“GDPR“). It was published by the European Commission in January of this year and is expected to replace the existing Privacy and Electronic Communications Directive (the “ePrivacy Directive“).
The Mirai malware gained its infamy in October 2016 following its record breaking attack on systems operated by domain name system provider Dyn, using unsecured Internet of Things (“IoT“) enabled “smart” devices (such as CCTV recorders, webcams and routers). It resulted in the widely reported outage of Twitter, Netflix, Spotify and Airbnb, amongst others.
Mirai is highly effective as it targets devices which often run unattended, do not have anti-virus installed, and have no external visual indication that they have been compromised. Mirai works by systematically trying the 62 most common default username/password combinations against the Telnet/SSH port of internet connected devices in an attempt to gain administrative access to the device. Whilst simple, the sheer number of vulnerable devices on the internet means that “botmasters” (the creators and controllers of the collections of compromised computers and IoT devices (each a bot and together a botnet)) have been able to create and sustain botnets containing up to 100,000 devices. Botmasters are then able to sell the use of their botnets online to the highest bidder for use in, for example, Distributed Denial of Service attacks against specific targets (e.g. Dyn). Continue reading