European Commission prioritizes cybersecurity, GDPR compliance and free flow of data

On 13 September 2017, the European Commission presented its draft work program for the next sixteen months up to the end of 2018.  In addition to boosting jobs, growth and investments, the European Commission’s main priority is to improve and strengthen the Single Digital Market, where individuals as well as businesses can seamlessly access and exercise online activities under conditions of fair competition and a high level of consumer and personal data protection.  With that objective in mind, the European Commission plans to launch the following initiatives between now and the end of 2018:

  • A “cybersecurity package” with concrete measures to respond to the changed cyber threats landscape and increase cyber resilience, including: i) a proposed regulation transforming the current Agency for Network and Information Security (ENISA) into an EU Cybersecurity Agency and establishing a framework for EU cybersecurity certification schemes, ii) a toolkit to facilitate the transposition of the Network and Information Security (NIS) Directive into EU Member State law by 9 May 2018, iii) a blueprint for effective response in case of cyber attacks impacting several EU Member States, and iv) initiatives to boost research capacity and build cyber defense/hygiene.   In addition, on 13 September 2017 the European Commission and the High Representative of the EU for Foreign Affairs and Security Policy issued a joint communication reiterating the need for strong cybersecurity in the EU and suggesting measures to increase cyber resilience and create effective cyber deterrence. This package makes concrete a significant expansion of the EU’s role in cybersecurity.
  • A “data package” aimed at ensuring free flow of non-personal data within the EU. To that effect, the European Commission is proposing a regulation setting out a new legal framework that focuses on data flows within the EU that are not regulated by the General Data Protection Regulation (GDPR).  A key feature of this framework is that it will ban data localization requirements at EU Member State level, unless they are justified based on the grounds of public security.
  • GDPR guidance to help citizens, businesses and public administrations comply with the EU’s new data protection rules as of 25 May 2018.  The European Commission intends to prepare this guidance in close consultation with the Article 29 Working Party and the European Data Protection Board (once it is established). The guidance will presumably supplement the GDPR guidance documents and guidelines that have already been issued by the Article 29 Working Party as well as data protection authorities at EU Member State level.
  • Initiatives that will stimulate a fair, predictable, sustainable and trusted business environment for online platforms, and that address the challenges which online platforms face around the spreading of fake information.
  • The swift adoption of all 14 EU legislative proposals aimed at completing the Digital Single Market, including the telecoms package, the copyright package, and the e-Privacy Regulation.
  • The revision of the European Commission’s guidelines on market analysis and the assessment of significant market power in the electronic communication sector.

According to the European Commission, these initiatives will foster the confidence of EU citizens, which is critical to the success of the (connected) Digital Single Market.  Many businesses, however, may view these initiatives as raising potential additional hurdles for companies trying to do business in the EU.  The practical effects, burdens or benefits of each of these initiatives will have to be considered as each initiative materializes in the coming months.