The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: European Union

  • From Vol. 3 No.7 (Apr. 5, 2017)

    A Discussion With Ireland’s Data Protection Commissioner Helen Dixon About GDPR Compliance Strategies (Part Two of Two)

    The E.U.’s General Data Protection Regulation, a sweeping law with harsh fines, is set to take effect in May 2018. Ireland, the European home of many large multinationals, is expected to be at the center of enforcement. We spoke to Helen Dixon, Ireland’s Data Protection Commissioner, about the upcoming changes and how companies can prepare for them. In this second article in our series, she discusses compliance with the non-harmonized areas of the GDPR, the GDPR’s enforcement structure, enforcement challenges for the data protection authorities, and answers criticism of the law’s penalties. The first article in the series contained her views on the most challenging compliance issues for companies, strategies to get buy-in from the C-suite for compliance resources and successful compliance models she has seen. See also “Getting to Know the DPO and Adapting Corporate Structure to Comply With the GDPR (Part One of Two)” (Jan. 25, 2017); Part Two (Feb. 8, 2017).

  • From Vol. 3 No.6 (Mar. 22, 2017)

    A Discussion With Ireland’s Data Protection Commissioner Helen Dixon About GDPR Compliance Strategies (Part One of Two)

    With the effective date of the GDPR fast approaching, Ireland – the site of the European headquarters of tech giants like Apple, Google and Facebook – is at the forefront of data protection and privacy enforcement. Leading the effort is Helen Dixon, Ireland’s Data Protection Commissioner. We spoke to Commissioner Dixon about the “game-changing” nature of the GDPR. This first part of our two-part series includes her views on the most challenging compliance issues for companies, strategies to get buy-in from the C-suite for compliance resources (including the threat of the heavy fines the Commissioner can levy), and successful compliance models she has seen. See also “Getting to Know the DPO and Adapting Corporate Structure to Comply With the GDPR (Part One of Two)” (Jan. 25, 2017); Part Two (Feb. 8, 2017).

  • From Vol. 3 No.4 (Feb. 22, 2017)

    Marsh and FireEye Take the Pulse of European Cybersecurity Climate

    FireEye, Inc. and Marsh & McLennan Companies recently released their joint 2017 European cyber risk report, which is based in part on data collected by Marsh in a survey of 750 of its European clients. It analyzes the current European threat environment, benchmarks companies’ cyber perceptions, discusses coming regulations that should provide increased transparency on cyber attacks and provides best practices for cybersecurity preparedness. For more insight from FireEye, see “How the Financial Services Industry Can Manage Cyber Risk” (Jul. 20, 2016). For more from Marsh, see our two-part series: “Building a Strong Cyber Insurance Policy to Weather the Potential Storm (Part One of Two)” (Nov. 25, 2015) and Part Two (Dec. 9, 2015).

  • From Vol. 3 No.3 (Feb. 8, 2017)

    Getting to Know the DPO and How to Adapt Corporate Structure to Comply With GDPR Requirements for the Role (Part Two of Two)

    The GDPR introduces the statutory position of the Data Protection Officer, who will have a key role in ensuring compliance with the regulation. But where and how does the DPO position function within the company? In this second installment in our two-part article series on the role, DPOs and counsel from around the world discuss how the DPO best fits in the corporate structure, and offer considerations for determining whether the role should be fulfilled internally or externally and five steps companies can proactively take to ensure they are prepared to comply with the GDPR’s DPO requirements. Part one examined when appointing a DPO is mandatory, how to select a DPO, and the requisite skillsets and responsibilities of the role, including the difference between the DPO and other privacy compliance roles. See also “Navigating the Early Months of Privacy Shield Certification Amidst Uncertainty” (Nov. 2, 2016).

  • From Vol. 3 No.2 (Jan. 25, 2017)

    Getting to Know the DPO and Adapting Corporate Structure to Comply With the GDPR (Part One of Two)

    Looking toward the GDPR’s May 25, 2018 implementation date, many organizations preparing for compliance are focused on the DPO role. While the position is not novel, the GDPR introduces new requirements. We spoke with experienced DPOs and counsel from around the world to shed light on the GDPR provisions and recent Article 29 Working Party guidelines relevant to the DPO role. This first part of our two-part series on the topic examines when appointing a DPO is mandatory, how to select a DPO, and the requisite skillsets and responsibilities of the role, including the difference between the DPO and other privacy compliance roles. Part two will discuss how the DPO best fits in the corporate structure, how to manage the budget for this role and steps companies can proactively take to ensure they are prepared to comply with the GDPR’s DPO requirements. See also “Navigating the Early Months of Privacy Shield Certification Amidst Uncertainty” (Nov. 2, 2016).

  • From Vol. 2 No.25 (Dec. 14, 2016)

    Navigating Data Privacy Laws in Cross-Border Investigations

    Conducting a cross-border investigation or performing global due diligence each has its own set of unique challenges, which only become more formidable when coupled with a government inquiry. In the E.U. in particular, issues range from confusing and often conflicting privacy laws, to language and cultural barriers, to custodian access and local coordination. According to more than half of those who responded to a recent BDO survey, disparate data privacy laws are the biggest challenge to managing cross-border e-discovery. In a guest article, Deena Coffman and Nina Gross, managing directors at BDO, provide insight on the data privacy landscape in the E.U. and how to comply with competing demands during a cross-border investigation. See also “Foreign Attorneys Share Insight on Data Privacy and Privilege in Multinational Investigations” (May 25, 2016).

  • From Vol. 2 No.23 (Nov. 16, 2016)

    Navigating U.S. and E.U. Cybersecurity Requirements

    Complicating cybersecurity’s rapidly evolving legal landscape is the lack of any single government or regulatory entity providing umbrella legislation or universal legal guidance. At a recent PLI program, Paul Tiao and Adam Solomon, a partner and associate, respectively, in Hunton & Williams’ global privacy and cybersecurity practice, examined the existing framework, steps that led there, and recent changes in cybersecurity’s legal landscape, both in the U.S. and in the E.U. See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?” (May 20, 2015).

  • From Vol. 2 No.22 (Nov. 2, 2016)

    Navigating the Early Months of Privacy Shield Certification Amidst Uncertainty

    Over two hundred companies have become Privacy Shield-certified and hundreds more have begun the process. Others are taking their time and weighing their options, particularly because a challenge to the Privacy Shield has already been filed in Europe. “This is a serious privacy program . . . that we intend to have implemented and administered in a way that maintains the confidence of data protection authorities and stakeholders in Europe,” Ted Dean, Assistant Secretary for Services at the Department of Commerce, said. During a recent webinar hosted by Data Guidance, Dean and attorneys at Sidley Austin discussed how to approach the self-certification process and whether this mechanism for transatlantic data transfer is the right choice for all companies. For more on the Privacy Shield’s specific requirements, see “Key Requirements of the Newly Approved Privacy Shield” (Jul. 20, 2016).

  • From Vol. 2 No.15 (Jul. 20, 2016)

    Key Requirements of the Newly Approved Privacy Shield

    The European Union formally adopted the long-awaited Privacy Shield last week, which replaces the Safe Harbor framework as a mechanism to comply with E.U. data protection requirements for the E.U.-U.S. transfer of personal data. Companies can begin to self-certify compliance with the framework on August 1, 2016. “Companies cannot take the Privacy Shield lightly. It’s a much more detailed framework with more accountability” than Safe Harbor, Sidley Austin senior counsel Cam Kerry told The Cybersecurity Law Report. We review the Privacy Shield’s background, its key requirements and examine whether, when and how to join. See also “Deal Struck to Maintain the Transatlantic Data Flow” (Feb. 17, 2016).

  • From Vol. 2 No.14 (Jul. 6, 2016)

    How Will Brexit Affect U.K. Data Protection and Privacy Laws?

    The U.K.’s historic vote to exit the E.U. – the Brexit – raises a myriad of legal and business questions. Among those is whether the U.K. will adopt the E.U.’s General Data Protection Regulation. The law takes effect in May 2018 and will usher in a host of regulatory changes. The Cybersecurity Law Report spoke to Eduardo Ustaran, a partner in the London office of Hogan Lovells, about how Brexit may impact how certain companies handle their data. See also “Making Sense of Cybersecurity and Privacy Developments in the E.U.” (Mar. 16, 2016).

  • From Vol. 2 No.11 (May 25, 2016)

    Foreign Attorneys Share Insight on Data Privacy and Privilege in Multinational Investigations

    Regulatory investigations spanning borders are proliferating and subject companies must manage competing requests and competing legal regimes. At the recent White Collar Crime Institute presented by the New York City Bar Association, a panel of foreign lawyers delved into the challenges faced by counsel confronting multinational regulatory actions, including coordinating requests from multiple jurisdictions, preserving attorney-client privilege, conducting witness interviews and navigating data privacy laws. The panel featured attorneys based in London, Geneva, Hong Kong and Sao Paulo. See also “Prosecuting Borderless Cyber Crime Through Proactive Law Enforcement and Private Sector Cooperation” (Mar. 2, 2016).

  • From Vol. 2 No.8 (Apr. 13, 2016)

    Ten Steps to Minimize Data Privacy and Security Risk and Maximize Compliance

    Increasingly, general counsel, privacy officers and even CEOs are taking on more and more data privacy and security compliance burdens because of the significant legal implications of not just breaches, but failure to comply with a range of privacy and cybersecurity regulations. That applies to international transfers of data as well. In a guest article, Aaron Charfoos, Jonathan Feld and Stephen Tupper, members of Dykema, discuss recent global developments and ten ways companies can ensure compliance with new regulations to increase data security and minimize the risk of enforcement actions. See also “Liability Lessons From Data Breach Enforcement Actions” (Nov. 11, 2015).

  • From Vol. 2 No.7 (Mar. 30, 2016)

    Steps for Companies to Take This Week, This Month and This Year to Meet the Challenges of International Cyberspace Governance

    The borderless nature of cyberspace demands adequate global security and governance, and companies must protect their data across jurisdictions. At the recent 2016 RSA Conference, experts explored the challenges of global cybersecurity and governance; identified key efforts to address these issues; provided nine practical steps companies should be taking now to protect themselves; and examined the cybersecurity laws of 13 countries. The panel featured Alan Charles Raul, a Sidley Austin partner; John Smith, Raytheon vice president, legal, cybersecurity and privacy; and Michael Sulmeyer, director of the Cyber Security Project at Harvard Kennedy School’s Belfer Center. See also “Deal Struck to Maintain the Transatlantic Data Flow” (Feb. 17, 2016).

  • From Vol. 2 No.6 (Mar. 16, 2016)

    Making Sense of Cybersecurity and Privacy Developments in the E.U.

    Two years after the European Commission set out its Cybersecurity Strategy, the data security and privacy landscape in the European Union is being reshaped. In this guest article, Eduardo Ustaran and Nick Westbrook, respectively a partner and associate in the London office of Hogan Lovells, explain why four new developments – the NIS Directive, the GDPR, PSD2 and the eID Regs – merit particular attention for companies. See also “The E.U.’s New Rules: Latham & Watkins Partner Gail Crawford Discusses the Network Information Security Directive and the General Data Protection Regulation” (Jan. 20, 2016).

  • From Vol. 2 No.5 (Mar. 2, 2016)

    Synthesizing Breach Notification Laws in the U.S. and Across the Globe

    Does your company have a comprehensive breach disclosure plan that complies with regulatory and legal obligations across the globe? In a recent panel held at Georgetown Law School, Harriet Pearson and Allison Bender, a partner and associate, respectively, at Hogan Lovells, discussed the changing legal landscape of breach notification obligations, including the proliferation of disclosure obligations at the state, national and transnational level, as well as disclosure obligations among organizations. See “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?” (May 20, 2015).

  • From Vol. 2 No.4 (Feb. 17, 2016)

    Deal Struck to Maintain the Transatlantic Data Flow

    Two days after the expiration of a deadline set by Europe’s data protection authorities, and after months of negotiations, the European Commission and U.S. Department of Commerce reached an understanding that intends to allow transatlantic transfer of digital data by thousands of companies to continue. With data flows impacting billions of dollars in bilateral trade at stake, the so-called “privacy shield” agreement “makes existing cooperation between the FTC and E.U. DPAs [data protection authorities] more robust, with better enforcement mechanisms and means of redress for E.U. citizens whose privacy rights may have been infringed by E.U.-U.S. cross border transfers,” Davina Garrod, a London-based Akin Gump partner told The Cybersecurity Law Report. However, she added that “the shield is by no means a panacea, and does not fix all of the problems identified by the [E.U. Court of Justice] in the Schrems judgment” that invalidated the previous safe harbor data transfer pact. We discuss the agreement, the important steps that remain before the privacy shield can be finalized, and the immediate impact on companies. See also “Dangerous Harbor: Analyzing the European Court of Justice Ruling” (Oct. 14, 2015).

  • From Vol. 2 No.3 (Feb. 3, 2016)

    Safe Harbor 2.0 Agreement Reached

    The European Commission has announced a new agreement with the U.S. for the transfer of data to replace the invalidated Safe Harbor pact. “For the first time ever, the United States has given the E.U. binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms,” E.U. Commissioner for Justice Věra Jourová said in a press release. We share an article from our sister publication, Policy and Regulatory Report (PaRR).

  • From Vol. 2 No.2 (Jan. 20, 2016)

    The E.U.’s New Rules: Latham & Watkins Partner Gail Crawford Discusses the Network Information Security Directive and the General Data Protection Regulation

    December was a busy month in Europe for data security and breach reporting, with representatives of the European Parliament, Council and Commission agreeing to a sweeping new data protection regulation, the General Data Protection Regulation (GDPR), in the “trilogue” process. The GDPR toughens European data privacy law, already at odds with U.S. privacy law, by issuing heavier fines for non-compliance and by imposing more stringent obligations for both data controllers and processors. It also expands the territorial scope to apply to any company processing data in the E.U. and companies outside the E.U. who offer goods and services to, or monitor the behavior of, E.U. residents. European Justice Commissioner Věra Jourová said that E.U. citizens and businesses “will profit from [these] clear rules that are fit for the digital age,” but many companies claim that the new law is less clear than originally hoped. The trilogue also announced its agreement on the proposed Network Information Security Directive, which is aimed at improving cybersecurity capabilities and mandating breach reporting in certain sectors. Latham & Watkins partner Gail Crawford explains the key points of each of these legal developments and what they mean for companies. See also “Seeking Solutions to Cross-Border Data Realities” (Aug. 26, 2015).

  • From Vol. 1 No.14 (Oct. 14, 2015)

    Dangerous Harbor: Analyzing the European Court of Justice Ruling

    An Austrian graduate student’s lawsuit against Facebook has resulted in the invalidation of a 15-year-old data privacy treaty relied upon by thousands of multinational companies. On October 6, 2015, the Court of Justice of the European Union (ECJ), the highest court in the E.U., held that the Safe Harbor framework that allowed companies to transfer personal data from the E.U. to the U.S., including data for cross-border investigations and discovery, is invalid. The ECJ found that the U.S. does not ensure adequate protection for personal data, primarily because of the access rights that the ECJ said U.S. agencies have. Although the ruling is immediate, the “sky is not falling,” said Harriet Pearson, a partner at Hogan Lovells. On October 16, 2015, a group of E.U. member state privacy regulators, the Article 29 Working Party, called for renewed negotiations on a treaty and recommended interim actions for companies. There will need to be a “transition to a more complex and perhaps a more work-intensive compliance strategy than Safe Harbor had previously afforded companies,” Pearson said. See also “ECJ Hearing on Safe Harbor Challenges How U.S. Companies Handle European Data,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

  • From Vol. 1 No.11 (Aug. 26, 2015)

    Seeking Solutions to Cross-Border Data Realities

    Transnational companies face complex challenges arising from their operations across jurisdictions, ranging from payroll logistics to responding to foreign governments’ evidentiary requests for digital data stored throughout the world. In this interview with The Cybersecurity Law Report, Bryan Cunningham, a partner at Cunningham Levy, and Paul Rosenzweig, a partner at Red Branch Consulting, both senior advisors to The Chertoff Group, discuss myriad issues in transferring digital data across nations that have different privacy regimes, potential solutions, and their take on pending cases that could change how companies handle data. See also “ECJ Hearing on Safe Harbor Challenges How U.S. Companies Handle European Data,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

  • From Vol. 1 No.11 (Aug. 26, 2015)

    Ropes & Gray Bolsters Privacy & Data Security Practice in Boston and London

    Ropes & Gray recently announced that Heather Egan Sussman and Rohan Massey have joined as partners in the firm’s privacy & data security practice. Sussman joins in Boston, and Massey joins in London. Sussman and Massey previously served as leaders of privacy & data security and technology practices at McDermott Will & Emery and, together with Doug Meal, will lead the privacy & data security practice at Ropes & Gray.

  • From Vol. 1 No.10 (Aug. 12, 2015)

    Can an Employee Be Liable for Inadvertently Providing Security Details to a Fraudulent Caller?

    An investment management firm’s CFO allowed a fraudulent caller to obtain security details leading to the illegitimate transfer of nearly $1.16 million from the firm’s accounts and is liable for the damages, a new claim filed in the U.K. High Court of Justice alleges. The firm says that its CFO acted negligently and in breach of his contractual, tortious and fiduciary duties in failing to protect assets in corporate bank accounts. The CFO – who believed he was providing security details to a member of the anti-fraud team of the firm’s private bank – denies these allegations, asserting that he was acting honestly, in what he reasonably and genuinely believed to be the best interests of his employer. We examine the claim, the defense, and six issues the case raises relating to cybersecurity and employees. See also “Analyzing and Mitigating Cybersecurity Threats to Investment Managers (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 3 (May 6, 2015); Part Two of Two, Vol. 1, No. 4 (May 20, 2015).

  • From Vol. 1 No.1 (Apr. 8, 2015)

    ECJ Hearing on Safe Harbor Challenges How U.S. Companies Handle European Data

    Can U.S. companies continue to rely on the Safe Harbor program that permits them to transmit and store data originating in the E.U. despite the E.U.’s stricter privacy laws? The European Court of Justice is now considering how and where U.S. companies are permitted to handle E.U. data. The court heard arguments in Luxembourg on March 24, 2015 related to Austrian Facebook user Maximilian Schrems’ challenge to the 15-year-old Safe Harbor structure. Clara Rosales Rosado of Policy and Regulatory Report (PaRR), a sister publication of The Cybersecurity Law Report, talked to Schrems about the case and his strategy and reported on the hearing.
