Resilience is a prerequisite for agility
On the basis of the Digital Single Market Strategy adopted in 2015, Europe has taken a number of measures to enhance the digital single market, facilitate the supply of and access to digital services, and remove market barriers. This includes various regulatory measures, of which regulation on data protection and cybersecurity is of particular importance. Since 2013, the protection of digital markets from manipulation and spying has become a key political issue. Edward Snowden’s disclosures of the activities of the NSA, alleged cases of Chinese economic espionage, and the numerous data leaks in the electoral sphere, presumably by Russian actors, have considerably intensified the discussion. In recent years, many foreign companies from South America, Asia, and the Arab regions reacted to these revelations by moving their virtual services to Europe – a trend we can expect to accelerate. It is precisely because IT security and data protection are increasingly vital to today’s business models that EU regulations will have a positive impact on European digital innovation and competitiveness.
In 2016, the European Parliament and the Council adopted two major pieces of legislation: the EU’s General Data Protection Regulation (GDPR) and the EU Directive on Network and Information Security (NIS Directive). The GDPR replaces the previously nationally regulated data protection laws with new rules that apply throughout Europe. When the Regulation becomes applicable in May 2018, all companies that do business in the European single market will be subject to uniform data protection standards. The market location principle provided for in the Regulation ensures that non-European service providers – especially global platforms such as Google, Apple, Facebook, and Amazon – must also comply with European law when they offer goods or services to people in the EU or monitor their behavior.
Data protection compliance
Many of the new rules are based on the well-known (and high) German standard. Most significantly, the GDPR tightens compliance pressure. Companies need to do much more to ensure, and to be able to prove, that data protection rules are observed. The reporting obligation for data protection violations has been made considerably stricter: the supervisory authority and, in serious cases, the affected persons must be informed promptly if data breaches, hacker attacks, or malpractice have resulted in data protection violations. The rights of data protection officers are strengthened. Above all, however, heavy fines are introduced. A serious breach of the data protection law can cost up to 4% of the company’s global annual turnover (or 20 million euros, whichever is higher). The GDPR also recognizes and strengthens the importance of technology for compliance with data protection. The requirements for the security of the systems used for the processing of personal data are increased, “privacy by design” is prescribed, and data protection impact assessments must be carried out for high-risk processing and, in certain cases, submitted to the supervisory authority before processing begins.
The NIS Directive follows a similar regulatory strategy. It was originally drafted primarily to protect critical infrastructure from digital attacks. Operators of such infrastructures – from energy supply to hospitals, from food wholesalers to banks and insurance companies – must meet considerable technical requirements. Here, too, there is a duty to report security incidents to the authorities, and fines may be imposed for insufficient security measures.
In addition to critical infrastructures, European legislators have also decided to regulate certain particularly important digital services. This addresses the “critical infrastructure of the digital space”: online search engines such as Google, online marketplaces such as eBay or Amazon, and the cloud services that all the major platforms offer. These services must also adopt technical measures that are “state of the art,” report incidents, and face substantial fines if they fail to do so. Unlike the GDPR, the NIS Directive is not directly applicable but must be transposed into national law by the Member States by May 2018. Because of its forthcoming Bundestag elections, Germany was the first country to do so. Its IT Security Act (IT-Sicherheitsgesetz), adopted in 2015, had already been amended to meet the requirements of European law, so that companies operating in Germany will fall under the tightened law as early as the summer of 2017.
Averting disaster, welcoming opportunity
Data protection and IT security are often central to infrastructure digitalization and to digital business models. This applies, for example, to the digitalization of payment transactions and the handling of customer data that comes with it.
Take, for example, the digitalization of energy supply. At the core of planning for a more decentralized and flexible energy supply with a much higher share of renewable energies is the installation of digital meters (“smart meters”) in private households. Whether these devices could be hacked and who has rights to access their generated data are issues that play a significant role in the social and regulatory debate.
A comparable situation has emerged with the digitalization of the health care sector, in which a multitude of highly sensitive data is generated and collected. That this can improve the delivery of health care services is undeniable. Yet the possibility of externally manipulated medical devices – from pacemakers to insulin pumps – is a terrifying scenario. Unsurprisingly, eHealth initiatives and health care startups face particularly stringent security requirements from European legislators.
Much has been said about the value of Big Data and the major innovations made possible by digital networks. Europe is undoubtedly the market leader for secure and trustworthy digital services, and uniform data protection and IT security rules will make network operators even more resilient. Despite higher compliance requirements and the related implementation costs for companies, the new rules open up opportunities for the single market. A significantly higher overall level of security and data protection strengthens Europe’s importance as a digital market in the competition between global markets.