In the European Union, cyber statutes and regulations are enforced at EU member state level. This means that in each EU member state, different governmental agencies and authorities are tasked with ensuring compliance and, where needed, sanctioning infringements of cyber statutes and regulations. The precise roles of these agencies and authorities, as well as their powers, vary from member state to member state.
Under the General Data Protection Regulation (GDPR), each EU member state has established one or more supervisory authorities (also referred to as data protection authorities) in charge of monitoring compliance with the GDPR on its territory. They also have jurisdiction over the processing of personal data carried out by a ‘controller’ or ‘processor’ (as defined below) not established in the European Union that targets individuals residing in their territory.
The GDPR, as well as EU member state law supplementing the GDPR, provides data protection authorities with a wide range of investigation and enforcement powers. They include powers to:
- order a controller or processor to provide information;
- conduct audits;
- access premises and data;
- issue warnings and reprimands;
- order controllers and processors to bring their practices in compliance;
- ban data processing activities (including cross-border data transfers); and
- impose administrative fines.
Administrative fines for GDPR infringements relating to cyber incidents can reach up to €10 million or 2% of the undertaking’s worldwide annual revenues of the previous financial year, whichever is higher. Administrative fines can reach up to €20 million or 4% of the undertaking’s worldwide annual revenues of the previous financial year if the controller or processor is deemed not to have met its overarching obligation to comply with the GDPR’s basic data protection principles, including the ‘integrity and confidentiality’ principle.
In addition to these enforcement powers, data protection authorities are empowered to bring GDPR infringements to the attention of judicial authorities and, where appropriate, to commence or engage otherwise in legal proceedings in accordance with national laws and procedures. The GDPR does not explicitly provide for criminal penalties, but some EU member state laws include the possibility of imposing criminal sanctions in case of (serious) infringements of data protection law.
Where cross-border data processing is carried out either through multiple establishments in the European Union or by only a single establishment, the data protection authority for the main or single establishment acts as lead authority in respect of that cross-border processing. However, the lead authority must cooperate with other ‘concerned’ authorities, and all authorities are expected to exchange information and reach consensus on possible enforcement action. If the lead authority and the concerned authorities do not agree, the GDPR’s consistency and dispute resolution mechanism applies. A key role is played here by the European Data Protection Board, which is an independent EU body composed of representatives of the EU member state data protection authorities and the European Data Protection Supervisor. Its main task is to contribute to the consistent application of data protection rules throughout the European Union and to promote cooperation between the EU data protection authorities. This includes adopting a binding decision if a lead authority and the concerned authorities cannot reach consensus on the enforcement action to be taken in case of a GDPR infringement.
Pursuant to the Network and Information Systems (NIS) Directive, EU member states are required to designate one or more competent authorities that have the necessary powers and means to assess the compliance of operators of essential services with the NIS Directive’s security and incident notification requirements. The NIS Directive further requires that EU member states provide the competent authorities with the power to conduct security audits into the compliance of operators of essential services. They must also be able to issue binding instructions to operators of essential services with a view to remedying any deficiencies identified as a result of a security audit. When addressing cybersecurity incidents that also constitute personal data breaches (as defined in the GDPR), the competent authorities must closely cooperate with the data protection authorities in their jurisdiction.
In addition, the competent authorities are tasked with acting – if necessary, through ex post supervisory measures – against digital service providers that do not meet the security and incident notification requirements imposed by the NIS Directive. Their lack of compliance can also be demonstrated by a competent authority of another EU member state where the digital service is being provided. If a digital service provider has its main establishment or a representative in one EU member state, but its network and information systems are located in another, the competent authority of the EU member state of the main establishment/representative and the competent authority of the other EU member state are required to cooperate and assist each other as necessary. Competent authorities must have the powers and means to require digital service providers to provide any information necessary to assess their compliance and to remedy any non-compliance. Depending on the EU member state, the range of enforcement actions that a competent authority can take includes serving information notices, conducting inspections, serving enforcement notices and ultimately issuing monetary penalties.
Civil penalties for violation of NIS Directive requirements are issued against operators of essential services and digital service providers, which are typically legal entities. Whether criminal penalties can also be imposed – potentially against directors, officers or employees – depends on the laws of the EU member state in question.
In terms of territorial reach, digital service providers that are not established in the European Union but offer their services within the European Union are required to designate a representative for NIS Directive purposes, which must be located in an EU member state. In that case, the competent authorities of the EU member state in which the representative is located have jurisdiction over the digital service provider (established outside of the European Union).
The e-Privacy Directive leaves it to EU member states to establish their own penalties, including criminal sanctions, applicable to infringements of e-privacy rules. The e-Privacy Directive requires only that the penalties provided for be effective, proportionate and dissuasive, and that they be applied to cover the period of any infringement, even where the infringement has subsequently been rectified. Each EU member state has designated a competent national authority in charge of monitoring compliance measures taken and promoting best practices among providers of publicly available electronic communications services. The competent national authorities have the power to order the cessation of e-privacy infringements. They can be assisted by other national bodies with the necessary investigative powers and resources to obtain any relevant information needed to monitor and enforce provisions adopted by the EU member state pursuant to the e-Privacy Directive. The e-Privacy Directive further encourages regulatory authorities at EU member state level to adopt measures to ensure effective cross-border cooperation in the enforcement of the e-privacy rules and to create harmonised conditions for the provision of electronic communications services involving cross-border data flows.
The principles of security supervision and enforcement under the European Electronic Communications Code (EECC) are a continuation of the e-privacy rules; however, there will be a number of important changes once the EU member states have transposed the EECC into their national laws (by the end of 2020). Pursuant to the EECC, EU member states will have to ensure that their national competent authorities have the power to receive assistance from national computer security incident response teams (CSIRTs). These national competent authorities will also have to consult and cooperate with other authorities, such as law enforcement, authorities under the NIS Directive and data protection authorities under the GDPR. In addition, telecoms authorities at EU member state level shall have the power to require that providers of public electronic communications networks or publicly available electronic communications services mitigate significant threats and take preventive measures within a certain timeframe (even before an actual security incident has occurred).
According to the EU Agency for Cybersecurity (ENISA), enforcement vis-à-vis ‘over-the-top’ (OTT) providers will bring new challenges to the national competent authorities. Incidents affecting OTT communications services will be mostly cross border, and therefore close cooperation between the national competent authorities will be needed in order to allow for effective and efficient supervision.