Developments in the European Union: NIS Directive, Data Protection Reform, EP’s response to U.S. surveillance

Prior to the forthcoming parliamentary elections in May 2014, the European Parliament (EP) was successful in adopting several significant proposals influencing the European Union’s developments in cyber security and data protection. The Parliament approved the draft Network & Information Security (NIS) Directive, supported the Commission’s data protection reform by endorsing the General Data Protection Regulation and the Police and Criminal Justice Data Protection Directive, and passed a resolution on findings and recommendations with regard to the U.S. National Security Agency’s surveillance program.

European Parliament passes the Network & Information Security Directive

The NIS Directive (also known as the Cybersecurity Directive) was first proposed in February 2013 by the European Commission (EC) as a significant part of the EU Cybersecurity Strategy. The draft Directive1 passed the European Parliament by a large majority on 13 March 2014,2 and the final text of the Directive will now be negotiated in the EU legislative bodies. Neelie Kroes, EU Commissioner for the Digital Agenda, expressed the ambitious aim of reaching a final agreement by the end of 2014.3

The purpose of the Directive is to guarantee a high common level of NIS across the EU through a set of comprehensive measures that will create cooperation and information sharing mechanisms and set minimum requirements for a broad scope of public and private actors.4 For example, Member States are expected to adopt national NIS strategies, designate an NIS authority, set up national CERTs and cooperate closely with EU institutions.

Perhaps the most contested aspect of the Directive relates to the scope of private companies which fall under the proposed security and reporting requirements. In addition to setting requirements for the providers of critical infrastructure such as private companies in the energy, transport, financial services and health sectors, the initial proposal by the EC also targeted the ‘enablers of key internet services’. These services include cloud computing, search engines, social networks and app stores.5 The exemption of the ‘internet enablers’ from the list is considered one of the main reasons why the Directive was successfully passed in the EP.6

The EU has been criticised for trying to achieve greater cybersecurity by creating additional regulation. This contrasts with the US approach, which is industry-led and on a more voluntary basis.7 Nevertheless, when fully implemented, the Directive will serve as a global standard for cybersecurity.3

Moving forward with data protection reform

The EU is also moving forward with the data protection reform initiated in 2012.8 The EP passed the compromise texts of the General Data Protection Regulation9 and the Police and Criminal Justice Data Protection Directive10 on 12 March 2014. This development can be considered an important step in data protection reform since it confirms the approval of the EP just before the parliamentary elections in May.11 Before final adoption, the Regulation and the Directive will be submitted to the EU Council of Ministers and be subject to trilateral negotiations between the EU legislative bodies. The Commission hopes for the regulation to become law in late 2014.12

The aim of the General Data Protection Regulation is to unify and update data protection laws across the European Union. The Regulation would supersede the 1995 Data Protection Directive (95/46/EC) which, inter alia, does not take into account developments such as social networks and cloud computing.13 The scope of the Regulation goes beyond the borders of the EU and it will also apply to all non-EU organisations involved in processing the data of EU citizens.3

Dealing with data protection in the context of law enforcement, the Police and Criminal Justice Data Protection Directive is also a significant part of the overall data reform process.14

As expressed in the EU’s press release of 12 March 2014, the need to harmonise data protection standards in Europe is seen as a ‘necessity’3 and a sense of urgency to the issue has been fostered by the recent U.S. spying scandals.3

European Parliament’s response to the U.S. surveillance

The Snowden revelations alleging that the U.S. has conducted mass surveillance of EU citizens were also the driving force behind a six-month investigation carried out by the Committee for Civil Liberties, Justice and Home Affairs (LIBE). The findings and recommendations of the committee were wrapped up in a resolution15 approved by the EP on 12 March 2014. As a sign of consent, the Resolution was backed by an overwhelming majority.16

In addition to describing the scope of the surveillance, the Resolution requested measures which could negatively influence the cooperation between the EU and the United States. The resolution called for ‘(1) withholding the Parliament’s consent to the Transatlantic Trade and Investment Partnership if European data protection principles are not fully respected; (2) suspending the Terrorist Finance Tracking Program until alleged breaches of the underlying data disclosure agreements have been fully clarified; and (3) suspending the Safe Harbor Framework immediately, alleging that it does not adequately protect European citizens’.17 The Parliament also declared its support for more Europe-based cloud providers and suggested a ‘European whistle-blower protection programme’.18 From the perspective of data protection, the suspension of the Safe Harbor Framework would be the most important development since it could disrupt U.S.-EU data flows. The Safe Harbor Framework essentially provides a method for U.S. businesses to transfer personal data from the EU in accordance with the EU Data Protection Directive (95/46/EC).19

The revelations have had a negative effect on transatlantic relations, but the legal implications of the Resolution will likely be limited. This is because the EC is the only organ that has the mandate to formally renegotiate agreements and is unlikely to share the view of the Parliament on this issue.20 Indeed, on 27 March 2014, the EU was still able to issue a communiqué with the US emphasising further cooperation on cybersecurity.21

  1. European Union, European Parliament legislative resolution of 13 March 2014 on the proposal for a directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union (COM(2013)0048 – C7-0035/2013 – 2013/0027(COD)), 13 March 2014, available at:…
  2. European Commission, “Great news for cyber security in the EU: The EP successfully votes through the Network & Information Security (NIS) directive,” press release, March 13, 2014.
  3. Ibid.
  4. Waszin, Paul. “Network and information security (NIS): EU Strategy and Directive,” Lexology, May 4, 2013, available at:…
  5. Young, Mark. “European Parliament Votes to Ensure that the Proposed Network and Information Security Directive Focuses on Protecting Critical Infrastructure,” Inside Privacy, March 14, 2014.…
  6. Shooter, Simon. “MEPs vote strongly in favour of the proposed European Cybersecurity Directive,” Lexology, March 14, 2014.…
  7. Shooter, S. and Bond, T. “European Cybersecurity Directive moves closer to becoming a reality,” Bird & Bird, February 17, 2014, available at:…
  8. See also NATO CCD COE Cyber Security Status Watch 2013 Q4 report.
  9. European Union, European Parliament legislative resolution of 12 March 2014 on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM(2012)0011 – C7-0025/2012 – 2012/0011(COD)), 12 March 2014.…
  10. European Union, EP legislative resolution (COM(2012)0010 – C7-0024/2012 – 2012/0010(COD)), 12 March 2014.…
  11. Lovells, H., Bodewits, J. and Cohen, B. “European Parliament overwhelmingly approves Data Protection Regulation,” Lexology, March 14, 2014.…
  12. European Commission, “Data Protection Day 2014: Vice-President Reding calls for a new data protection compact for Europe,” press release, January 28, 2014.
  13. M Law Group, “New draft European data protection regime to apply also to all US companies processing data of European residents,” February 2, 2012.
  14. For more, see European Commission, “Progress on EU data protection reform now irreversible following European Parliament vote,” press release, March 12, 2014.
  15. European Union, Committee on Civil Liberties, Justice and Home Affairs report (2013/2188(INI)), 21 February 2014, available at:…
  16. Backed by 544 votes to 78, with 60 abstentions.
  17. Hunton & Williams, “European Parliament Adopts Draft General Data Protection Regulation; Calls for Suspension of Safe Harbor,” Hunton Privacy (blog), March 12, 2014.…
  18. European Parliament, “US NSA: stop mass surveillance now or face consequences, MEPs say,” press release, March 12, 2014.…
  19. See more on the U.S.-EU Safe Harbor Framework: U.S.-EU Safe Harbor Overview.
  20. Steinhardt, E. and Tielemans, H. “European Parliament Adopts Report Threatening Disruption to U.S.-EU Data Flows and Upcoming Trade Agreements; However, Legal Impact is Muted,” Inside Privacy, February 12, 2014.…
  21. Chabrow, E. “U.S., European Union Issue Cyber Accord,” Bank Info Security, March 27, 2014.