Those of you hoping that this post will announce the conclusion of the General Data Protection Regulation will be disappointed. That stocking remains to be filled. There are, however, various other relevant legislative updates from Brussels worth pointing readers in the direction of.
- As was widely reported last week, the trilogue process has reached an agreed text for the new Directive on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. Under the new Directive, air carriers will be obliged to provide member states’ authorities with the PNR data for flights entering or departing from the EU. It will also allow, but not oblige, member states to collect PNR data concerning selected intra-EU flights. The European Council has trumpeted various data privacy safeguards in the new text, and the final approved version is awaited to see exactly how that will work. The draft will be voted on by the Parliament next, but is likely to be finally approved in the course of next year. The UK has expressly opted in to the PNR Directive.
- The EU institutions have now approved a final text of a new cyber-security Directive. The aim of the Directive is to put an end to current fragmentation of 28 cyber-security systems by listing sectors – energy, transport, banking, financial market, health and water supply – in which critical service companies will have to ensure that they are robust enough to resist cyber-attacks. Some internet services providers, such as online marketplaces (e.g. eBay, Amazon), search engines (e.g. Google) and clouds, will also have to ensure the safety of their infrastructure and to report on major incidents. The final text has not yet been published as it awaits formal sign-off, but is likely to be available early in the new year.
- The Commission’s Digital Single Market has also seen a step forward this week with a proposed draft Directive on certain aspects concerning contracts for the supply of digital content, looking to harmonise the law in respect of cross-border trade in digital content. The proposal is part of the wider e-Commerce regulation the EU is engaged in, and the Commission’s proposal expressly notes that it is intended to comply with the Data Protection Directive and the e-Privacy Directive.