What European data protection and privacy laws do we need to know? Part 1

(GDPR, ePrivacy Directive, DSA/DMA, NIS/NIS2)
European legislation on information technology and data privacy has moved to the forefront in recent years. On the one hand, this has created additional headaches for IT and legal departments; on the other hand, the regulations are designed to protect user data from extensive use and sale to advertising brokers, to put in place best practices in data management and protection, and to enhance resilience to cyber threats.
Let's take a look at the main acts and regulations in the field of data and privacy, which are worth knowing about not only for residents of the European Union.
General Data Protection Regulation (GDPR)
Implemented in May 2018, the GDPR is a comprehensive data protection law that sets out guidelines for the collection, processing, and storage of personal data of individuals within the EU and the European Economic Area (EEA). It also addresses the transfer of personal data outside these areas. The GDPR is known for its strict requirements and hefty fines for non-compliance.
It aims to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying data protection regulations within the EU.
Goals of the GDPR:
- Strengthen the protection of personal data and the privacy rights of individuals within the EU.
- Create a uniform data protection law across all EU member states.
- Give individuals more control over their personal data.
- Require businesses to be transparent about how they collect, use, and manage personal data.
- Encourage stronger data security measures among organisations to prevent data breaches and leaks.
Key points of the GDPR:
- Scope: Applies to all organisations operating in the EU and organisations outside the EU that provide goods or services to, or monitor the behaviour of, EU data subjects.
- Broadens the definition of personal data to include any information related to an identifiable individual.
- Requires organisations to obtain explicit consent to process personal data in certain situations, ensuring that consent is freely given, specific, informed, and unambiguous.
- Rights of individuals: including the right of individuals to access their data, the right to rectification, the right to erasure ("right to be forgotten"), the right to restrict processing, the right to data portability, and the right to object.
- Mandates the appointment of a Data Protection Officer (DPO) for organisations processing personal data on a large scale or handling special categories of data.
- Requires organisations to notify the relevant supervisory authority of data breaches within 72 hours of becoming aware of the breach, if it is likely to result in a risk to the rights and freedoms of individuals.
- Requires organisations to conduct Data Protection Impact Assessments (DPIAs) where data processing is likely to result in a high risk to the rights and freedoms of individuals.
- Introduces significant penalties for non-compliance, including fines of up to €20 million or 4% of the company's global annual turnover, whichever is higher.
The GDPR is considered one of the most stringent privacy and security laws in the world, setting a global standard for privacy rights and data protection.
ePrivacy Directive (Cookie Law)
Officially the Directive on Privacy and Electronic Communications, it complements the GDPR and specifically targets the processing of personal data in electronic communications. It's widely known for its regulations on cookies on websites, unsolicited email marketing, and the confidentiality of electronic communications.
Goals of the ePrivacy Directive:
- Protect the privacy of individuals and ensure the confidentiality of their communications over public electronic communications networks.
- Provide specific rules on the use of cookies and similar tracking technologies, requiring prior informed consent for their use.
- Establish rules on unsolicited communications for marketing purposes, often requiring prior consent from recipients.
Key points of the ePrivacy Directive:
- Applies to all providers of publicly available electronic communications services in the EU, including internet service providers and companies providing online communications services.
- Requires websites to obtain users' consent before using cookies or similar tracking technologies, except for where strictly necessary for the provision of the service.
- Requires that the confidentiality of users' electronic communications be maintained and that any interception or surveillance without consent be prohibited, except under specific conditions set by law.
- Prohibits unsolicited electronic marketing messages (spam) without prior consent, with some exceptions for existing customer relationships under certain conditions.
- Requires service providers to ensure the security of their services and to notify users and national regulatory authorities of significant security breaches affecting personal data.
- Sets out rules for the inclusion of individuals' personal data in public directories, requiring consent and giving individuals the right to determine the scope of their personal data included.
The ePrivacy Directive is currently under review for an update to become the ePrivacy Regulation, which aims to align more closely with the GDPR and address the advancements in electronic communications technologies. The regulation is intended to provide clearer rules and enhance privacy protection in the evolving digital landscape.
Digital Services Act (DSA) and Digital Markets Act (DMA)
Proposed in December 2020, these acts aim to create a safer digital space where the fundamental rights of users are protected and to establish a level playing field for businesses. The DSA focuses on legal obligations for digital services that act as intermediaries in connecting consumers with goods, services, and content. The DMA aims to ensure that the markets in which digital services operate remain fair and competitive.
The Digital Services Act (DSA) and the Digital Markets Act (DMA) are two separate legislative proposals introduced by the European Commission in December 2020 as part of the European Digital Strategy. Although they are distinct in their focus and objectives, they are often discussed together. While the DSA focuses on the responsibilities of digital services towards users, ensuring safety and accountability, the DMA addresses the economic power of large online platforms to maintain fair competition. Together, they represent a holistic approach to creating a fairer, safer and more competitive digital environment in the EU. Here's a brief overview of each of them:
Digital Services Act (DSA)
Objective: The DSA aims to modernise the legal framework for digital services by establishing clear responsibilities for intermediary service providers, such as social networks, online marketplaces, and other online platforms that host user-generated content. Its primary goal is to protect the fundamental rights of users online, ensure platform accountability, and foster innovation, growth, and competitiveness within the single market.
The DSA applies to intermediary service providers that offer their services to users based in the EU, regardless of where the intermediary service provider is established.
Key points:
- A clear set of obligations for digital services that act as intermediaries in their role of connecting consumers to goods, services, and content.
- Measures to protect users' fundamental rights online, including mechanisms for users to report illegal content and to appeal content moderation decisions.
- Rules for large online platforms to take risk-based actions to prevent abuse of their systems and to ensure the protection of minors and the integrity of their services.
- Transparency requirements for online platforms on their content moderation practices, advertising, and algorithmic processes.
- Legal framework for the provision of digital services across the EU with a coordinated approach to supervision and enforcement.
Digital Markets Act (DMA)
Objective: The DMA aims to ensure fair and open digital markets by setting rules for large online platforms acting as "gatekeepers" in the digital market. Currently, Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft are deemed as such. It focuses on companies that play a pivotal role in intermediating access to digital products and services, aiming to prevent them from imposing unfair conditions on consumers and businesses, thereby ensuring a level playing field for innovative digital services.
Key points:
- A set of criteria to designate certain large online platforms as "gatekeepers" subject to specific regulatory obligations.
- Prohibitions and obligations for gatekeepers to prevent unfair practices such as favouring their own services, imposing unfair conditions on businesses, or limiting interoperability.
- Rules to promote choice, fairness, and innovation, ensuring that users have more options and that smaller businesses can compete on more equal terms with larger companies.
- Enforcement mechanisms, including the possibility of fines and structural remedies for non-compliance.
Network and Information Security Directive (NIS Directive)
Enacted in August 2016, the NIS Directive was the first piece of EU-wide legislation on cybersecurity, introduced to ensure a high common level of network and information system security across the Union. It focused on key sectors that are vital for the economy and society at large, requiring Member States to be prepared and to manage cybersecurity incidents effectively.
The NIS Directive covered Digital Service Providers (DSPs) and Operators of Essential Services (OESs). OESs are public or private entities that provide services essential for the maintenance of critical societal and/or economic activities; the disruption of such services could have a significant impact on health, safety, security, economic or societal well-being. OESs are identified by each EU member state based on specific criteria set out in the NIS Directive, including the entity's importance for providing a critical service, the dependence of other sectors on that service, and the impact that disruption of the service could have. DSPs include companies that provide digital services within the EU, specifically covering three main categories: online marketplaces, online search engines and cloud computing services. Because DSPs operate at such large scale, their regulation is slightly different and less stringent.
The sectors affected by the regulation were Energy, Transport, Banking, Financial Market Infrastructures, Healthcare, Water Supply, Digital Infrastructure.
The NIS2 Directive is a revision of the original Network and Information Security Directive (NIS Directive) that came into force in January 2023, aiming to update and strengthen the EU's cybersecurity capabilities.
NIS2 replaces the term 'essential services' with 'essential entities' and introduces the concept of 'important entities', which includes entities that are not considered essential but still provide services that are critical to the economy and society.
The NIS2 Directive seeks to address some of the limitations and challenges encountered in the implementation of the original NIS Directive. It proposes to broaden the scope of sectors that are considered essential and therefore subject to stricter cybersecurity requirements. This includes more digital services and sectors, reflecting the changing technological landscape and the increasing reliance on digital infrastructure. The NIS2 Directive also aims to harmonise cybersecurity requirements across the EU, ensuring that all member states apply a consistent level of security measures and incident reporting.
Key aspects of the NIS2 Directive include:
- Expansion of the list of sectors considered critical and requiring enhanced cybersecurity measures: Waste Water and Waste Management, Public Administration, Postal and Courier Services, Manufacturing, Food, Space, Digital Providers and Research were added to the sectors introduced in the NIS Directive.
- Introduction of stricter supervisory measures for national authorities, along with stricter enforcement requirements, including harmonised sanctions across the EU.
- Enhancing the security and incident reporting obligations for companies in critical sectors (an early warning within 24 hours after becoming aware of an incident, a notification within 72 hours, and a final report no later than one month after the notification).
- Improving information sharing between relevant stakeholders and promoting a culture of cybersecurity across sectors.
The NIS2 Directive represents an important step in the EU's efforts to strengthen its collective cybersecurity resilience and protect its digital economy against emerging threats.
This is not an exhaustive list of regulations, so we will look at more in the second part of this article.
And we remind you that understanding local IT and privacy regulations (in the area where your business operates or your customers reside) helps organisations comply with legal requirements and avoid potential fines, sanctions and litigation. It also helps build trust with customers, clients and partners by demonstrating a commitment to protecting personal and sensitive information. Knowledge of these regulations helps organisations implement effective data protection and cybersecurity measures, reducing the risk of data breaches, cyber-attacks and unauthorised access to sensitive information, and protecting the organisation's assets and reputation.