EU-wide cybersecurity requirements to protect privacy and personal data
The EDPS published today its Opinion on a proposed Regulation laying down cybersecurity requirements for products with digital elements. Concretely, the proposed Regulation aims to set out EU-wide cybersecurity requirements for a broad range of hardware and software products and their remote data processing solutions. These include, for example, browsers, operating systems, firewalls, network management systems, smart meters or routers.
Wojciech Wiewiórowski, EDPS, said: “The cybersecurity of products with digital elements is of utmost importance to protect effectively individuals’ fundamental rights in the digital age, including their rights to privacy and data protection. Harmonised cybersecurity requirements across the EU should reduce the risks for Europeans of being victims of cyber-attacks and of the vast consequences that these may entail, such as the theft and misuse of their personal data.”
In its Opinion, the EDPS reiterates that under the General Data Protection Regulation (GDPR), an appropriate level of security of the processing of personal data must be ensured by controllers and processors. In addition, data protection principles must be embedded throughout the development of technologies that process personal data, including many products with digital elements. As such, the EDPS welcomes the proposed Regulation’s measures that would make security and data minimisation principles an essential part of the EU-wide cybersecurity requirements. Nevertheless, the EDPS strongly recommends to also include the data protection by design and by default principles as an essential part of these requirements.
Concerning the standardisation and certification on cybersecurity mentioned in the proposed Regulation, the EDPS suggests clarifying the type of synergies envisaged between the relevant bodies and organisations. This includes the European Data Protection Board, which brings together the national data protection authorities of the EU and the EDPS.
The EDPS highlights that the proposed European cybersecurity certificate under the cybersecurity standardisation and certification for certain products with digital elements should not serve as a replacement for the GDPR certification, which already guarantees compliance with the GDPR. It should be made clear in the proposed Regulation that the cybersecurity certificate does not mean that a particular product with digital elements is compliant with the GDPR.
The EDPS suggests clarifying the relationship between the proposed Regulation and EU data protection laws, specifically how these will interact in the area of market surveillance and enforcement. To this end, it is the EDPS’ opinion that the proposed Regulation should not affect, or seek to affect, existing EU laws that are already governing the processing of individuals’ personal data and the tasks and powers of independent data protection authorities.
Background information
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.
The legislative consultation powers of the EDPS are laid down in Article 42 of Regulation (EU) 2018/1725, which obliges the European Commission to consult the EDPS on all legislative proposals and international agreements that might have an impact on the processing of personal data. Such an obligation also applies to draft implementing and delegated acts. The statutory deadline for issuing an EDPS opinion is 8 weeks.