MARKET - Market Analysis - Policy Framework and Legislation - Legislation

Typically, PACs innovators need to consider legislative issues from several commercial contexts, including PACs-specific legislation, legislation in the wider ICT context, specific legislation relating to target industry verticals that impact on the context in which the PACs solution is deployed, legislation relating to intellectual property or technology transfer, issues relating to competition law, and so on. All areas are highly relevant and may impact on the PACs innovator depending on context. Highly regulated industries where PACs requirements are most stringent (e.g. finance, healthcare, utilities etc.) will have their own specific security requirements which are beyond the specific scope of this report. Relevant PACs-specific legislation will also exist at pan-national and national levels this section highlights key PACs-focused legislation issued at government and pan government levels in the EU and US context.

Table 8.4 summarises the key EU legislation initiatives focusing on security and privacy issues at present. This chapter presents key EU and global legislation (bills, acts, and directives) impacting on the PACS domain. There is a degree of synergy between policy and legislation as one will inform the other and vice-versa. Increasing enforcement of such directives is likely and is already occurring [ECON1_14]; recent rulings enforcing user’s “right to be forgotten” around mined search engine content is one example, with Google now receiving almost 30 million data removal requests as of August 2014 [GOO14].


Table 8.4 – Summary of Key EU Regulations in the PACs context

Title Summary

EU Data Protection Directive (existing)

(Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data)

Current reference text, at European level, on protection of personal data, i.e. any information relating to an individual, whether it relates to his or her private, professional or public life. Key personal info in scope include  names, photos, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address. Scope of PII is likely to expand further in future legislation.

Directive sets up a regulatory framework which seeks to strike a balance between a high level of protection for the privacy of individuals and the free movement of personal data within the EU. Also demanded that each EU Member state set up an independent body responsible for data protection.

Directive applies to data processed by automated means (e.g. a computer database of customers) and data contained in or intended to be part of non- automated filing systems (traditional paper files). Directive states that personal data may be processed ‘only if the data subject has unambiguously given his/her consent or where processing is necessary’.  If it comes to a conflict between rights of the data subject and the free movement of information, then the rights of the data subject will take precedence. This includes data transferred across all the EU Member States and any third countries outside the EU. Personal data may only be transferred to third countries if that country provides an adequate level of protection.

To facilitate processing of EU citizen’s data by US-based companies, a  Safe Harbour derogation was agreed. This is a voluntary set of 9 principles (notice, choice, onward transfer, security, data integrity, access, and enforcement) that companies in the US sign up to protect the data privacy of EU customers. Over 3000 companies have signed up to this agreement.

Original directive published in December 1995, with amending regulation entered in November 2003. Set to be repealed by the new General Data Protection Regulation (see below). 95/46/EC was not developed to consider important aspects like globalization and technological developments like social networks and cloud computing sufficiently, hence it was determined that new guidelines for data protection and privacy were required.


New General Data Protection Regulation


Considerable changes in technology, combined with significant differences in how individual member states implemented 1995 directive were key motivating factors for the new regulation, which was officially published in January 2012.

Regulation looks to enforce a single pan-European set of rules, more stringent reporting guidelines, mandatory Data Protection Officers (DPOs) in key organisations, more explicit forms of consent from data providers, and stricter fines for non-compliance.

Negotiations between European Parliament, Council and Commission are still ongoing, with expected adoption from 2014, and enforcement anticipated from 2016/17.


Network and Information Security Directive


Proposed in response to recommendations in the EU Cyber Security Strategy, directive requires  Member States and operators of critical infrastructures, such as energy, transport, and key providers of information society services (e-commerce platforms, social networks, etc), as well as public administrations to adopt appropriate steps to manage security risks and report serious incidents to the national competent authorities.

Also would require that member states would put in place a minimum level of national capabilities by establishing NIS national competent authorities, by setting up well-functioning Computer Emergency Response Teams (CERTs), and by adopting national NIS strategies and national NIS cooperation plans; also such that NIS national competent authorities will have to exchange information and to cooperate so as to counter NIS threats and incidents.

Organisations that will be impacted by the directive are diverse, across both public administrators and market operators. The latter can be defined as organisations operating in sectors related to categories of critical infrastructures (energy, transport, banking, financial market infrastructures and health). It is estimated that around 42,000 market players in addition to public administrations across the EU will be covered by the provisions of the Directive.

Proposed as part of the EU Cyber Security strategy in February 2013, passed my European parliament in March 2014, expected to become law, and is expected to become law in 2015


E-Privacy Directive

(2002/58/EC, Privacy and electronic communications)

Focuses on regulating key issues such as confidentiality of information, treatment of traffic data, spam and cookies. Directive contains provisions that are crucial to ensuring that users can trust the services and technologies they use for communicating electronically.

Directive has been amended by Directive 2009/136, which introduces several changes, especially in what concerns cookies, that are now subject to prior consent. This ‘Cookie Law’ introduces the legal requirement for website owners to obtain the consent of users prior to ‘dropping or reading cookies’ on their browsers. Those setting cookies on a website must   (a) tell people that the cookies are there, (b) explain what the cookies are doing, and (c) obtain their consent to store a cookie on their device. The Directive requires all websites to get explicit approval from users before enabling cookies related to the user’s visit. Companies are also required to provide a detailed explanation of all cookies on the site. For any organisation failure to comply with the cookie directive could lead to fines or other penalties levied by the national data protection agency. In the UK for instance, a fine of up to £500,000 for serious breaches of the regulations can be levied.

Proposed amendment 2006/24/EC was also made with respect to data retention practices; however in April 2014, the Court of Justice of the European Union (“CJEU”) declared Directive 2006/24/EC (the “Data Retention Directive”) invalid, in particular deeming that it exceeded the limits of the principle of proportionality in conjunction with some specific fundamental rights protected by the EU Charter.

Source: (2002/58/EC)

Source: (2009/136)


Prominent US Legislation in PACs Context: PACs-related legislation in the US context is also rather fragmented at present, with regulations existing more so at the individual US-state levels rather than the overall federal levels. Also governance is provided more so at the sectoral level, particularly with regards to data privacy and data protection. Key Federal level initiatives however are highlighted in Table 8.5 below. 

Title Summary
Federal Information Security Management Act (FISMA), 2002

Key piece of legislation that governing information security management in the US, FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level.


Federal Information Security Amendments Act, 2013

Amendment of the 2002 FISMA Act above to re-establish the oversight authority of the Director of the Office of Management and Budget (OMB) with respect to agency information and security policies and practices.

Viewed as a more progressive step away from the checkbox approach to cybersecurity that was espoused by the FISMA Act. This more holistic view of cybersecurity in the US is seen as a necessity given that $65 billion has been spent on public sector cyber security since 2006 and still a number of critical breaches are evident [FED13].

Under the bill, each department secretary and agency director would be held accountable for their organisation's IT security. Although most federal agencies have Chief Information Security Officers (CISOs) to coordinate IT security activities, the new FISMA legislation would require them to have CISOs to develop, implement and oversee agency wide IT security programs.

A related piece is “A risk-based approach to information security is advocated, using automated tools for continuous monitoring of civilian, military and intelligence IT systems”


[ECON1_14] "The right to be forgotten - Drawing the line",

[FED13] [FED13] The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure – pg.4 -

[GOO14] Google Transparency Report,


Getting Started

Which type of company are you? Choose one of the options below and get a head-start.

Framework Overview

Navigate through the different parts of the Framework


Joomla! Debug Console


Profile Information

Memory Usage

Database Queries