One of the biggest challenges faced by data controllers today is the ever-looming risk of cyber attacks. Vulnerabilities in systems and devices can result in not only the loss of vast amounts of personal data and the potential for ransom demands but also the imposition of hefty fines by authorities for neglecting proper technical and organizational security measures. In the case of home devices, vulnerabilities can have alarming consequences, such as hackers exploiting baby monitors to spy on infants.

The European Union is once again at the forefront of cybersecurity with its proposed Cyber Resilience Act, whose text was debated recently in a meeting of the Cyber Working Party on 21 June 2023 and will be discussed further later this month. This act aims to bolster the defenses against cyber threats and, in turn, protect the information stored in electronic devices.

Although the Cyber Resilience Act is intended to protect all kinds of data, and not only those associated with natural persons, this article will focus on the implications in the realm of personal data protection.

The Cyber Resilience Act: A Quick Rundown

The Cyber Resilience Act is a legislative proposal that introduces new security requirements for connected devices within the European Union. The biggest impact of the Act for manufacturers is the establishment of security standards listed in its Annex I, seeking to ensure an appropriate level of cybersecurity based on the specific risks of each device. With the act in force, manufacturers will need to ensure that they develop and produce secure products that adhere to these standards before launching their products in the EU market.

Another novel feature of this Act is the obligation on manufacturers to report cybersecurity incidents and actively exploited vulnerabilities. The latter are security loopholes that are known to be exploited by hackers but have not yet been fixed, and the obligation covers both attempted and successful security breaches. By mandating the timely reporting of vulnerabilities, the Act aims to enhance transparency and public awareness, increase the motivation for manufacturers to maximize the security of their products, and give data subjects the tools to make informed decisions. However, some note that this reporting of vulnerabilities may also be a risk if manufacturers do not fix them fast enough, or if users do not install the updates in a timely manner.

Manufacturers are required to send an early warning within 24 hours of becoming aware of an actively exploited vulnerability, followed by a more detailed report within three days. This report should include information on the vulnerability, its remediation status, and any mitigating measures taken. Additionally, manufacturers are obligated to publicly disclose information on fixed vulnerabilities unless security risks outweigh the benefits. This public disclosure allows any concerned users to take necessary actions to protect their data, such as downloading and installing the relevant patch.

Moreover, the Act recognizes the cross-border nature of cybersecurity and establishes a pathway for the creation of a Pan-European reporting platform. Under this framework, all notifications regarding vulnerabilities are to be submitted to an electronic notification endpoint in the EU country where the manufacturer’s primary establishment is situated. Subsequently, these national endpoints will send the information to a unified reporting platform overseen by the European Union Agency for Cybersecurity (ENISA). This guarantees that pertinent authorities receive timely information about vulnerabilities and can collaboratively address the issue across the EU.

Implications for Personal Data Protection

The Cyber Resilience Act has several positive implications for privacy. Firstly, by enforcing strict standards of cybersecurity in the development and production of new devices, the Act creates an ecosystem where security is ingrained in the product development cycle. Secondly, by creating reporting obligations, the Act ensures that vulnerabilities are addressed promptly, reducing the risk of personal data breaches and protecting the privacy of individuals. Thirdly, the Act empowers consumers by ensuring they are informed about the vulnerabilities in their devices and the measures they can take to protect their personal data.

From the perspective of data controllers, particularly those who serve as manufacturers of devices regulated by the Act, compliance requirements are raised to an even higher threshold. Adhering to the security requirements listed in Annex I may pose a technical challenge for some companies. Additionally, they will have to comply with reporting obligations regarding vulnerabilities, even those that have already been fixed, regardless of whether personal data was affected or not. Neglecting to fix known vulnerabilities may also result in reputational consequences for data controllers.

Awaiting Activation

While the Cyber Resilience Act holds the promise of enhancing personal data protection across the EU, it is still uncertain when, or if, the Act will come into force. It is currently a proposal under discussion and will need to go through several more steps before becoming law, and its text will probably undergo some changes before entering into force.

It remains to be seen whether this new legislation will inspire other countries to adopt similar rules, as we have seen with the GDPR and other European regulations.