Cyber Trends and Investigations in Europe: A Practitioner’s Perspective

This is an Insight article, written by a selected partner as part of GIR's co-published content.

Cyber requirements under EU law and laws in the United Kingdom

Many organisations in the European Union and the United Kingdom, and those in the rest of the world that offer products or services to individuals in the European Union or the United Kingdom, associate cybersecurity with four letters: GDPR. However, the General Data Protection Regulation and its UK counterpart, the UK GDPR,[2] are only one thread in a patchwork of cybersecurity laws and best practices in the European Union and the United Kingdom that, when viewed together, comprise some of the most comprehensive security requirements faced by businesses in any region of the world. The challenge of complying with these laws is compounded by their extraterritorial effect. For example, a company with a single office in California offering holiday packages to individuals in the European Union or United Kingdom may be subject to the GDPR.[3] Accordingly, the extent to which digital business is now borderless means that the influence and scope of cybersecurity laws in the European Union and United Kingdom are no longer a strictly regional concern.

The development of the cybersecurity framework in the European Union and the United Kingdom has coincided with a wider appreciation of, and anxiety about, the value – monetary and otherwise – of personal information. Of particular alarm to individuals is the regularity with which data is compromised. These concerns are not unwarranted: in January 2023, it was reported that nearly 470,000 personal data breaches had been notified since the introduction of the GDPR in May 2018.[4] Even though cybersecurity is now firmly a board-level issue,[5] many businesses still have insufficient procedures in place to address the loss or disruption caused by cyberthreats. This chapter discusses how important it is that businesses address these gaps, as a matter of priority.

General Data Protection Regulation

The concept of personal data security in the European Union and the United Kingdom does not begin with the GDPR. Indeed, in requiring that data controllers and processors implement ‘appropriate technical and organisational measures’ to ensure a level of security appropriate to the risks of their data processing, the GDPR[6] closely tracks the language of the previous legislation (Directive 95/46/EC, the Data Protection Directive (DPD)), which states:

Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.[7]

The difference in approaches between 1995 and today is largely one of context, particularly given how much the way we interact with technology has changed, and the degree to which we now depend on it. Cybersecurity did not rank highly on legislative, corporate and public agendas in 1995. By contrast, high-profile hacks and the misuse of personal data are now so commonplace that enforcement actions arising from organisations’ cybersecurity failings have become a key priority for data protection authorities (DPAs), and one that all levels within a business need to engage with. Enforcement by DPAs in the European Union and the United Kingdom indicates that there continues to be a growing appetite to investigate and penalise infringements of the GDPR’s security principles,[8] with fines available under the GDPR of up to €20 million or 4 per cent of global annual turnover, whichever is higher[9] (though fines of such magnitude have not been imposed and all fines must be proportionate to the offence).[10] Practitioners should take a two-pronged approach to these requirements: first, by focusing on the technical and organisational measures that comprise an appropriate (i.e., compliant) security programme; and second (and relatedly), by remaining alive to the nuances that will often be required when advising on the GDPR’s mandatory data breach notification requirements.

Technical and organisational measures

Practitioners are advised to focus their assessment on an organisation’s policies and procedures relating to security, whereas a review of technical requirements or measures will usually be undertaken in conjunction with a third-party security provider. Ultimately, there is no one-size-fits-all approach to GDPR compliance and whether a programme is defensible will be assessed in each case.[11] That being said, certain baseline standards are likely to apply to most organisations, including network perimeter defences, malware protection, password policies and secure configuration.[12]

Mandatory breach notification

One of the changes brought in by the GDPR is the requirement to notify data breaches to the regulator and, in certain circumstances, to the individual.[13] The regulator must be notified without undue delay and within 72 hours of becoming aware of the breach,[14] otherwise the organisation may face liability of up to €10 million or 2 per cent of global annual turnover, whichever is higher.[15] The threshold for mandatory notification to a DPA is where there is ‘a risk to the rights and freedoms’ of individuals;[16] the requirements for notification to affected individuals are higher still.[17] Although certain breaches will be obviously reportable, some organisations appear to be struggling to assess breaches at the lower end of the spectrum that may not be reportable. In such cases, practitioners should consider any guidance issued by the European Data Protection Board (EDPB) (previously the Article 29 Working Party) or public statements made, and the enforcement actions taken, by the DPA to which a report would be required. Indeed, notwithstanding that the GDPR was designed to harmonise Member States’ disparate approaches to implementing the DPD, certain subtle differences in approach among DPAs are already becoming clear in the context of breach reporting.

With that said, most reportable breaches do not result in enforcement. A report by the UK Information Commissioner’s Office (the ICO, the United Kingdom’s DPA) is instructive: of the almost 35,000 data protection complaints the ICO received in 2021–2022, only 0.02 per cent resulted in regulatory action.[18] These figures should not be interpreted as meaning that the vast majority of breaches are not reportable. However, they do illustrate the point that organisations should not be overly cautious in their assessments of personal data breaches. Practitioners should be aware of the potential liability for failing to notify the regulator. However, if an organisation has undertaken a detailed and reasoned approach to investigating and analysing the breach, has carefully considered its impact (if any) and has documented why notification is not required, its assessment will often be shared by the DPA.

Network and Information Security Directive

Unlike the GDPR, which applies only to the processing of personal data, the Directive on Security of Network and Information Systems[19] (NISD) is concerned with network security and the continuity of services and applies both to personal and non-personal data. The NISD is the first EU-wide law on cybersecurity and regulates two types of entities: (1) operators of essential services, being critical organisations in the energy, transport, financial services, health, water supply and digital infrastructure sectors; and (2) providers of digital services, being online marketplaces, online search engines and cloud services providers. The NISD allows Member States to choose the maximum fines that their regulators can impose; in the United Kingdom, breaches of the NISD can result in penalties of up to £17 million. Like the GDPR, the NISD requires covered entities to implement technical and organisational security measures that are appropriate and proportionate to the risks posed[20] and to report all incidents that have a substantial impact on the provision of their services.[21] Both laws require covered organisations to consider ‘the state of the art’[22] measures and the risks posed to individuals in designing their security programmes. Although both regimes require notification to the appropriate authority (within 72 hours of becoming aware of a reportable incident under the GDPR, and ‘without undue delay’ under the NISD),[23] there are a number of key differences in the scope of these obligations. Incident reporting is stricter under the NISD, as any significant disruption of services must be notified. In contrast, although breaches under the GDPR must only be notified if the breach leads to destruction, loss, alteration, unauthorised disclosure of or access to personal data, the notification may require disclosure to a wider audience, namely DPAs and affected individuals.

A breach of one law can result in a breach of the other: for example, an avoidable hack of personal data under the GDPR could be separately enforced under the NISD. In such cases, regulatory guidance[24] suggests that dual notifications will be required. However, it is unclear whether separate but related actions will be brought by the regulators in such cases.[25]

NIS2 Directive

The NISD was replaced on 16 January 2023 by the NIS2 Directive,[26] following the announcement of intended reform to the NISD by the European Commission in December 2020. EU Member States must transpose domestic measures necessary for NIS2 compliance into national law by 17 October 2024, and the NISD is repealed with effect from 18 October 2024. Although the fundamental purpose of the NISD remains unchanged, the updated Directive expands and builds on the provisions of its predecessor. NIS2 expands the scope of the NISD to include a broader range of entities and sectors, the aim of which is to further improve the resilience and incident response capacities of public and private entities and competent authorities within the European Union.

NIS2 replaces the two categories of entity initially caught by the NISD – operators of essential services and operators of digital services – with (1) essential entities, which include those within the energy, transport, banking and health sectors, and (2) important entities,[27] which include postal and courier services, waste management and digital providers.

NIS2 reforms the incident reporting structure of the NISD by way of a phased reporting structure for any incident having a significant effect on the provision of services of the entity. An early warning must be given to the competent authority without undue delay and within 24 hours of becoming aware of the incident, an incident notification within 72 hours, updating and supplementing the information provided in the early warning, and then a full final report within one month.[28]

NIS2 also introduces a framework to strengthen cooperation between competent authorities in each Member State to coordinate the management of significant cross-border cybersecurity incidents and crises by establishing the European Cyber Crises Liaison Organization Network (EU CyCLONe).[29]

Network Information System Regulations

The NISD was implemented in the United Kingdom prior to Brexit through the Network Information System Regulations 2018 (the NIS Regulations),[30] which currently remain in effect. NIS2 does not have direct effect in the United Kingdom and so will not be implemented there; however, in January 2022, the UK government launched a public consultation on proposed legislative reforms to improve UK cyber resilience. The response to the consultation was published at the end of 2022, suggesting that the UK government would be implementing reforms to the NIS Regulations.[31] The proposed reforms are much more conservative than those implemented by NIS2; for example, the scope is to be expanded to include ‘managed service providers’, but this does not go as far as the expansion of NIS2. The UK government also does not propose shortening the 72-hour incident reporting obligation, as NIS2 does.

Cybersecurity Act

On 27 June 2019, the EU Cybersecurity Act[32] came into force, promoting an EU framework for cybersecurity certification and creating a permanent mandate for the European Union Agency for Network and Information Security (ENISA) to better support Member States in responding to cyberthreats and attacks. The Act strengthened coordination and cooperation in cybersecurity across EU Member States and EU institutions. The tailored certification schemes established under the Cybersecurity Act allow companies to certify specific categories of information and communication technologies (ICT) products, processes and services only once and obtain certificates that are valid across the European Union. The EU-wide cybersecurity certification framework enables companies in the ICT sector to demonstrate that their products and services meet one of three security standards (basic, substantial or high). The intention of the new rules is to improve trust for consumers, as they can choose between products (such as internet of things devices) that are cyber-secure. The one-stop-shop cybersecurity certification is expected to achieve cost savings and remove potential market barriers for enterprises. It is hoped that this will give companies the incentive to invest in cybersecurity and make this a competitive advantage.

Digital Operational Resilience for the Financial Sector Regulation

On 14 December 2022, the Digital Operational Resilience for the Financial Sector Regulation 2022/2554 (DORA)[33] was introduced. It will be directly effective across Member States as of 17 January 2025. DORA sets out uniform information system and network security requirements for the financial services sector across the European Union. A wide range of entities are in scope, including companies that operate within the financial services sector, such as investment banks and credit funds, and third parties who provide them with information technology (IT) services, such as data analytics. DORA’s extraterritorial effect goes beyond merely capturing entities based outside the European Union, such as third-party IT-related service providers contracting with financial entities captured by DORA: if these service providers are designated as ‘critical’, they will be required to establish a subsidiary within the European Union within 12 months of this designation.[34]

DORA imposes obligations on in-scope entities to perform independent digital operational resilience testing to assess their preparedness for handling IT-related incidents,[35] to implement and maintain internal governance frameworks and processes for managing, notifying and responding to IT risks, and to manage third-party risks, including by conducting diligence and incorporating prescribed conditions into contracts with vendors.

Trends

As technology moves faster than law, so technology crime continues to outpace innovations in security. Cybercriminals tend not to be sentimental – as one patch is rolled out, another vulnerability opens. That being said, we now consider some of the recurring themes in cybersecurity in the European Union and the United Kingdom, as well as highlighting the key trends of which practitioners should be aware.

Targets

Financial services

Given the volume and sensitivity of personal and confidential information that financial institutions process, and the increasing number and sophistication of cyberattacks, information security remains a high priority for the financial services sector.[36] As highlighted in a report on risks and vulnerabilities in the EU financial system by the Joint Committee of the European Supervisory Authorities, there is particular concern about the effects of the invasion of Ukraine by Russia and growing geopolitical volatility. The report highlights the increase in cybersecurity risks brought about by this, and the subsequent need to maintain appropriate technologies and control frameworks to respond to such threats and to ensure business continuity. Cyber insurers are also tightening the covenants in their agreements to protect them against losses under war-exclusion provisions.[37]

Following the outbreak of covid-19, most companies in the financial sector across the European Union, the United Kingdom and beyond switched to remote working, resulting in an uptick of digital activity. Many businesses have continued, and will continue, to utilise remote working,[38] and this greater use of a virtual environment will continue to put even more confidential data and ICT systems at increased risk of being targeted by hackers and other cybercriminals.[39]

Consumer-facing businesses

It should come as no surprise that consumer organisations are a prime target for cybercriminals, given the volume and range of data they hold and the variety of ways in which security weaknesses can be exploited – from credit card fraud, to identity and intellectual property theft, among others. At the same time, individuals now expect businesses to have robust security measures in place to protect their data and have a better awareness of their data protection rights. Translated quantitatively, a 2022 report concluded that the average cost of a data breach in the United Kingdom was about £4.2 million.[40] The regularity with which consumer-facing companies are suffering large data breaches (T-Mobile,[41] Virgin Media,[42] British Airways,[43] Ticketmaster[44] and Marriott International,[45] among many others) demonstrates just how difficult it has become for these organisations to give their customers peace of mind – and why criminals continue to target them.

Internet of things devices

Internet-connected devices offer criminals a wealth of opportunities to access personal data.[46] That much of this information reveals detailed, and often deeply personal, insights into individuals’ private lives makes it especially attractive to bad actors. Approximately 305 million internet of things units are predicted to be in use in the European Union and the United Kingdom by 2025,[47] including for use in ‘smart’ homes, cars, hospitals, airports and cities. Data about the time we leave and return home, how long we shower, and how much electricity we use can all be used to build profiles that are valuable. The result is that this abundance of new data, being stored in systems with multiple points of entry, is increasingly becoming accessible – and valuable – to cybercriminals. For this reason, the Cybersecurity Act’s certification scheme will have an important role in allowing manufacturers of internet-connected devices to demonstrate to consumers that data security is a fundamental aspect of their products and services.

The proposed EU Cyber Resilience Act (CRA), published by the European Commission on 15 September 2022, outlines baseline cybersecurity requirements for hardware and software products marketed in the European Union, including smart-home products and operating systems. The CRA will be the first legislation of its kind that is focused on the internet of things and proposes mandatory security assessments, information to be provided to consumers and vulnerability-handling procedures. Fines for non-compliance are proposed to be set at €15 million or 2.5 per cent of annual turnover, whichever is higher. The CRA is expected to be implemented by 2026 ahead of the European Union’s goal of digital transformation by 2030.

National infrastructure

Cyber incidents affecting critical information infrastructures can have debilitating effects on the security, economy[48] and health of societies,[49] the protection against which is a key pillar of NIS2. With the exception of state-sponsored actors, incidents involving national infrastructure are often less focused on access to information than the widespread disruption that results. The recent ransomware attacks in the United Kingdom on the National Health Service[50] and Royal Mail[51] are a case in point – in some divisions it took months to get essential services back online. Mirroring the challenges faced by financial services firms, the use of outdated technology in many core infrastructure systems compounds their exposure to even relatively unsophisticated cyberattacks.

Targeted information

Financial and payment data

Hackers most commonly target credit card and debit card details, including ‘skimming’ data from online retailers by introducing hidden code onto their websites.[52] They do so in spite of the requirements of the revised Payment Services Directive,[53] under which payment providers must implement measures to ensure the security of payment transactions and customer data. Criminals also use social engineering techniques, such as phishing campaigns and scam emails,[54] and sell financial data to third parties in online marketplaces.[55] In 2018, total card fraud in the European Union and the United Kingdom was 13 per cent higher than in the previous year, reaching a value of €1.8 billion from 21.05 million separate incidents, of which 79 per cent were carried out online (a 39 per cent increase over five years).[56] A crime survey for England and Wales stated that 2.3 million bank and card frauds were reported between April 2021 and March 2022.[57]

Traditional personal data

Personal data is any information that relates to an identified or identifiable living individual.[58] Online digital services have helped turn this data into a financially valuable commodity. Typically, it is targeted (1) to extort individuals (i.e., the victim pays to prevent disclosure), (2) to assist other frauds, and (3) to sell via online markets.[59] Of all the different types of data targeted by hackers, personal data is the most frequently obtained.[60]

Non-traditional personal data

Big Data – the use of large data sets produced by a diverse range of sources – is viewed by the European Commission as fundamental to the future knowledge economy.[61] As part of this drive, esoteric information about all aspects of human life is being collected by governments and businesses with the aim of driving innovation and efficiency.[62] This includes data about individuals’ voices, spending habits and gait, among other things, which can potentially constitute personal data.

Unethical data

Hacking is not always driven by financial or malicious intent; occasionally, ‘ethical hackers’ seek to expose unpopular or illegal behaviour. The targets of their activities are not limited to any particular industry or the size of the organisation. For example, in 2021, hackers exposed vulnerabilities in security cameras of hospitals, schools, factories, jails and corporate offices to call attention to the dangers of mass surveillance.[63] In 2015, a Canadian private company was targeted because it was seen to be promoting infidelity.[64] The Panama Papers exposed a multinational industry that facilitated fraud, tax evasion and the avoidance of international sanctions.[65] The most high-profile example is Edward Snowden, who disclosed information about the US National Security Agency and a global citizen surveillance programme.[66] Although less common than traditional hacking, cases of ethical hacking almost always hit newspapers’ front pages and can cause massive reputational harm, as well as potentially legal and regulatory consequences.

Type and nature of actors and actions

Brute force attacks

Brute force attacks involve hacker programs applying trial and error to correctly identify passwords and user names and to find hidden web pages.[67] The techniques for brute force attacks are largely unsophisticated and easy to notice, which results in the vast majority being negated.[68] However, the simplicity of such methods means they are easily deployed and are increasingly popular (an estimated 80 per cent of global data breaches related to hacking in 2020 were the result of brute force attacks or the use of stolen credentials).[69]

Government or state-sponsored entities

It is now widely accepted that governments engage in hostile cyber activities to undermine the information and network security of other countries.[70] The most notorious example is the 2020 SolarWinds hack, in which a major United States information technology firm was subject to a cyberattack that was spread to its many clients and not detected for months.[71] High-profile cases such as the SolarWinds hack and allegations of increases in cyber incidents involving European infrastructure have significantly raised public awareness of government-targeted hacking.[72] The unique structure of the European Union and the United Kingdom creates additional challenges, which are being seen in the increasing number of attacks aimed at their IT systems. For example, in 2022, ENISA reported that public administration and government is the most targeted sector for cyberattacks.[73]

Criminal attackers

It is estimated that the cost of cybercrime will reach US$10.5 trillion by 2025 (up from US$3 trillion in 2015).[74] By some estimates, cybercrime is currently the world’s third-largest economy.[75] The financial rewards, coupled with low risks and low conviction rates, mean that cybercrime is an increasingly attractive prospect. Revenues are generated through online illegal markets, where criminals can buy and sell stolen information, from companies’ intellectual property to personal information. Criminals also make money through extortion, whereby attackers corrupt computer files with ransomware and then exchange the remedy for money.[76] The ill-gotten gains can then be laundered through legitimate online technologies, such as payment systems and cryptocurrencies such as bitcoin.[77] A criminal hacker group (LockBit) claimed responsibility for the Royal Mail ransomware attack in January 2023, after stealing and encrypting the organisation’s data and causing significant disruption.[78]

AI-assisted hacking

Artificial intelligence (AI), such as machine learning, has the potential to create computer programs that can evade even the most sophisticated cyber defence systems. Traditionally, it was assumed that only state-sponsored entities had the resources to hack using AI.[79] However, these assumptions were challenged in 2018 when the American company IBM showcased a hacking program developed with AI at a security conference.[80] As a result, security experts in the European Union and the United Kingdom are increasingly concerned about AI and its potential for use in hacking and cybercrime.[81] In May 2022, the United Kingdom and the United States released a joint statement[82] recognising the importance of a globally unified understanding of AI concepts and regulatory frameworks, and noting the formation of an AI sub-group to develop a joint plan to enhance privacy and to develop trustworthy AI and risk management.

Nuances in investigative practices and regulatory enforcement

Regulatory enforcement

Enforcement of cybersecurity laws in the European Union and the United Kingdom has been growing of late, with the aggregate value of GDPR fines rising 50 per cent in the past year.[83] Whereas past enforcement of security failings produced marginal consequences, more recent GDPR enforcement actions have resulted in significantly higher monetary penalties for businesses.

One of the largest fines under the GDPR (€35 million) was issued in October 2020 by the Hamburg DPA against H&M after the company was found to be keeping ‘excessive’ records regarding employees’ families, religions, illnesses and details of their vacation activities.[84] In February 2020, another large fine (€27.8 million) was issued by the Italian DPA against Telecom Italia for several instances of ‘unlawful processing for marketing purposes’.[85] The largest security-related fine issued to date was from the Irish Data Protection Commission against Meta for €256 million. Regulatory enforcement action has continued to increase; for example, fines issued by the ICO tripled in 2022 compared to the previous year.[86] The ICO now publishes all reprimands on its website, retroactively from January 2022, demonstrating a new approach by the regulator to incentivise businesses to improve compliance to avoid negative publicity.[87]

If there was ever any doubt in the years leading up to the GDPR’s rollout, and shortly thereafter, that the legislation was capable of empowering regulators with significant enforcement abilities, those notions have clearly been dispelled. Indeed, the heightened regulatory focus on data security and breach notification, coupled with the substantial monetary penalties that can be issued under the GDPR and NIS2, indicates that eight- and nine-figure fines for cybersecurity failures will continue to become more commonplace.

Guidance

Along with the growing number of reported decisions in this area, practitioners have a growing body of guidance from which to draw when advising clients on how regulators are likely to view the requirements, and potential violations, of cybersecurity laws in the European Union and the United Kingdom. At the national level, numerous DPAs have been updating their security guidance to reflect the changes introduced by the GDPR, particularly around breach notification.[88] At the supranational level, in January 2021, the EDPB issued additional draft guidance on the types of personal data breaches that require notification under the GDPR. Organisations such as ENISA (in relation to the NISD as well as the wider cybersecurity context) and sector-specific regulators will also have an important role in helping organisations to equip themselves for the challenges they face in becoming, and staying, compliant with applicable cyber laws.

EU and UK litigation considerations

Cybersecurity litigation in the European Union and the United Kingdom remains small relative to longer-established areas of regulation. This is to be expected, given that its two main omnibus laws have been in force for less than five years. Nevertheless, practitioners should prepare for a continuing increase in contentious activity in the coming years and beyond, particularly relating to the fallout from personal data breaches and other high-profile security incidents. In addition to the type of follow-on claims that are common in the antitrust sphere, disputes brought directly by data subjects or their representatives are likely to reshape the European Union’s and the United Kingdom’s cybersecurity landscapes in a way that was not contemplated (or, in some cases, possible) under the DPD. The extent to which individuals are now aware of their rights under data privacy and security laws, and the relative ease with which they can be enforced, make it likely that some of the defining aspects of US litigation – large settlement awards and group actions, among others – may become an increasingly common feature of cyber disputes in the European Union and the United Kingdom.

General Data Protection Regulation

The GDPR provides for two forms of private action. Article 79(1) entitles individuals to an effective judicial remedy when their rights are infringed by the processing of personal data by a data controller or processor in violation of the GDPR. Article 79(1) has a wider application than the DPD regime in two important respects.

First, it does not limit liability for compensation to controllers, the result being that if controllers and processors are involved in data processing that infringes the GDPR, each shall be held liable to the data subject for the entire damage.[89] Second, Article 82(1) makes it clear that both material and non-material damage is actionable under the GDPR (i.e., compensation is not limited to when an individual suffers financial harm). Practitioners may be familiar with the decision in Vidal-Hall, in which the Court of Appeal of England and Wales in 2015 interpreted England’s pre-GDPR regime as permitting compensation for non-pecuniary losses.[90] Indeed, the scope for emotional damage caused as a result of cybersecurity incidents (e.g., the distress associated with the theft of personal information) means compensation claims for non-pecuniary losses are likely to be a defining feature of the litigation landscape in the European Union and the United Kingdom in the coming years.

Article 80 of the GDPR entitles not-for-profit bodies and other public interest organisations to seek an effective judicial remedy on behalf of individuals. The ability to bring group proceedings in respect of cyber incidents is a significant development for the European Union and the United Kingdom, and may come to represent a key tool by which controllers and processors are held to account. However, the extent to which this prospect will be realised depends in part on the Member States, which have discretion as to whether, and if so how, the GDPR’s collective redress provisions are implemented in each territory.[91] Indeed, in early 2021, the UK government announced that it would not allow consumer groups and other not-for-profit bodies to bring actions on individuals’ behalf on an opt-out basis. At the time of writing, these provisions are not being applied evenly across the European Union and the United Kingdom, with early indications suggesting that a number of Member States are unwilling to grant not-for-profit bodies the ability to bring actions without a mandate from the data subjects concerned (i.e., in a manner similar to the opt-out class actions with which US practitioners will be familiar). The economics of group litigation are also unfavourable in England and Wales: in 2021, the High Court ruled that a law firm’s costs of building a group action by soliciting potential claimants (e.g., marketing and other advertising costs) were not recoverable, which is likely to affect the viability of organisations seeking to bring these kinds of actions.[92]

Differences between EU laws and national laws

A key driver behind the introduction of the GDPR was the lack of harmonisation that had developed as a result of the diverging approaches Member States had taken in implementing the DPD.[93] This fragmentation also exists in Member States’ approaches to collective redress and, following Brexit, the United Kingdom is likely to diverge further. This is particularly important in the context of cybersecurity, given that (as noted above) some national legislatures may be unwilling to implement the provision in Article 80(2) of the GDPR that permits representative bodies to act without a mandate from data subjects (a form of opt-out class action). A study commissioned by the European Parliament and published in October 2018 revealed the extent to which the landscape remains uneven.[94] Among other things, the Member States surveyed differed, often significantly, in the forms and scope of redress available, the standing to bring actions, and the fees and funding models. The position continues to shift: contrary to their previously restrictive approach, German courts are increasingly granting significant damages in mass data litigation. To address these considerations, on 25 November 2020 the European Union adopted a new directive on representative actions that will allow qualified entities to bring collective actions on behalf of consumers throughout the European Union.[95] The directive was due to be transposed into domestic law by 25 December 2022; the 24 Member States that had not done so by then were issued with formal notices by the European Commission, and the transposed measures must apply from 25 June 2023.

In addition to these developments, the wider emphasis on consumer protection by governing bodies in the European Union and the United Kingdom makes it probable that in the near future individuals will have a range of tools, beyond the GDPR’s provisions on collective actions, with which to bring mass claims in relation to cybersecurity and related incidents. On 24 February 2023, the European Commission published a call for feedback on a proposed new regulation to streamline cooperation between national DPAs when enforcing the GDPR in cross-border cases;[96] at the time of writing, the Commission’s legislative proposal was expected to follow in the second quarter of 2023.

The UK government released its draft reform of the UK GDPR,[97] the Data Protection and Digital Information (No. 2) Bill, on 8 March 2023. One relevant development under the proposed bill is that ensuring the security of network and information systems is listed as an example of a legitimate interest for processing personal data. Recital 49 of the GDPR already expresses this position, but placing it on the face of the legislation offers businesses in the United Kingdom greater certainty when relying on legitimate interests for security activities such as monitoring and incident response. The implementation of this and other legislation will probably result in increasing divergence between the United Kingdom and the rest of Europe in the coming years.


Footnotes

[1] Rohan Massey is a partner, Kevin Angle is a counsel and Edward Machin is an associate at Ropes & Gray LLP. The authors would like to recognise the work of Rosemarie Paul, who was a key contributor to previous editions of this chapter.

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC – the General Data Protection Regulation (GDPR). With respect to the United Kingdom, ‘UK GDPR’ refers to the definition in the Data Protection Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. For ease of reading, the GDPR and the UK GDPR are referred to in this chapter as the ‘GDPR’.

[3] The GDPR significantly extends the scope of the previous regime – Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data – which applied only to controllers and processors with an EU presence.

[4] ‘DLA Piper GDPR fines and data breach survey: January 2023’ (DLA Piper, ‘GDPR data breach’) (https://inform.dlapiper.com/9/7964/uploads/dla-piper-gdpr-fines-and-data-breach-survey-2023.pdf?intIaContactId=feDT4snWz%2feDQm%2b4kN3BTA%3d%3d&intExternalSystemId=1 (last accessed 11 April 2023)).

[5] Department for Digital, Culture, Media & Sport, ‘Cyber Security Breaches Survey 2018’ (https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/702074/Cyber_Security_Breaches_Survey_2018_-_Main_Report.pdf (last accessed 3 April 2023)).

[6] GDPR, Article 32(1).

[7] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Article 17(1).

[8] For example, Resolución De Procedimiento Sancionador, Air Europa Lineas Aereas, SA, PS/00179/2020 (15 March 2021) (Spain); Penalty Notice, Marriott International Inc, Case ref: COM0804337 (30 October 2020) (United Kingdom) (https://ico.org.uk/media/action-weve-taken/mpns/2618524/marriott-international-inc-mpn-20201030.pdf (last accessed 3 April 2023)).

[9] GDPR, Article 83(1).

[10] ibid., Article 83(1).

[11] This approach has been recognised by data protection authorities in France and the United Kingdom, among others. See, e.g., Commission Nationale de l’Informatique et des Libertés, ‘Security of Personal Data’ (The CNIL’s Guides, 2018 Edition) (https://www.cnil.fr/sites/default/files/atoms/files/guide_security-personal-data_en.pdf (last accessed 21 May 2023)).

[12] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (the ePrivacy Directive), at Article 4(1), similarly requires that providers of publicly available electronic communications services ‘must take appropriate technical and organisational measures’ to safeguard the security of their services, having regard to ‘the state of the art and the cost of implementation’.

[13] In addition, Article 4(2) of the ePrivacy Directive requires providers of publicly available electronic communication services, where there is a risk of a breach to the security of the network, to inform the subscribers of such a risk.

[14] GDPR, Article 33(1).

[15] ibid., Article 83(4).

[16] ibid., Article 33(1).

[17] ibid., Article 34(1): ‘When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without delay.’

[18] Information Commissioner’s Office (ICO), ‘Information Commissioner’s Annual Report and Financial Statements 2021–22’ (July 2022) (information covers the period from 1 April 2021 to 31 March 2022) (https://ico.org.uk/media/about-the-ico/documents/4021039/ico-annual-report-2021-22.pdf (last accessed 11 May 2023)).

[19] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NISD).

[20] NISD, Articles 14(1) and 16(1).

[21] ibid., Articles 14(3) and 16(3).

[22] GDPR, Article 32(1); NISD, Articles 14(1) and 16(1).

[23] GDPR, Article 33(1); NISD, Articles 14(3) and 16(3).

[24] ICO, ‘The Guide to NIS: NIS and the UK GDPR’ (https://ico.org.uk/for-organisations/the-guide-to-nis/gdpr-and-nis/ (last accessed 10 May 2023)).

[25] The NISD, at Article 8(6), states that competent authorities must ‘consult and co-operate . . . with national data protection authorities’.

[26] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2 Directive) (https://digital-strategy.ec.europa.eu/en/policies/nis2-directive (last accessed 11 May 2023)).

[27] NIS2 Directive, Article 3.

[28] ibid., Article 23.

[29] ibid., Article 16.

[31] ‘Government response to the call for views on proposals to improve the UK’s cyber resilience’ (30 November 2022) (https://www.gov.uk/government/consultations/proposal-for-legislation-to-improve-the-uks-cyber-resilience/outcome/government-response-to-the-call-for-views-on-proposals-to-improve-the-uks-cyber-resilience (last accessed 11 May 2023)).

[32] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No. 526/2013 (Cybersecurity Act).

[33] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014, (EU) No. 909/2014 and (EU) 2016/1011 (DORA).

[34] DORA, Article 31(12).

[35] ibid., Article 24.

[36] In the banking sector, 42 per cent of respondents to a 2017 European Banking Authority risk assessment questionnaire reported that these were the main drivers for increasing operational risk: European Banking Authority, ‘Risk Assessment Questionnaire – Summary of Results, December 2017’ (https://eba.europa.eu/documents/10180/2085616/Risk+Assessment+Questionnaire+-+December+2017 (last accessed 3 April 2023)).

[37] Joint Committee of the European Supervisory Authorities, ‘Joint Committee Report on risks and vulnerabilities in the EU financial system – Autumn 2022’ (12 September 2022) (https://www.eiopa.europa.eu/document-library/report/joint-committee-report-risks-and-vulnerabilities-eu-financial-system-1_en (last accessed 11 May 2023)).

[38] S Bacher, ‘What’s The Future Of Remote Work In 2023?’, Forbes (10 January 2023) (https://www.forbes.com/sites/theyec/2023/01/10/whats-the-future-of-remote-work-in-2023/?sh=1c514e5b5864 (last accessed 11 May 2023)).

[39] Joint Committee of the European Supervisory Authorities, ‘Joint Committee Report on Risks and Vulnerabilities in the EU Financial System’ (4 September 2020) (https://www.eiopa.europa.eu/system/files/2020-09/2020-67-report-on-risks-and-vulnerabilities.pdf (last accessed 21 May 2023)).

[40] IBM Security, ‘Cost of a Data Breach Report 2022’ (July 2022) (https://www.ibm.com/downloads/cas/3R8N1DZJ (last accessed 11 May 2023)).

[41] ‘T-Mobile data breach exposes about 37 mln accounts’, Reuters (20 January 2023) (https://www.reuters.com/technology/t-mobile-says-investigating-data-breach-affecting-37-mln-accounts-2023-01-19/ (last accessed 11 May 2023)).

[42] ‘Virgin Media data breach affects 900,000 people’, BBC (5 March 2020) (www.bbc.com/news/business-51760510 (last accessed 3 April 2023)).

[43] J Spero, ‘British Airways says customer hack much bigger than it thought’, Financial Times (25 October 2018) (Spero, Financial Times) (www.ft.com/content/f8505c34-d863-11e8-ab8e-6be0dcf18713 (last accessed 3 April 2023)).

[44] Rupert Jones and Patrick Collinson, ‘Identity theft warning after major data breach at Ticketmaster’, The Guardian (27 June 2018) (www.theguardian.com/money/2018/jun/27/identity-theft-warning-after-major-data-breach-at-ticketmaster (last accessed 3 April 2023)).

[45] James Cook, ‘Private data of 500 million Marriott guests exposed in massive breach’, The Telegraph (30 November 2018) (www.telegraph.co.uk/technology/2018/11/30/private-data-500-million-marriott-guests-exposed-massive-breach/ (last accessed 3 April 2023)).

[46] In November 2020, the European Union Agency for Cybersecurity (ENISA) released a report entitled ‘Guidelines for Securing the Internet of Things’ outlining threats to internet of things supply chains and best practices for ensuring their security. ENISA, ‘Guidelines for Securing the Internet of Things’ (9 November 2020) (www.enisa.europa.eu/publications/guidelines-for-securing-the-internet-of-things). In a December 2018 speech, the executive director of ENISA stated that there would be an estimated 20 billion operational devices by 2020. Professor Dr Udo Helmbrecht, ‘Cybersecurity best practices’ (12 December 2018) (www.enisa.europa.eu/publications/ed-speeches/cybersecurity-best-practices). That forecast proved optimistic in its timing, but the growth is nonetheless substantial: Statista estimates 7.7 billion internet of things connected devices in use worldwide in 2019, and forecasts 29.4 billion by 2030. Statista, ‘Number of Internet of Things (IoT) connected devices worldwide from 2019 to 2030, by vertical’ (https://www.statista.com/statistics/1194682/iot-connected-devices-vertically/ (web pages last accessed 21 May 2023)).

[47] Statista, ‘Number of Internet of Things (IoT) units in the electronics industry in the European Union (EU) in 2017, 2020 and 2025’ (www.statista.com/statistics/691885/iot-electronics-in-the-eu/ (last accessed 3 April 2023)).

[48] The economic effects of this type of cybercrime in certain Member States, e.g., Germany and the Netherlands, can be as much as 1.5 per cent of gross domestic product. ENISA, ‘The cost of incidents affecting CIIs’ (5 August 2016) (https://www.enisa.europa.eu/publications/the-cost-of-incidents-affecting-ciis (last accessed 3 April 2023)).

[49] ENISA, ‘The cost of incidents affecting CIIs’ (op. cit. note 48).

[50] ‘NHS cyber attack hits patient care with records left in “chaos” three months on’, iNews (4 November 2022) (https://inews.co.uk/news/nhs-cyber-attack-lives-risk-mental-health-care-systems-chaos-three-months-1947561 (last accessed 11 May 2023)).

[51] ‘Royal Mail hit by Russia-linked ransomware attack’, BBC News (12 January 2023) (https://www.bbc.co.uk/news/business-64244121 (last accessed 11 May 2023)).

[52] See, e.g., the 2018 British Airways hack – Spero, Financial Times (op. cit. note 43).

[53] Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No. 1093/2010, and repealing Directive 2007/64/EC.

[54] See European Central Bank (ECB), ‘Sixth report on card fraud: Executive summary’ (13 August 2020) (ECB: ‘Sixth report on card fraud: Executive summary’) (https://www.ecb.europa.eu/pub/cardfraud/html/ecb.cardfraudreport202008~521edb602b.en.html (last accessed 3 April 2023)).

[55] Dr Michael McGuire, ‘Into the Web of Profit: Understanding the Growth of the Cybercrime Economy’ (April 2018) (McGuire, ‘Into the Web of Profit’) (https://www.bromium.com/wp-content/uploads/2018/05/Into-the-Web-of-Profit_Bromium.pdf (last accessed 3 April 2023)).

[56] See ECB: ‘Sixth report on card fraud: Executive summary’, op. cit. note 54.

[57] Office for National Statistics, ‘Crime in England and Wales: year ending June 2022’ (October 2022) (https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/bulletins/crimeinenglandandwales/yearendingjune2022#fraud (last accessed 11 May 2023)).

[58] GDPR, Article 4(1).

[59] Europol, ‘Internet Organised Crime Threat Assessment (IOCTA) 2020’ (updated December 2021) (www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-assessment-iocta-2020 (last accessed 10 April 2023)).

[60] Verizon, ‘Data Breach Investigations Report’, 2020 (Verizon Data Breach Investigations Report) (https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf (last accessed 3 April 2023)).

[61] European Commission, ‘Industrial applications of artificial intelligence and big data’ (https://ec.europa.eu/growth/industry/policy/advanced-technologies/industrial-applications-artificial-intelligence-and-big-data_en (last accessed 3 April 2023)).

[62] ENISA, ‘The Value of Personal Online Data’, 2018 (https://www.enisa.europa.eu/publications/info-notes/the-value-of-personal-online-data (last accessed 3 April 2023)).

[63] M O’Brien and F Bajak, ‘Security camera hack exposes hospitals, workplaces, schools’, Associated Press (11 March 2021) (https://apnews.com/article/hacking-california-e7b942f436f11b9feb7dc704d4eb3a6b (last accessed 3 April 2023)).

[64] A Hern and S Gibbs, ‘Ashley Madison hackers release vast database of 33m accounts’, The Guardian (19 August 2015) (www.theguardian.com/technology/2015/aug/19/ashley-madison-hackers-release-10gb-database-of-33m-infidelity-site-accounts (last accessed 3 April 2023)).

[65] International Consortium of Investigative Journalists, ‘Giant Leak of Offshore Financial Records Exposes Global Array of Crime and Corruption’ (3 April 2016) (www.icij.org/investigations/panama-papers/20160403-panama-papers-global-overview/ (last accessed 3 April 2023)).

[66] ‘Edward Snowden: Leak that exposed US spy programme’, BBC (17 January 2014) (www.bbc.co.uk/news/world-us-canada-23123964 (last accessed 3 April 2023)).

[67] Kaspersky Lab, ‘Brute Force Attack: Definition and Examples – What’s a Brute Force Attack?’ (www.kaspersky.com/resource-center/definitions/brute-force-attack (last accessed 3 April 2023)).

[68] See eSentire, ‘Annual Threat Intelligence Report: 2019 Perspectives and 2020 Predictions’ (2019) (https://esentire-dot-com-assets.s3.ca-central-1.amazonaws.com/assets/resourcefiles/eSentire_Annual-Threat-Intelligence-Report_2019.pdf (last accessed 21 May 2023)).

[69] Verizon Data Breach Investigations Report, op. cit. note 60.

[70] ENISA, ‘Securing the Cyber Space in the Light of State Sponsored Activities’ (May 2017) (www.enisa.europa.eu/publications/enisa-position-papers-and-opinions/securing-the-cyber-space-in-the-light-of-state-sponsored-activities (last accessed 3 April 2023)).

[71] I Jibilian and K Canales, ‘The US is readying sanctions against Russia over the SolarWinds cyber attack. Here’s a simple explanation of how the massive hack happened and why it’s such a big deal’, Business Insider (25 February 2021) (www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12 (last accessed 3 April 2023)).

[72] Associated Press, ‘EU unveils revamp of cybersecurity rules days after hack’, ABC News (16 December 2020) (https://abcnews4.com/news/nation-world/eu-unveils-revamp-of-cybersecurity-rules-days-after-hack (last accessed 3 April 2023)).

[73] ‘ENISA Threat Landscape 2022’ (covering July 2021 to July 2022) (3 November 2022) (https://www.enisa.europa.eu/publications/enisa-threat-landscape-2022 (last accessed 11 May 2023)).

[74] See Cybersecurity Ventures, sponsored by eSentire, ‘2022 Official Cybercrime Report’ (https://s3.ca-central-1.amazonaws.com/esentire-dot-com-assets/assets/resourcefiles/2022-Official-Cybercrime-Report.pdf (last accessed 22 May 2023)).

[75] Edi Rama, Prime Minister of Albania, quoted in ‘Cybersecurity in this era of polycrisis’, The World Economic Forum (24 February 2023) (https://www.weforum.org/agenda/2023/02/cybersecurity-in-an-era-of-polycrisis/ (last accessed 11 May 2023)).

[76] Check Point and Europol, ‘Ransomware: What you need to know’ (updated December 2021) (www.europol.europa.eu/publications-documents/ransomware-what-you-need-to-know (last accessed 3 April 2023)).

[77] McGuire, ‘Into the Web of Profit’ (op. cit. note 55).

[78] ‘Royal Mail hit by ransomware attack by prolific hacker gang’, Financial Times (23 January 2023) (https://www.ft.com/content/2ab26050-6b17-4b10-96d1-faeb664f4501 (last accessed 11 May 2023)).

[79] See, e.g., Stuxnet, the malware widely attributed to the United States and Israel that sabotaged centrifuges at Iran’s Natanz uranium enrichment facility. It was discovered in 2010; subsequent analysis traced early versions of the code to as far back as 2005.

[80] J Menn, ‘New genre of artificial intelligence programs take computer hacking to another level’, Reuters (8 August 2018) (www.reuters.com/article/us-cyber-conference-ai/new-genre-of-artificial-intelligence-programs-take-computer-hacking-to-another-level-idUSKBN1KT120 (last accessed 3 April 2023)).

[81] See, e.g., ‘ENISA Threat Landscape 2022’ (op. cit. note 73).

[82] EU-U.S. Joint Statement of the Trade and Technology Council (16 May 2022) (https://www.consilium.europa.eu/media/56726/eu-u-s-joint-statement-of-the-trade-and-technology-council.pdf (last accessed 11 May 2023)).

[83] DLA Piper, ‘GDPR data breach’, op. cit. note 4.

[84] European Data Protection Board (EDPB), ‘Hamburg Commissioner Fines H&M 35.3 Million Euro for Data Protection Violations in Service Centre’ (2 October 2020) (https://edpb.europa.eu/news/national-news/2020/hamburg-commissioner-fines-hm-353-million-euro-data-protection-violations_en (last accessed 3 April 2023)). See also ‘H&M fined for breaking GDPR over employee surveillance’, BBC (5 October 2020) (www.bbc.com/news/technology-54418936 (last accessed 3 April 2023)).

[85] EDPB, ‘Marketing: The Italian SA Fines TIM EUR 27.8 Million’ (1 February 2020) (https://edpb.europa.eu/news/national-news/2020/marketing-italian-sa-fines-tim-eur-278-million_en (last accessed 3 April 2023)). See, also, ‘Italian DPA issues 27.8M euros for GDPR violation’, IAPP (3 February 2020) (https://iapp.org/news/a/italian-dpa-fines-spa-27-8m-euros-for-gdpr-violations/#:~:text=The%20Italian%20data%20protection%20authority,promotional%20phone%20calls%20without%20consent (last accessed 3 April 2023)).

[86] ‘UK Privacy Regulator Names and Shames Breached Firms’, infosecurity magazine (20 December 2022) (https://www.infosecurity-magazine.com/news/uk-privacy-regulator-names-and/ (last accessed 11 May 2023)).

[87] ICO, ‘Providing certainty on how we enforce the laws we regulate’ (6 December 2022) (https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/12/blog-providing-certainty-on-how-we-enforce-the-laws-we-regulate/ (last accessed 11 May 2023)).

[88] See, in particular, detailed guidance issued by data protection authorities in Ireland and Spain.

[89] GDPR, Article 82(4) provides that where more than one controller or processor is involved in the same processing and responsible for the damage, ‘each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject’. Article 82(5) then provides that a controller or processor that has ‘paid full compensation for the damage suffered . . . shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage’.

[90] Google Inc v. Vidal-Hall & Ors [2015] EWCA Civ 311.

[91] GDPR, Article 80(1) provides that a data subject has the right to mandate a not-for-profit body, organisation or association to lodge a complaint with a supervisory authority on his or her behalf and to exercise the rights to a judicial remedy against a supervisory authority (Article 78) or against a controller or processor (Article 79); Member States have discretion as to whether such a body may also exercise the right to compensation under Article 82 on the data subject’s behalf. GDPR, Article 80(2) provides that Member States have discretion as to whether such a body can, independently of a data subject’s mandate, lodge a complaint with a supervisory authority or exercise the rights under Articles 78 and 79 where it considers that a data subject’s rights have been infringed.

[92] Weaver & Ors v. British Airways Plc [2021] EWHC 217 (QB). See also Case C-319/20 Meta Platforms Ireland v. Bundesverband der Verbraucherzentralen und Verbraucherverbände (judgment of the Court of Justice of the European Union (Third Chamber) of 28 April 2022), in which it was held that Article 80(2) of the GDPR does not preclude national legislation that allows a consumer protection association to bring representative proceedings against the alleged infringer of data protection rules without a mandate from a data subject and independently of the infringement of specific rights of identified data subjects.

[93] Whereas Member States have a significant degree of discretion in transposing the requirements of an EU Directive into national law, an EU Regulation has general application and is directly applicable and binding in its entirety.

[94] Policy Department for Citizens’ Rights and Constitutional Affairs, Study, ‘Collective redress in the Member States of the European Union’ (October 2018) (www.europarl.europa.eu/RegData/etudes/STUD/2018/608829/IPOL_STU(2018)608829_EN.pdf (last accessed 3 April 2023)).

[95] Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC.

[96] European Commission, ‘Further specifying procedural rules relating to the enforcement of the General Data Protection Regulation’ (feedback period: 24 February 2023 to 24 March 2023) (https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13745-Further-specifying-procedural-rules-relating-to-the-enforcement-of-the-General-Data-Protection-Regulation_en (last accessed 11 May 2023)).

[97] Data Protection and Digital Information (No. 2) Bill (https://bills.parliament.uk/bills/3430 (last accessed 11 May 2023)).
