EU-wide cybersecurity requirements to protect privacy and personal data
The EDPS published this week its Opinion on a proposed Regulation laying down cybersecurity requirements for products with digital elements. Concretely, the proposed Regulation aims to set out EU-wide cybersecurity requirements for a broad range of hardware and software products and their remote data processing solutions. These include, for example, browsers, operating systems, firewalls, network management systems, smart meters and routers.
Wojciech Wiewiórowski, EDPS, said: “The cybersecurity of products with digital elements is of utmost importance to protect effectively individuals’ fundamental rights in the digital age, including their rights to privacy and data protection. Harmonised cybersecurity requirements across the EU should reduce the risks for Europeans of being victims of cyber-attacks and of the vast consequences that these may entail, such as the theft and misuse of their personal data.”
In its Opinion, the EDPS reiterates that under the General Data Protection Regulation (GDPR), controllers and processors must ensure an appropriate level of security of the processing of personal data. In addition, data protection principles must be embedded throughout the development of technologies that process personal data, including many products with digital elements. As such, the EDPS welcomes the proposed Regulation's measures that would make security and data minimisation principles an essential part of the EU-wide cybersecurity requirements. Nevertheless, the EDPS strongly recommends also including the data protection by design and by default principles as an essential part of these requirements.
Concerning the cybersecurity standardisation and certification mentioned in the proposed Regulation, the EDPS suggests clarifying the type of synergies envisaged between the relevant bodies and organisations. These include the European Data Protection Board, which brings together the national data protection authorities of the EU and the EDPS.
The EDPS highlights that the European cybersecurity certificate proposed for certain products with digital elements, under the cybersecurity standardisation and certification framework, should not serve as a replacement for GDPR certification, which attests to compliance with the GDPR. The proposed Regulation should make clear that holding a cybersecurity certificate does not mean that a particular product with digital elements is compliant with the GDPR.
The EDPS suggests clarifying the relationship between the proposed Regulation and EU data protection laws, specifically how these will interact in the area of market surveillance and enforcement. To this end, it is the EDPS' opinion that the proposed Regulation should not affect, or seek to affect, existing EU laws that already govern the processing of individuals' personal data and the tasks and powers of independent data protection authorities.