EU Cybersecurity Act and Japan Adequacy decision

LawBytes #36 deals this week with the new Cybersecurity Act adopted by the EU Parliament and the Japan Adequacy decision

Cybersecurity Act – EU Parliament adopts the final text

As recently posted on the official EU website, on Tuesday 12/03/2019, the EU Parliament adopted the EU Cybersecurity Act with 586 votes to 44 and 36 abstentions. This establishes the first EU wide cybersecurity certification scheme to ensure that certified products, processes and services sold in EU countries meet cybersecurity standards.

Indeed, the EU Cybersecurity Act underlines the importance of certifying critical infrastructure, including energy grids, water, energy supplies and banking systems in addition to products, processes and services. By 2023, the EU Commission shall assess whether any of the new voluntary schemes should be made mandatory.

The EU Council now has to formally approve the Cybersecurity Act. The regulation will enter into force 20 days after it is published.

From the Member States’ perspective, the current objective would result in identifying their national supervisory authorities and appointing the conformity assessment bodies that will be entrusted to issue the certificates. ENISA’s next focus is expected to be the recruitment of relevant staff and the roll-out of the working methodology.

If you are interested in this topic don’t miss our previous posts: “ENISA IoT security guidelines” and “NIS Directive applicable, is your cybersecurity plan compliant?“.

Privacy – Japan adequacy decision adopted by the EU Commission  

On 19 March 2019, the long awaited Japan Adequacy decision with European privacy law standard under article 45 of the GDPR has been published in the Official Journal of the EU.

The decision was adopted last January by the EU Commission after the efforts made together with the Japanese authorities to ensure that Japan provides an adequate level of protection by filling the gaps – identified by the European Data Protection Board – between the GDPR and the Japanese Data Protection framework through the adoption of the Supplementary Rules: additional rules applicable only to personal data transferred from the EU to Japan.

This deal makes the transmission of personal data between the EU and Japan much easier. It will apply to law enforcement data, but most importantly to commercial data flows, empowering the Big Data industry to benefit from uninhibited flow of data with this key commercial partner, as well as from privileged access to the 127 million Japanese consumers.

This will create the world’s largest area of safe and free data transfer based on a high level of protection.

Even though the EU already has unilateral adequacy decisions with several other countries, this is the first time the EU and a third country agreed on a mutual recognition of the adequate level of data protection.

If you are interested in this topic don’t miss our previous posts: “Japan Blockchain voting system” and “EU-Japan data deal, prize promotions FAQs and YouTube copyright Match tool“.