Novel EU Legal Requirements in Big Data Security
Big Data – Big Security Headaches?
by Jasmien César and Julien Debussche. The authors are associates at the law firm Bird & Bird LLP, Brussels.
© 2017 Jasmien César and Julien Debussche
Everybody may disseminate this article by electronic means and make it available for download under the terms and
conditions of the Digital Peer Publishing Licence (DPPL). A copy of the license text may be obtained at http://nbn-resolving.
Recommended citation: Jasmien César and Julien Debussche, Novel EU Legal Requirements in Big Data Security: Big Data –
Big Security Headaches?, 8 (2017) JIPITEC 79 para 1.
Abstract: This paper aims to provide an overview of the new legal requirements related to security and breach notification imposed on businesses in the European Union and to demonstrate their pertinence for big data service providers. In addition, it lays down practical recommendations for the implementation of those requirements into the internal security strategies of big data service providers.
As highlighted by the European Commission in its
Communication “Towards a thriving data-driven
economy”, we currently observe a new industrial
revolution driven by digital data, computation and
Human activities, industrial processes,
and research all engender the collection and
processing of data in unprecedented proportions,
triggering new products and services as well as new
business processes and scientific methodologies.2
The resulting datasets, or “big data”, are prone
to security risks and incidents. In recent times,
instruments have emerged to prevent or adequately
respond to such risks, thereby imposing obligations
on different actors in the data value cycle.
1 Communication from the Commission to the European
Parliament, the Council, the European Economic and Social
Committee and the Committee of the Regions, “Towards a
thriving data-driven economy”, 2 July 2014, COM(2014) 442
3 Such obligations not only derive from the General
Data Protection Regulation (the GDPR), but also from
other legislative instruments at both the European
Union (EU) and national level. The advent of the
(minimal harmonisation) Network Information
Security Directive (the NIS Directive, also known
as the Cyber-security Directive) has multiplied the
requirements relating to security and cyber-security.
I. Requirements under the General Data Protection Regulation
For most big data analytics, it cannot be excluded
that personal data will be processed.
In such a case, the requirements relating to security
under the GDPR will apply.
The obligations under the GDPR in relation to
security are closely linked to those under the NIS
Directive examined below, and are in line with best
practices applicable to information society systems
that require adequate protection of assets.
Keywords: Big data; security; breach notification; legal obligations