The development of a CIS will be subject to several cross-cutting legal instruments that regulate different liability aspects. The first corpus of rules that should be taken into account concerns the European Product Liability Directive since the software and hardware being created in the context of a CIS are considered to be products that fall within its scope. This directive, that has been transposed into national laws, imposes a strict liability regime on producers. They will be held liable for damage caused by the malfunctioning of the product without the proof of a fault. Secondly, the Electronic Commerce Directive might be of relevance when assessing the liability of the central actor who would be providing the CIS-architecture to interested first responder agencies who would like to interconnect. If some kind of illegal content would be communicated between the different parties, the host of the general CIS-infrastructure could benefit from certain liability exemptions laid down in this instrument. Thirdly, data protection legislation and failure to comply with the security requirements General Data Protection Regulation (GDPR), could also trigger liability. The interaction of these three distinctive sets of rules is a complex exercise. In this respect, it is recommended to distinguish between potential liability of connected entities (first responder agencies using the CIS, the entity providing and hosting the CIS-infrastructure (CIS-host) and the entity that developed the CIS software and/or hardware). The ways to address these issues will very much depend on the chosen exploitation model of the CIS.
Who develops and who hosts the CIS?
Are there Memoranda of Understanding?
Is there a central entity provisioning the CIS-infrastructure and could it benefit from certain liability exemptions?
Have you identified which actors should comply with the security requirements laid down in the GDPR?
In the context of data protection compliance all of the participants should ensure the secure processing of personal information at every single stage of the processing chain. First of all, this implies that the servers on which each single national agency (the connected entity) stores this information for their own purposes are safe. Secondly, this requires that the transmission via the CIS takes place in a secure way. This can be either a shared responsibility or a responsibility born by a single organisation that hosts the CIS-infrastructure (CIS host). Therefore, the CIS itself should be designed to accommodate different kinds of security policies and allow for the implementation of a number of precautionary measures, such as the encryption of the information during the communication process.
This table provides an overview of the security requirements (art. 32 GDPR) in order to comply with the GDPR. It also identifies which actor is responsible for the implementation of each requirement. Each actor can be held liable in case of non-compliance with that specific requirement:
|Requirement Description||Implementation Example||Responsible Actor|
|Encryption of personal data||Data sent to the CIS should be encrypted in order to secure the transmission of personal data.||Shared responsibility|
|Measures for pseudonymisation of personal data||Replace direct identifiers by a proxy.||Connected entity|
|Confidentiality||Confidentiality can be guaranteed by introducing virtual communication groups in which only certified trusted parties can participate.||
Integrity, availability and resilience of processing systems and service
|Distributed CIS structure, hosted at the participants’ servers, and peer-to-peer message distribution with a synchronisation design. This architecture allows the CIS to continue working even if the connectivity is partly down, and to resume the full information after re-connection.||Shared responsibility|
|Testing of technical and organisational measures for ensuring the security||Testing can take place within the context of a disaster exercise.||Shared responsibility|
|Ensure that any natural person who has access to personal data does not process them except on instructions from the controller.||A CIS is a communication system. Personal credentials of users have to be checked by the owners of the connected tools.||Connected entity|
Council Directive 85/374/EEC on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products (Product Liability Directive) [Link]
Council Directive 2000/31/EC of the European Parliament and the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on Electronic Commerce) [Link]
Kuczerawy A. and Ausloos J. (2015) NOC online intermediaries case studies series: European Union and Google Spain. NOC Report on Internet Intermediaries Liability, February 2015. [Link]
GDPR Overview of the General Data Protection Regulation (2017). Information Commissioner's Office [Link]
Related Key Terms