Google, Facebook at Center of EU Clash Over Cyber-Attack Law

Google Inc.'s London Campus, in London, U.K.

Google Inc.'s London Campus, in London, U.K.

Photographer: Jason Alden/Bloomberg

Google Inc. and Facebook Inc. are caught in the middle of a clash between European Union lawmakers on whether the U.S. technology giants should be covered by rules forcing companies to report cyber attacks to government agencies in the 28-nation bloc.

While the European Commission wants search engines and social networks included in a revamped law on network and information security, some lawmakers favor a more streamlined approach focusing on critical infrastructure such as banks and power stations.

“We have an opportunity to have a common European framework here,” Antanas Guoga, a Lithuanian member of European Parliament, said at Liberal group event he chaired at the assembly in Brussels on Thursday. “We need to move really fast.” Members of the parliament don’t want search engines and social networks to be included, said Guoga, a former professional poker player.

The proposed rules, under discussion since 2013, would impose some of the world’s toughest reporting requirements on companies considered vital to European markets, including banks, utilities and health and transport providers.

The commission, which drafted the measures, is pushing for so-called Internet enablers, firms that provide important online services, to be covered -- including Google and Facebook.

Popular online firms “being disrupted would have a major impact on economic and social life,” Paul Timmers, a commission official, said at the parliament event.

Charlotte Ens, a spokeswoman for Facebook, declined to comment. Google didn’t respond to an e-mail seeking comment.

Lights ‘On’

Andrew Moir, a London-based cyber security lawyer at Herbert Smith Freehills, said extending the scope of the rules too far would dilute the original purpose.

“I would be far more concerned should there be a major cyber attack that the lights stayed on, rather than whether or not I could update my status on Facebook,” he said by e-mail.

Any companies covered by the law would be required to notify local government agencies in the event of a cyber incident that had an impact on their core services.

Liga Rozentale, a representative of Latvia, which holds the EU’s rotating presidency and is in charge of trying to broker deals on proposed legislation, said it would be “foolish” to predict when the rules might be agreed and adopted. Lawmakers are working to ensure “that it will not harm innovation, growth and security,” she said.

Internet enablers were indeed included in the commission proposals because “they have become entry points for several important aspects of the modern economy,” Nathalie Vandystadt, a spokeswoman for the EU’s executive arm, said by e-mail.

“Cloud computing is also considered a key component of this category given the increasing reliance of large and small businesses on the services offered by cloud providers,” she said.

For more, read this QuickTake: Cybersecurity