LONDON/WASHINGTON — Ship owners and insurers say it may be impossible for the maritime industry to fully comply with the Trump administration’s new guidelines on how to avoid sanctions penalties related to Iran, North Korea and Syria, raising the risk of disruptions in a sector already struggling with the fallout of the coronavirus outbreak.

The advisory issued this month marked the first U.S. sanctions guidance for the global maritime sector, and will test Washington’s ability to clamp down on violations without disrupting an industry that handles 90% of the world’s trade.

The final version of the U.S. guidance, written after feedback from maritime professionals, asks for enhanced data-sharing between the shipping industry and U.S. authorities, constant location tracking of vessels, and industry-led investigations into suspicious activity.

A U.S. State Department official told Reuters the advisory contained “recommended best practices,” not hard requirements.

A second State Department official said the administration hopes the guidance improves the industry’s self-monitoring to help the industry avoid violating sanctions.

“There are parts in there that we can’t do,” said Mike Salthouse, chairman of the sanctions sub-committee with the International Group association, which represents companies that insure about 90 percent of the world’s commercial shipping.

He said that, while the industry welcomed the opportunity to consult on the guidance, the advisory’s data-sharing suggestions, for example, will bump up against European privacy laws: “We can’t share information about members we have ceased to insure on the basis of a suspicion of breaking sanctions because that contravenes competition law.”

“We are also constrained in relation to sharing personal data by the GDPR,” Salthouse added, referring to the European Union’s General Data Protection Regulation.

U.S. guidelines seeking constant location monitoring of ships, and investigations by insurers of gaps in that tracking, may also prove difficult, industry officials said. The advisory notes that weather often interferes with AIS transponders, and ship captains should have the discretion to go dark to avoid pirates or militants on the high seas.

“Importantly, a signal not received is not the same as a signal not sent,” said Neil Roberts, head of marine underwriting at the Lloyd’s Market Association, which represents the interests of all underwriting businesses in London’s Lloyd’s insurance market.

He added that it was “not commercially practical for insurers to track ships 24/7.”

Michele White, general counsel with oil tanker association INTERTANKO, said the U.S. advisory’s recommendations would be used as the new expected standard.

“This is asking private marine sector entitles effectively to do the enforcers’ job, whilst at the same time opening itself up to potential sanctions breach,” she said.

Since the election of President Donald Trump, the United States has ratcheted up its pressure on adversaries like OPEC-members Iran and Venezuela by imposing tighter U.S. sanctions meant to choke off their economic lifelines, and it has promised stricter enforcement.

In one example of increasing U.S. attempts to micro-manage the sanctions, Brian Hook, the State Department’s top official on Iran, last year sent emails to the captain of an Iranian tanker that was suspected to be en route to Syria, asking him to steer the tanker to a country that would impound it on behalf of Washington.

The uncertainty around the maritime guidance heaps pressure on shipping companies that are already dealing with global restrictions due to the coronavirus. Some crews have been stuck at sea for weeks and companies are facing financial trouble, as demand to transport non-essential items has slowed.   

(Editing by Richard Valdmanis and Marguerita Choy)


WASHINGTONMay 29, 2020 /PRNewswire/ — Today Jennifer Carpenter, President & CEO of the American Waterways Operators, testified before the House Transportation and Infrastructure Subcommittee on Coast Guard and Maritime Transportation on the status of the U.S. maritime supply chain during the COVID-19 pandemic.

In written testimony submitted to the Subcommittee, Mrs. Carpenter framed her analysis in terms of three overarching messages:  1) the U.S. domestic maritime supply chain is resilient; 2) business continuity does not – and cannot – mean business as usual, especially where health and safety are concerned; and, 3) Congress has a vital role to play in ensuring the stability of the public policy pillars that create the foundation for the supply chain’s resilience and the nation’s recovery.

On supply chain resilience, Mrs. Carpenter emphasized that the American tugboat, towboat and barge industry is playing a key role in keeping the nation’s economy afloat, continuing to transport vital commodities and guiding ships safely into port. Mrs. Carpenter stated: “While cargo volumes in many sectors have declined due to depressed demand, mariners have continued to report to work, vessels have continued to operate, and the industry has adapted to maintain operational continuity and readiness.”

Mrs. Carpenter also observed that a critical component of maintaining operational continuity during the pandemic has been the early prioritization of crewmember health and safety: “The industry’s extensive experience with contingency planning, safety management systems and incident command structures has served it well in managing the health, safety and operational challenges posed by the pandemic. A tow on the river or an articulated tug-barge unit at sea for two to four weeks at a time is effectively a self-quarantined environment, and companies quickly put in place – and have continued to refine – procedures aimed at keeping the virus off their vessels.”

When discussing Congress’s role in supporting the maritime supply chain, Mrs. Carpenter noted there are: “…four pillars that enable the tugboat, towboat and barge industry to do the essential work it does for American shippers and the American economy. Those pillars – the Jones Act; modern, well-maintained ports and waterways infrastructure; a nationally consistent system of laws and regulations governing vessels in interstate commerce; and maritime safety – are more important than ever amid the circumstances of the COVID-19 pandemic.”

Mrs. Carpenter concluded: “The U.S. domestic maritime supply chain is resilient, and the tugboat, towboat and barge industry is well equipped to continue to serve our nation as we begin the long road to recovery from the economic disruption caused by this global public health crisis.”

Mrs. Carpenter’s full written testimony to the House Transportation and Infrastructure Subcommittee on Coast Guard and Maritime Transportation is available here.

About the American Waterways Operators

The American Waterways Operators is the national trade association representing the tugboat, towboat and barge industry, which operates on the rivers, the Great Lakes, and along the coasts and in the harbors of the United States. Barge transportation serves the nation as the safest, most environmentally friendly and most economical mode of freight transportation.

SOURCE American Waterways Operators


On the 23rd May 2020, the Ports and Yachting Directorate within the Authority for Transport in Malta (the Maltese Port Authorities) published Port Notice 09/2020 entitled COVID-19 Temporary Precautionary Measures – Framework of Protocol for Conducting Maritime Support Services. This Notice is further to Port Notice 06/2020, which was previously issued by the Authorities on the 26th March 2020.

Port Notice 09/2020 was issued by the Maltese Port Authorities following consultation with the Port Health Office. It creates a framework of protocols that must be respected when maritime services providers in Malta are engaged to conduct various maritime support services.

Ships, yachts and all other vessels intending to obtain services in Maltese waters or within ports and harbours must seek prior port clearance. If cleared, vessels will be required to follow the protocols established in the said Port Notice.

Interestingly, the previous blanket ban on all yachts from entering Malta has been lifted. Yachts requesting permission to enter Maltese waters for services and ships requesting to enter Malta to carry out maintenance will be considered on a case-by-case basis. If and when approved, protocols and other conditions that must be followed by the vessels will then be communicated to the local agents by the Port Health Office.

The Notice also provides for an exemption to the otherwise applicable travel ban in cases of crew repatriation and likewise in cases of “ship operations”.  Requests will be referred to the Superintendent of Public Health for consideration and will be dealt with on a case-by-case basis. If approved, protocols and other conditions that must be followed will be communicated by the Port Health Office.

For further information kindly contact Dr Jotham Scerri-Diacono and Dr Jan Rossi.

Originally published 25 May 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Since the EU General Data Protection Regulation became effective May 25, 2018, most American companies have been inundated with contract addenda from vendors, customers and just about everyone else with whom they do business, intended to respond to the privacy requirements of the GDPR. Many proposed addenda include requirements to include standard contractual clauses or similarly purposed documents, such as binding corporate rules. Should American companies without significant EU-based assets sign these addenda?

The answer may well be “no.” The reason is the Uniform Foreign Country Money Judgments Recognition Act.

Liability exposures under GDPR

Most discussion of financial remedies for “infringement” of the GDPR highlights the attention-getting maximum of “administrative fines” provided in Article 83. These fines, when levied, are issued by an EU supervisory authority, as established by each member state.

Less discussed is the potential for claims by data subjects themselves as set out in Articles 79, 80 and 82. These articles contemplate proceedings in whichever nation the data subject resides, as well as potentially allowing for collective actions, bundling of groups of similar individual claims. And while the administrative fines established in Article 83 are capped (even though that cap is massively high), there is no cap on damages for data subjects.

So, faced with such exposures, should an American company with no EU-based assets nevertheless hire an EU attorney in the forum state to defend against a complaint filed by either a supervisory authority or data subject?


If either an administrative fine or a damages judgment is entered by an EU tribunal against an American company with no assets based in the EU, the complainant would have to seek recognition of the EU judgment in a U.S. court and then enforcement of that judgment against the U.S.-based assets of the American company.

The U.S. is not a party to any international treaty on the subject of recognition of foreign country judgments. Congress has, to date, enacted no federal statute on this subject. The only applicable body of U.S. law is that applied by U.S. states.

The Uniform Law Commission proposed a comprehensive scheme in 2005, the UFCMJRA, including specific provisions for recognition of foreign country judgments. Per the ULC’s website, 24 states plus the District of Columbia, have enacted the 2005 version, and it is pending in three additional state legislatures as of this writing. As to those states that have not enacted the 2005 version, the common law is likely to vary but will generally follow the principles set out in the UFCMJRA.

The UFCMJRA provides that the act does not apply at all to, among other things, “a fine or other penalty.”  Thus, a strong argument can be made that EU-entered administrative fines will not be recognized — and therefore cannot be enforced — in the U.S.

Section 4 sets out exceptions in which a court “may not” recognize a judgment and where a court “need not” do so — the first being mandatory and the second being discretionary.

In the “may not” category are lack of due process of law, lack of personal jurisdiction over the defendant and lack of jurisdiction over the subject matter. Most disputes will most likely arise under dealing with personal jurisdiction.

The “need not” provisions include eight categories. Most important for present purposes is “in the case of jurisdiction based solely on personal service, the foreign court was a seriously inconvenient forum for the trial of the action.” It is difficult to imagine a more “seriously inconvenient forum” for an American company than a forum separated by an ocean.

Unless a representative of an American company happens to be in the member state and served with process while there, the American company is likely not subject to personal jurisdiction of the EU tribunal — and therefore a foreign money judgment against that company would likely not be recognizable by a U.S. court under the UFCMJRA — unless it has performed specific other actions specified in Section 5. And this is where the intersection with SCCs and BCRs occurs.

While the UFCMJRA describes actions that submit to personal jurisdiction similar to those applied by U.S. courts for general or specific jurisdiction, more relevant to the current discussion are Sections 5(a)(2) (defendant voluntarily appeared other than to protect seized property or to contest jurisdiction) and 5(a)(3) (defendant agreed to submit to jurisdiction before commencement of the proceeding).

Section 5(a)(2) presents a partial answer to the question of whether an American company without EU-based assets should hire an EU attorney and contest the merits of a GDPR claim. There may be good reasons to do so under certain circumstances, but companies should only do so in recognition that by voluntarily appearing, they have likely waived some important potential defenses to the recognition of any judgment rendered by the EU tribunal by U.S. courts.

Section 5(a)(3), however, is more insidious. Unsuspecting companies may waive jurisdictional defenses to U.S. recognition of EU judgments without even realizing it until it is too late.

Potential impact of SCCs on UFCMJRA defenses

The purpose of SCCs, BCRs and other similar GDPR-contemplated documents is to comply with the GDPR requirements for cross-border transfers of personal data, for countries (like the U.S.) that have not been certified by the EU as “adequate jurisdictions.”

As the name implies, SCCs are “standard” — not subject to negotiation and must be accepted as is. The same is true for BCRs.

Both SCCs and BCRs include provisions that expressly allow data subjects to enforce GDPR against data exporters. They include provisions by which the data exporter agrees that persons who suffer damages are “entitled to receive compensation from the data exporter” and agree to the jurisdiction of a tribunal of the member state where the data exporter “is established,” governed by the laws of the member state.

Thus, an American company that is not otherwise subject to EU personal jurisdiction and therefore has potential grounds for contesting recognition of an EU judgment by a U.S. court risks losing that defense under Section 5(a)(3) of the UFCMJRA if it agrees to SCCs or BCRs, thereby agreeing to jurisdiction of the EU tribunal.

Many small- to mid-sized American businesses sell only within the U.S. but nonetheless communicate with (and thereby collect personal information about) foreign individuals in a myriad of contexts. Websites know no borders, and many U.S.-based companies interact with EU counterparts even as they have no EU-based assets.

And even if an American company does not itself have any contacts with EU individuals, many of the companies with which it does business may themselves have EU connections.

It is in this context that digital privacy addenda and similarly named contract documents are being received daily by most companies from vendors, customers and others whose own inside or outside counsel have devised contract forms designed to meet GDPR (and now, California Consumer Privacy Act) requirements. Wisdom suggests, however, that companies should think twice before agreeing to these contract provisions.

Photo by Leon Seibert on Unsplash0


Digitalisation and modern technologies have rapidly changed the maritime sector in recent years. That is why European maritime professionals, both at sea and ashore, need more digital and soft skills to stay ahead of the industry. This was concluded from research by SkillSea.

The research report, written by experts from the Norwegian University of Science & Technology (NTNU) and Liverpool John Moores University in the UK, and with the assistance of other SkillSea partners, examined the main trends in the shipping sector: education, technological developments, such as autonomous vessels and clean energy, collaboration between clusters and digitisation.

The report shows that more training should be given in sustainability, greening and digitisation. Future seafarers also need to develop soft skills in leadership and management. In addition, there is a need for transition programmes that make the shift from working at sea to working on shore easier.

Finally, the researchers recommend that the STCW training (the International Convention on Standards of Training, Certification and Watchkeeping for Seafarers) be extended to include maritime law, corporate finance, autonomous shipping and other new technology-based skills.

This research was conducted before the Covid-19 crisis and its lockdowns hit Europe. The crisis however, does not affect the conclusions of this report, yet according to SkillSea the Covid-19 situation makes the conclusions of the report even more relevant.

The full report can be found on the SkillSea website.


On the 4th of May 2020, the European Data Protection Board (EDPB) issued fresh guidelines on ‘consent’ titled Guidelines 05/2020 on consent under Regulation 2016/679 (Guidelines). These new Guidelines have replaced the original guidelines which were previously adopted by what was formerly known as the Article 29 Working Party and which were last revised on the 10th of April 2018.

Under the General Data Protection Regulation 2016/679 (GDPR) there are 6 legal bases for processing personal data, these being: consent, contract, legal obligation, vital interests of the data subject or of another natural person, public interest and legitimate interest.

Consent, which according to Article 4(11) of the GDPR must be freely given, specific, informed and unambiguous for it to be legally valid, has been at the forefront of several controversies. The Guidelines address two issues relating to consent; firstly, the EDPB goes on to clarify the concept of ‘freely given consent’ by assessing the notion of conditionality in relation to third parties and in relation to the validity of consent provided by the data subject when interacting with so-called ’cookie walls’.

Secondly, the EDPB goes on to clarify the issue of ‘unambiguous consent’, as provided for in recital 32 of the GDPR, especially when it comes to ‘scrolling and swiping’.

Freely Given Consent

  • In relation to Third Parties

These Guidelines expand on the notion of ‘conditionality’, which is one feature that may affect the validity of a data subject’s consent from being freely granted. The GDPR states that “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”.

Therefore, as a basic rule, a data subject should not be placed in a situation whereby the rendering of a contract or service is made conditional to the ’consent’ of that data subject. In this regard, the EDPB goes on to clarify that ‘consent’ cannot be considered as freely given if a service provider ties the rendering of a service on the condition that the data subject consents to the processing of their personal data, one might say by force. In such an instance the judgment of the data subject is conditioned and therefore there does not exist the so called ‘freedom of choice’ and independence that is required by the spirit of the GDPR.

  • Cookie Walls

Another interesting clarification made by the EDPB was in relation to what is referred to as a ‘cookie walls’. By virtue of these newly revised Guidelines, the EDPB confirmed that the use of cookie walls is unlawful in terms of the GDPR and is therefore strictly prohibited.

What are cookies?

A cookie is a text file that is automatically stored in someone’s device and may or may not be deleted upon the closure of a session. A cookie can have different purposes, for instance, a cookie may be necessary to run a website, or it can be necessary to identify what a user is doing. Cookies are also used for instance to remember your password. Cookies may either be first party cookies of third-party cookies, the former are stored on one’s device directly by the website you are visiting while the latter are stored by a third party like an advertiser or an analytic system.

What is a cookie wall?

A cookie wall is a way for service providers (whatever their nature of business) to deny users access to their websites if they don’t consent to cookies present on that same service provider’s website being used. Therefore, a cookie wall usually works as a self-made border against users who do not consent to cookies, barring them from the service.

Is it legal? If not, why so?

The status of legality of cookie walls was never certain, however the Guidelines have clarified that cookie walls are in no way or form permissible since they do not afford the data subject the ability to make a free and independent choice when giving consent for the processing of their own personal data.

What is a good alternative to a cookie wall?

Technically speaking there is no good alternative to a cookie wall because as effectively the data subject’s consent is being conditioned. However, a suitable alternative would be for a service provider to:

  • still set up a cookie banner or request without prohibiting access to the main content of the website and
  • provide information in relation to which cookies are being recorded and for what purpose the data will be processed. This is in fact a legal requirement whenever cookies involving personal data are involved.

Unambiguous Consent

The second issue that the Guidelines sought to clarify was in relation to the importance of clarity when giving consent for the processing of personal data, more specifically in relation to the act of ‘scrolling’ and ‘swiping’ as a means of valid consent. Under the GDPR, Recital 32 sets out that consent must be a ‘clear affirmative act’ which ensures an unambiguous, clear and affirmative indication of the data subject’s agreement to the processing of personal data.

The new revised Guidelines have clarified that the specific actions of ‘scrolling’ or ‘swiping’ through a webpage or any similar activity for that matter, will not under any circumstance satisfy the requirement of a clear and affirmative action as depicted under the GDPR.

The EDPB went on to also reaffirm its position that the withdrawal of one’s consent shall be as easy as to give consent.

News item written by Senior Associate Dr. Terence Cassar and Associates Dr. Bernice Saliba and Dr. Sean Xerri de Caro.



In Decree No. 179/2020 issued on 4 May, the Hungarian government has restricted the protection and rights of data subjects concerning anti-pandemic measures as stipulated by the EU’s General Data Protection Regulation (GDPR) and the Hungarian Act on Freedom of information and data protection (Info Act).

Furthermore, the decree restricts the right for claiming public information granted by the Hungarian Info Act related to COVID-19 measures.

The Hungarian government issued a state of emergency on 11 March for a 15-day period, which was extended for an indefinite period on 31 March. During the current state of emergency, the government has the authority to govern through the issuance of government decrees.

No law enforcement and data protection rights during the state of emergency

The government decree stipulates that data controllers’ measures under articles 15 to 22 of the GDPR as pertaining to personal data processed for the purpose of preventing, recognising and investigating the COVID-19 disease and stopping its spread are suspended until the termination of the state of emergency.

The 30-day GDPR deadline for answering COVID-19 – related data subject requests will start only on the first day after the termination of the state of emergency. This means that if a data subject submits a request for access to, erasure, rectification, and restriction of the processing of his personal data related to COVID-19, or lodges an objection against the processing of his personal data related to COVID-19, the data controller (i.e. hospitals, government bodies, emergency management offices) is not required to take any steps to erase, rectify the data or restrict the processing until the end of the COVID-19 state of emergency that is now in place for an indefinite period of time.

Furthermore, the new legislation does not define the exact categories of personal data and the type of data controllers that fall under the new law. As a result, any data controller taking part in the fight against COVID-19 or processing COVID-19 – related personal data can interpret the new legal provisions widely and broaden its restrictions as it applies to personal data as much as possible.

In addition, the decree contains other clauses restricting the rights of data subjects: data controllers falling under the new law now do not need to provide data subjects with personalised information as listed in articles 13 and 14 of the GDPR, such as the type of data processed, the purpose and legal basis of the data processing, and name of the data controller, notification of data transfers to third parties and to third countries, the guaranties of these data transfers, their retention periods, and all information about data protection rights and remedies for data subjects.

Instead, the data controller is required only to issue a privacy notice that contains the purpose and legal basis of the data processing and to publish this notice electronically so that it is available to the data subject. Consequently, a data subject’s access rights are restricted since he cannot request personalised information on the processing of his personal data related to the COVID-19 situation during the state of emergency.

Furthermore, the decree restricts the rights of data subjects to lodge complaints with the data protection authority (DPA) and the right to an effective judicial remedy against the DPA and the data controller or processor by stipulating that the court and DPA are only entitled to start proceedings on the first day after the termination of the COVID-19 state of emergency even for complaints submitted now. It must be emphasised that it is currently not known how long the government will maintain the state of emergency.

Restrictions and delays regarding public-information requests

Until the termination of the COVID-19 state of emergency, requests for public information based on the Info Act must take into account the following differences:

  • Request for public information cannot be submitted personally or orally to any organisation with public-service functions.
  • The organisation with a public-service function must comply with an eligible request for public information within 45 days instead of 15 days, a deadline that can be prolonged for one time only by 45 days.

All provisions of the new government decree apply not only for future requests and procedures, but for requests and procedures that are currently on-going.

For more information on this decree and the provisions of the Hungarian state of emergency, contact your regular CMS advisor or local CMS experts:



shipping companies under GDPR – The UK Chamber of Shipping, in conjunction with shipping lawyers Hill Dickinson LLP, has released guidance to shipping companies on implementing the general data protection regulation (GDPR).

The arrival of GDPR is part of a raft of cyber related initiatives heading shipping’s way.

The publication summarises the key requirements of the GDPR, which entered into force in May 2018, and the actions companies should take to implement data protection policies.

It focuses specifically on the maritime sector and covers key areas such as crewing issues and seafarer payments, defines GDPR terminology and lists the types and sources of personal data and how these should be processed.

It also describes the role and responsibilities of the data controller and the company data protection officer.

Guidance is also provided on the strict provisions relating to transferring personal data outside of the EU. This is particularly relevant to the offshore industry, where crew are transferred from one site to another and to and from a multitude of jurisdictions where their personal data will follow.

UK Chamber of Shipping chief executive Bob Sanguinetti commented “It is our mission to deliver for our members trusted specialist expertise at all times and The GDPR Guidance to Shipping Companies offers just that. The publication not only details the best practices but also sets out an ‘Action Plan for Companies’, describing suggested stages for a company to implement GDPR and verify compliance.”


SHIP IP LTD is specialized with GDPR ( General Data Protection EU
Regulation) implementation for Maritime Companies ONLY .
We have make the whole process very simple – No need to be something
complicated as Maritime Companies core business is not handling personal
data but transportation .
Our process is very easy – in contact with your key personnel i.e. Human
Resource , Crew and Accounting department – we record forms you have
related with personal data , we are auditing your IT department or in we
ask them some simple questions so we can prepare the procedures required
and we are delivering the GDPR Manual , Gap Analysis and DPIA if required.


GDPR TMSA Cyber Security


Tanker owners should be prepared for new EU and IMO cyber security regulations as they must already comply with maritime security requirements under OCIMF’s TMSA 3, writes Martyn Wingrove

There are increasing amounts of cyber security-related regulations that shipping companies will have to comply with, but tanker owners are already ahead of the game. Ship operators will need to include cyber in ship safety and security management under the ISM Code from 1 January 2021.

Before that, they need to be aware of cyber and data security regulations, including the EU general data protection regulation (GDPR) and the EU directive on the security of networks and information systems (NIS).

Much of the requirements under these forthcoming or new regulations are already within Oil Companies International Marine Forum (OCIMF)’s third edition of the Tanker Management and Self Assessment (TMSA) best practice guidelines. This came into force on 1 January this year, with a new element on maritime security and additional requirements of key performance indicators and risk assessments.

Regulation changes were outlined at Riviera Maritime Media’s European Maritime Cyber Risk Management Summit, which was held in London on 15 June. The event was held in association with Norton Rose Fulbright, whose head of operations and cyber security Steven Hadwin explained that “data protection and cyber security needs to be taken seriously from a legal point of view.”

Data, such as information on cargo and charterers, could “become a considerable liability”. If data is lost “then GDPR could be in play” said Mr Hadwin. Regulators “could impose a fine of up to 4% of that organisation’s global annual turnover.”

PwC UK cyber security director Niko Kalfigkopoulos explained the legislation and reasoning behind the NIS Directive, which went into full effect in May this year.  “These regulations have teeth” he said because of the potential size of fines and damage to a company’s reputation from being a victim of a cyber attack. This is one of the reasons why boardroom executives should be aware and understand what is required for compliance.

Class support

During the summit, class societies provided cyber security guidance as they collectively attempted to define cyber secure ship notations. Lloyd’s Register cyber security product manager Elisa Cassi said shipping companies should have a third party monitor their IT network and the operational technology (OT) and employ staff to “stop people sharing data or compromising procedures”.

Tanker owners “need to identify any compromise before an attacker tries to penetrate”, Ms Cassi explained, noting that shipping companies need to “investigate the vulnerabilities through analytics and machine learning”, understand the behaviour of potential threats and use predictive analysis.

ABS advanced solutions business development manager Pantelis Skinitis said shipowners need to change passwords on operational technology, such as ECDIS and radar, as some remain unchanged since they were originally commissioned on the ship. He also advised owners to verify vendors and service engineers and that their USB sticks are clean of malware.

ABS has created cyber safety guidance for ship OT, particularly for ships coming into US ports and terminals. In its development, ABS identified the risks, vulnerabilities and threats to OT. “Managing connection points and human resource deals with the biggest threat to OT systems on board,” said Mr Skinitis.

DNV GL has developed new class notations covering cyber security of newbuildings. It has also produced an online video for instructing shipping companies to become more aware of cyber threats. During the summit, DNV GL maritime cyber security service manager Patrick Rossi said ship operators should set up multiple barriers to prevent hackers.

These should include firewalls, updated antivirus, patch management, threat intelligence, intrusion detection, emergency recovery and awareness testing. OT should be segregated from open networks, only official ENC-provider USBs and update disks should be used and cleaned of malware before being inserted into ECDIS and these systems should be segregated from the internet.

Cyber regulations and guidance for shipping

EU General Data Protection regulation (GDPR) came into effect from 25 May 2018

IMO – Resolution MSC.428(98) – from January 2021 cyber security will be included in the ISM Code

TMSA 3 – cyber security was added to tanker management and assessment in January 2018; EU directive on the security of networks and information systems (NIS Directive) from May 2018

EU privacy rule (PECR) of individuals traffic and location data

Rightship added cyber security to inspection checklist

BIMCO – guidelines based on International Association of Classification Societies




GDPR IN THE SHIPPING SECTOR – European Community Shipowners Association have published a document intended to provide guidance to the shipping sector on the application of the EU General Data Protection Regulation (“GDPR”).

This document was prepared in consultation with our members.

It is intended for general information purposes only and does not constitute legal advice.  To receive legal advice, the reader should consult legal counsel. For definitions of the terms used in these guidelines, please see Appendix 2 to the guidelines.

  1. Application of the GDPR


  1. Does the GDPR apply when a ship has a non-EEA flag and non-EEA crew members?

The GDPR has a broad reach. It applies to organisations established in the EEA, when they process personal data in the context of the activities of these EEA establishments, regardless of whether the processing takes place in the EEA or not. The GDPR further applies to organisations outside the EEA who process personal data, if they offer goods and services to individuals in the EEA or monitor their behaviour. This particularly affects organisations with internet-based business models, offering goods or services to consumers in the EEA.



– The GDPR applies to a ship owner, ship operator or crewing agent who processes personal data and who is established in the EEA, regardless of the flag of the ship and the nationality of the crew.


– The GDPR applies to a cruise operator established outside the EEA, when it offers cruises to passengers residing in the EEA.


– The GDPR applies to an EEA establishment of a ship owner who processes personal data of non-EEA crew members that it receives from a non-EEA crewing agency.


– The GDPR applies to a non-EEA crewing agency that provides services to individuals in the EEA.



  1. What type of data processing activities are covered by the GDPR?

The GDPR applies to:

(i) any type of operation that is performed on personal data by automated (i.e., computerized) means, and

(ii) non-automated processing of data that (are intended to) form part of a filing system (i.e., keeping hard copy documents in a structured manner so that they are searchable according to specific criteria such as name, ID number, phone number, etc.).


The following are examples of operations that may be performed on personal data and that are covered by the GDPR: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


The GDPR applies to any information relating to an identified or identifiable individual, whether or not the information as obtained in a private or professional context.



– A filing cabinet containing HR records arranged in alphabetical order of employee names would be covered by the GDPR. An unstructured box of hard copy files would not be a relevant filing system and would fall outside the scope of the GDPR.


– Activities that are covered by the GDPR include for example storing employment details of crew members, recording crew members on a ship using audio and video equipment to ensure workplace security, managing contact details of a charter’s port agents, transferring (sensitive) personal data outside the EEA.


– Any information relating to individuals of any capacity associated with a shipping company falls within the scope of the GDPR.



  1. Does the GDPR apply only to sensitive types of information?

No. The GDPR applies to any information that relates to an identified or identifiable individual (e.g., crew members, passengers, staff at customers/partners). This includes, for example, names, email addresses, phone numbers, online identifiers, location data, and information relating to an individual’s physical, physiological, genetic, mental, economic, cultural or social identity. In addition, the GDPR imposes specific requirements when sensitive data are processed (i.e., any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of unique identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation). Such sensitive data are referred to as “special categories of personal data” in the GDPR.



– Categories of data that are covered by the GDPR include e.g., contact details, bank information (including cash flows), medical certificates, passport information, video and audio recording.


– Information regarding a crew member’s health (like the aforementioned medical certificates)   or trade union membership is considered sensitive data.


  1. Who is the data controller? Who is the data processor?

An entity that decides on the ‘why’ and the ‘how’ of data processing is considered a “controller”. If a controller engages a third party (e.g., service provider) to process personal data on the controller’s behalf, that third party will qualify as a processor. There can be several controllers and processors that are involved in the same data processing activity.



– When a ship owner installs video cameras on a ship to ensure workplace safety, the ship owner will be considered a controller for the collection of video recordings.


– The ship owner and charterers are controllers for the disclosure of crew members’ personal data to port authorities, in order to fulfil their respective legal obligations vis-à-vis port authorities. In principle, a ship manager is a controller when it manages such data transmission to the authorities, unless its role is limited to acting solely on behalf and under the instructions of the ship owner or charterer (in which case the ship manager is a processor).


­­- When an external payroll agency processes salaries of crew members, the agency acts as a processor.


– When a ship owner uses a cloud-based customer relationship management program, the cloud service provider acts as a processor.




  1. GDPR has many obligations. Does the shipping industry need to comply with all of them?

In principle: yes. The GDPR requirements apply to all organisations that process personal data, across all industries and sectors. However, some of the GDPR requirements apply only to high-risk data processing activities, which may not be relevant for all organisations in the shipping sector. Each organisation needs to assess which of the GDPR requirements apply to its specific activities.



The GDPR requires that a data controller carries out a ‘data protection impacts assessment’ (‘DPIA’) when it engages in data processing activities that will likely result in a high risk to the rights and freedoms of individuals. This requirement may apply e.g., to an organisation that monitors on-board drug and alcohol use. However, it will not apply to an organisation that only carries out standard HR data processing activities, unless these activities involve large scale processing of sensitive data or criminal data (e.g., in the context of seafarers’ screening).



  1. Does a non-EEA manning agent need to appoint a representative in the EEA? Does it need to be registered with a supervisory authority?

If a non-EEA manning agent provides services to crew members residing in the EEA, or monitors the behaviour of crew members in the EEA, it is subject to the GDPR and needs to appoint a representative in the EEA. The appointment must be in writing, but it does not need to be registered with a supervisory authority. This requirement also applies to manning agents that are established in “adequate” third countries (see section III on international data transfers below).



A manning agent established in New Zealand must appoint a representative in one of the EEA countries where the crew members’ reside whose personal data are processed or whose behaviour are monitored.




@AnyawbSales - 7 months


@AnyawbSales - 1 year

SQEXpress maritime electronic sms forms platform just released

Photo Gallery