TRANSCRIPT
The Looming Privacy Rights Debacle
How EU Data Protection Law Will Shape Future Incident Response Team Activities Around The World
Thomas Daemen
FIRST Conference 2005
Overview
I. The EU Data Protection Regime
II. EU Data Protection Law and Security Investigations
III. Ramifications of EU Regulatory Control
IV. Conclusions
EU Data Protection Regime: Data Protection Directive
• Framework Directive adopted in 1995
  – Established overall groundwork
  – Transposed into national laws
  – Supplemented by numerous additional laws and administrative rules
• Primary functions
  – Impose basic obligations on those controlling data
    • E.g., obligations of fair and lawful processing, purpose, relevance, accuracy, retention, security
  – Vest rights in data subjects
    • E.g., rights of access and modification
EU Data Protection Regime: Jurisdiction
• Threshold question: does the regulation apply to the activity at issue?
• Framework Directive provides two possible answers
  – Article 4.1(a): the law applies “in the context of activities… on the territory”
  – Article 4.1(c): the law applies if someone “make[s] use of equipment … on the territory”
• Case study: Hewlett-Packard ruling
EU Data Protection Regime: Enforcement
• EU vs. US: national/sub-national
• National Data Protection Authorities (DPAs) can:
  – Investigate
  – Intervene
  – Sanction
• Private right of action
  – Rarely exercised; seemingly limited to celebrity claimants
  – Must demonstrate actual harm/damage
Law and Investigations Overview: The Emerging Debate
• Public sector arguments in favor of regulatory oversight
  – Response team processing of personal data
  – Response team processing of "judicial data"
• The private sector response
  – IP addresses are impersonal in nature
  – Overly broad interpretations of "judicial data" are incorrect
Public Sector Arguments: Processing of Personal Data
• Framework Directive language, Article 2
  – “[Personal data are] any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number”
• Broad definition, broader interpretation
• Article 29 Working Party
  – Represents all 25 EU Member State DPAs
  – Opines on new technologies and developments
Public Sector Arguments: Processing of Personal Data
• Nov. 2000 Working Document on Privacy on the Internet
  – IP addresses may constitute personal data
• May 2002 Opinion on IPv6
  – “IP addresses attributed to internet users are personal data and are protected by EU [privacy law]”
• Note: IP addresses qualify as personal data even if not immediately linked to specific individuals
Public Sector Arguments: Processing of "Judicial Data"
• Framework Directive language, Article 8.5
  – “Processing of data relating to offenses, criminal convictions or security measures may be carried out only under the control of official authority”
• Subject to considerable debate
• Article 29 Working Party and national authorities uncertain about meaning/impact
Public Sector Arguments: Processing of "Judicial Data"
• Example 1: Belgian DPA IFPI ruling (2001)
  – IFPI
    • Collected IP addresses, notified police, advised ISPs and sought letter notification
    • Note: IFPI did not identify individuals behind IP addresses
  – Activities rejected under Belgian data protection/telecom law
    • IP addresses are personal data even without identification
    • Processing of IP addresses for potential legal claims = judicial processing limited to police authorities
    • Can only process pseudonyms and download date/hour
Public Sector Arguments: Processing of "Judicial Data"
• Example 2: Article 29 Working Party Working Paper on On-Line Enforcement (2005)
  – Article 8 requires “special” protections for “judicial data”
  – Monitoring on-line activity/IP addresses for misconduct “falls within the competence of judicial authorities”
Private Sector Response: IP Addresses are Impersonal
• Industry calls for fundamental reassessment of concept that IP addresses constitute protected personal data
• No legal, public policy or technical rationale
  – Directive is silent
  – Limiting response teams = bad public policy
  – IP addresses are technologically neutral
Private Sector Response: Overly Broad Interpretations are Incorrect
• Art. 8.5 refers only to criminal records
• Text and legislative history are very specific: no basis for expansive interpretations
• DPA interpretations inconsistent: consider Article 29 Working Party Guidelines for Terminated Merchants Databases (2005)
  – Conditions for merchants' cross-border databases
  – Working Party: not “judicial data”/objective facts
  – How to reconcile with enforcement paper?
• Safeguards are adequate
Data Processing Limitations
• Directive includes broad processing limitations
• Limitations depend on nature of data and jurisdiction
• General obligations
  – Notify national privacy regulators
  – Obtain processing approval
  – Inform data subjects
Data Transfer Limitations
• Article 25 limits transfers to countries with “adequate” protections
• EU regularly conducts adequacy determinations
  – Adequate: Switzerland, Argentina
  – Not adequate: United States
• Possible solutions
  – EU/US Safe Harbor Agreement
  – Data subject “unanimous consent”
  – Data transfer agreement
Summary and Call to Action
1) Incident response teams do not operate in a regulatory or political vacuum
2) Policymakers have heeded the public’s call for privacy – more, not less, regulatory intervention is expected
3) Response teams must do the same or face increased scrutiny
4) These are not academic debates
   – Real and far-reaching consequences
   – Reallocate valuable time and resources
5) This is the time to be heard
Thank you