Last week the General Data Protection Regulation (GDPR) came into force. We previously shared the view that while the GDPR is not quite right for the United States, there are important aspects that should be incorporated into the ongoing discussion about privacy legislation. This post addresses other aspects of GDPR that have created some uncertainty around ongoing efforts to improve cybersecurity and support public safety. Two such efforts are cybersecurity information sharing and access to WHOIS data.
More specifically, GDPR Article 32 requires organizations subject to its jurisdiction to protect personal data and secure it from unauthorized access. (We think all organizations should do so, regardless of specific legal obligation, and helped draft best practices to guide sharing between private entities.) In addition, Recital 49 identifies the processing of personal data for the purposes of ensuring network and information security as legitimate, to the extent the processing is strictly necessary and proportionate for network security purposes. Internet protocol addresses are one type of information that is particularly useful in cybersecurity; under European law, however, in some cases these addresses are considered personal data, and therefore subject to the GDPR’s limitations on collection, processing, and transfer. This is but one example of the jeopardy that has been created because neither the Regulation’s recitals nor its text plainly contemplate the disclosure or transfer of such cybersecurity information to another entity that is not a third country or international organization.
Another example is the status of the longstanding Internet Corporation for Assigned Names and Numbers (ICANN) requirement for global Top Level Domain (gTLD) registries and registrars to collect administrative and technical contact information, often called WHOIS data. The day GDPR went into effect, ICANN filed injunction proceedings in Germany, requesting that a German court interpret how GDPR requirements apply to this type of data collection. ICANN asserts that maintaining this information is part of its public interest role, and that in the absence of further clarification from the European Commission or interpretation by a court of competent jurisdiction, “those with legitimate purposes, including security-related purposes, law enforcement, intellectual property rights holders, and other legitimate users of that information may no longer be able to access full WHOIS records.” Absent either of these developments, ICANN advises that the decentralized WHOIS will cease to be a global information resource.
We learn almost daily about the compromise of personal data entrusted to “connected” organizations. Cybersecurity information sharing plays an important role in reducing the risk of such incidents; indeed, the Cybersecurity Information Sharing Act authorizes such sharing and offers limited liability protection for sharing consistent with the Act’s minimization and purpose requirements. Similarly, identifying points of contact behind malicious websites is often critical in investigating a range of crimes committed through the use of the internet, including botnets and ransomware, and to overall consumer protection. Removing uncertainty around sharing information for network security purposes and maintaining contact information for domain registration directory services, critical tools in ensuring an open and interoperable internet, should be a first order priority for the European Commission.