One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Article 29 Working Party support security and incident response

Wednesday, April 19, 2017 - 09:36

Having had my own concerns that the European Commission's draft e-Privacy Regulation might prevent some activities that are needed by security and incident response teams, it's very reassuring to see the Article 29 Working Party recommending an explicit broadening of the scope of permitted Network and Information Security (NIS) activities. Strikingly, this comes in an Opinion that otherwise expresses "grave concern" that too much processing of communications content and metadata is being allowed. It's clear that the European Data Protection Regulators have understood that NIS and the data processing it involves are an essential part of protecting communications privacy.

Paragraph 18 of the Working Party's Opinion supports the Commission's proposal to permit processing of electronic communications data that is "necessary to maintain or restore the security of electronic communications networks and services" (Article 6(1)(b)). However the Opinion adds that "certain spam detection/filtering and botnet mitigation techniques" should explicitly be permitted. The Working Party thus recognises that users and their devices, not only networks, need protection and help.

Paragraph 26 (page 20) also recommends that installing security updates should be an explicit exception to the normal rule that "interference with equipment" requires the user's prior consent. Instead the Working Party favour automatic installation of patches without consent – to "ensur[e] that the security of these devices remains up-to-date" – so long as users are informed in advance and have the possibility to turn off automatic installation. Paragraph 41b suggests that an employer could even override an employee's choice when updating or re-configuring company-issued equipment.

Finally, in paragraph 35 the Working Party "welcomes" the requirement on service providers to inform users about security risks: "if a service provider detects that a user's device is infected with malware and has become part of a bot-net, this provision seems to put a direct obligation on the provider to inform the user about the resulting risks". In the past I've been told of other countries' regulators prohibiting ISPs from informing their customers when we passed on botnet warnings, so this positive encouragement of the practice is good news for all of us.

Whether or not these proposals are reflected in the final legislation, security and incident response teams now have a clear endorsement of their activities from privacy and data protection regulators.