One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

ECJ rules in favour of security and incident response

Wednesday, April 19, 2017 - 09:46

The recent European Court case of Breyer v Germany provides welcome support for those who wish to protect the security of on-line services. The case concerned two questions – whether a website's logfiles (typically containing time, client IP address, URL requested and result) constituted personal data and, if so, whether data protection law allowed the site operator to retain that personal data after the request had been completed.

The Court's first conclusion – that logfiles indexed by IP address do constitute personal data – agrees with the view long expressed by the Article 29 Working Party, that service providers should treat IP addresses as personal data unless they know they are not. However, the Court rejected two of the widest theories: that IP addresses are personal data merely because they allow an (unknown) individual's activity to be collated, and that they are personal data merely because some third party can link them to the responsible individual. Instead, the Court's argument relied on the website operator's ability to use a legal process (some equivalent of the UK's Norwich Pharmacal order) to obtain the name of the user from their Internet Access Provider if required.

Having decided that logfiles were personal data, the Court nonetheless concluded that the website operator "may also have a legitimate interest in ensuring, in addition to the specific use of their publicly accessible websites, the continued functioning of those websites", which could justify the continued retention of the files. The new General Data Protection Regulation (GDPR), to come into effect in May 2018, does recognise that "the processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security" (Rec.49) is a legitimate interest of a wide range of parties. Current EU law, however, is silent on whether anyone other than a network operator may process personal data to protect the security of their systems and services, while current German law explicitly prohibits it.

Declaring that protecting services is a legitimate interest does not give unconditional permission to process personal data – organisations still need to ensure that their actions are necessary, proportionate and not overridden by the rights of individuals – but these conditions are very similar to the precautions that incident response teams already take to ensure their activities protect, rather than harm, security. The Breyer judgment therefore provides a welcome "back-dating" of the GDPR's reassurance to security and incident response teams.