One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

ePrivacy Regulation: better news for online security

Thursday, October 4, 2018 - 13:20

Some good news from the draft ePrivacy Regulation. More than a year after I pointed out that the Regulation could inadvertently prohibit websites and other Internet-connected services from using their logfiles to secure those services, the Council of Ministers' latest draft (20th September 2018) explicitly recognises the problem. Recital 8 now includes the positive statement that:

It is also important that end-users, including legal entities, have the possibility to take the necessary measures to secure their services, networks, employees and customers from security threats or incidents. Information security services may play an important role in ensuring the security of end-users' digital environment. For example, an end-user as an information society service provider may process its electronic communications data, or may request a third party, such as a provider of security technologies and services, to process that end-user's electronic communications data on its behalf, for purposes such as ensuring network and information security, including the prevention, monitoring and termination of fraud, unauthorised access and Distributed Denial of Service attacks, or facilitating efficient delivery of website content. Such processing of their electronic communications data by the end-users concerned, or by a third party requested by the end-users concerned to process their electronic communications data on their behalf, should not be covered by this Regulation.

That's not a complete solution, because it still leaves security logs collected by network providers (explicitly permitted by Article 6(1)(b)) on a different legal basis from security logs collected by connected organisations (ruled out of scope by Recital 8). That could cause problems when sharing information about security incidents among different types of organisation: notably, Article 6 may remove processing by network operators from the requirements of a GDPR "legitimate interest", whereas Recital 8 leaves processing by websites and others within that regime, so the two parties to an incident report may have to justify holding the same data in different ways. It also relies on a statement in a Recital overriding the statement in Article 2(1)(a) that all processing of communications metadata "in connection with the provision and the use of electronic communications services" is within scope; since Recitals explain the intent of a Regulation but are not themselves its operative text, that is a weaker footing than an explicit exemption in an Article. Also, this is only a draft text, which still has to be agreed both within the Council and with the European Parliament.

But it should, at least, act as a sign to Regulators to take care when applying a Regulation whose purpose is, after all, to improve the security of online information.