Last updated: 
3 weeks 2 days ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

ePrivacy Regulation: a risk for website security?

Wednesday, April 19, 2017 - 09:42

Last October the European Court of Justice confirmed that websites do have a legitimate interest in security that may justify the processing of personal data. That case (Breyer) overruled a German law that said websites could only process personal data for the purpose of delivering the pages requested by users. As far as I know, everywhere else in Europe the use of logs to secure websites is accepted as lawful. However the European Commission’s proposed e-Privacy Regulation seems to risk reversing that: I hope by an accident of drafting.

The presumption of the draft Regulation, stated in Article 5, is that communications content and metadata "shall be confidential". Any interference with such data, other than as permitted by the Regulation, shall be prohibited.

The draft Regulation does permit "providers of electronic communications networks and services" to process both content and metadata where this is "necessary to maintain or restore the security of electronic communications networks and services" (Art.6(1)(b)). However the definitions of "electronic communications networks and services" (themselves dependent on another draft Regulation) won't cover all websites, etc. So, if those are covered by the draft Regulation, then collecting and using logs for security may become legally questionable, this time across the whole EU, not just Germany.

That, in turn, depends on interpreting the scope of the draft Regulation. According to Article 2(1) it applies to "processing of electronic communications data carried out in connection with the provision and the use of electronic communications services". So if web logs (which undoubtedly involve "processing of electronic communications data") were found to be "in connection with the provision and use of electronic communications services", even though the website operator is not itself a provider of such services, then website security would fall back into the gap between those two definitions: prohibited by Article 2(1) but not then permitted by Article 6(1).

As a continuing sequence of security breaches demonstrates, website security is one of the most important ways to protect online privacy. A draft "e-Privacy Regulation" that could make it harder for websites to prevent, detect and deal with those breaches, needs to be sorted out before it becomes law.