The Looming Privacy Rights Debacle
How EU Data Protection Law Will Shape Future Incident Response Team Activities Around The World
Thomas Daemen
FIRST Conference 2005
Overview
I. The EU Data Protection Regime
II. EU Data Protection Law and Security Investigations
III. Ramifications of EU Regulatory Control
IV. Conclusions
I. The EU Data Protection Regime
EU Data Protection Regime: Data Protection Directive
• Framework Directive adopted in 1995
  – Established the overall groundwork
  – Transposed into national laws
  – Supplemented by numerous additional laws and administrative rules
• Primary functions
  – Impose basic obligations on those controlling data
    • E.g., obligations of fair and lawful processing, purpose limitation, relevance, accuracy, retention, security
  – Vest rights in data subjects
    • E.g., rights of access and modification
EU Data Protection Regime: Jurisdiction
• Threshold question: does the regulation apply to the activity at issue?
• Framework Directive provides two possible answers
  – Article 4.1(a): the law applies “in the context of activities… on the territory”
  – Article 4.1(c): the law applies if someone “make[s] use of equipment… on the territory”
• Case study: Hewlett-Packard ruling
EU Data Protection Regime: Enforcement
• EU vs. US: enforcement is national/sub-national
• National Data Protection Authorities (DPAs) can:
  – Investigate
  – Intervene
  – Sanction
• Private right of action
  – Rarely exercised; seemingly limited to celebrity claimants
  – Must demonstrate actual harm/damage
II. EU Data Protection Law and Security Investigations
Law and Investigations Overview: The Emerging Debate
• Public sector arguments in favor of regulatory oversight
  – Response team processing of personal data
  – Response team processing of "judicial data"
• The private sector response
  – IP addresses are impersonal in nature
  – Overly broad interpretations of "judicial data" are incorrect
Public Sector Arguments: Processing of Personal Data
• Framework Directive language, Article 2
  – “[Personal data are] any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number”
• Broad definition, broader interpretation
• Article 29 Working Party
  – Represents all 25 EU Member State DPAs
  – Opines on new technologies and developments
Public Sector Arguments: Processing of Personal Data
• Nov. 2000 Working Document on Privacy on the Internet
  – IP addresses may constitute personal data
• May 2002 Opinion on IPv6
  – “IP addresses attributed to internet users are personal data and are protected by EU [privacy law]”
• Note: IP addresses qualify as personal data even if not immediately linked to specific individuals
Public Sector Arguments: Processing of "Judicial Data"
• Framework Directive language, Article 8.5
  – “Processing of data relating to offenses, criminal convictions or security measures may be carried out only under the control of official authority”
• Subject to considerable debate
• Article 29 Working Party and national authorities uncertain about meaning/impact
Public Sector Arguments: Processing of "Judicial Data"
• Example 1: Belgian DPA IFPI ruling (2001)
  – IFPI
    • Collected IP addresses, notified police, advised ISPs and sought letter notification
    • Note: IFPI did not identify individuals behind IP addresses
  – Activities rejected under Belgian data protection/telecom law
    • IP addresses are personal data even without identification
    • Processing of IP addresses for potential legal claims = judicial processing limited to police authorities
    • Can only process pseudonyms and download date/hour
Public Sector Arguments: Processing of "Judicial Data"
• Example 2: Article 29 Working Party Working Paper on On-Line Enforcement (2005)
  – Article 8 requires “special” protections for “judicial data”
  – Monitoring on-line activity/IP addresses for misconduct “falls within the competence of judicial authorities”
Private Sector Response: IP Addresses are Impersonal
• Industry calls for fundamental reassessment of the concept that IP addresses constitute protected personal data
• No legal, public policy or technical rationale
  – Directive is silent
  – Limiting response teams = bad public policy
  – IP addresses are technologically neutral
Private Sector Response: Overly Broad Interpretations are Incorrect
• Art. 8.5 refers only to criminal records
• Text and legislative history are very specific: no basis for expansive interpretations
• DPA interpretations inconsistent: consider Article 29 Working Party Guidelines for Terminated Merchants Databases (2005)
  – Conditions for merchants' cross-border databases
  – Working Party: not “judicial data”/objective facts
  – How to reconcile with enforcement paper?
• Safeguards are adequate
III. Ramifications of EU Regulatory Control
Data Processing Limitations
• Directive includes broad processing limitations
• Limitations depend on nature of data and jurisdiction
• General obligations
  – Notify national privacy regulators
  – Obtain processing approval
  – Inform data subjects
Data Transfer Limitations
• Article 25 limits transfers to countries with “adequate” protections
• EU regularly conducts adequacy determinations
  – Adequate: Switzerland, Argentina
  – Not adequate: United States
• Possible solutions
  – EU/US Safe Harbor Agreement
  – Data subject “unambiguous consent”
  – Data transfer agreement
IV. Conclusions
Summary and Call to Action
1) Incident response teams do not operate in a regulatory or political vacuum
2) Policymakers have heeded the public’s call for privacy – more, not less, regulatory intervention is expected
3) Response teams must do the same or face increased scrutiny
4) These are not academic debates
  – Real and far-reaching consequences
  – Reallocate valuable time and resources
5) This is the time to be heard
Thank you