Posted on 17-Jan-2018

Page 1: Threat Prevention and Detection (within Critical Infrastructures) under EU Data Protection Legislation – Purpose Specification and Limitation. Laurens Naudts

Threat Prevention and Detection (within Critical Infrastructures) under EU Data Protection Legislation – Purpose Specification and Limitation.

Laurens Naudts – Legal Researcher, KU Leuven Centre for IT & IP Law

With the financial support of FP7 – Seventh Framework Programme, Grant agreement no: 607093

Page 2

I. Context: Preemption within Critical Infrastructures

Page 3

Preemption: Security practices that aim to act on threats that are unknown and recognized to be unknowable, yet deemed potentially catastrophic, requiring security intervention at the earliest possible stage (Aradau and Van Munster, 2007, 2011)

o Critical infrastructures: An asset, system or part of a system essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people (e.g. electricity infrastructures, gas production companies, etc.), the disruption or destruction of which would have a significant impact on the State.

• Crossroads: public/private interest

Page 4

Preemption: Three Key Features of Preemptive Data Processing (Mitsilegas, 2014)

1. Purpose of collection: data is not collected for specific, identified risks, but to predict risk and preempt future activity.

2. Nature of data: data is generated by ‘little security nothings’ (Huysmans, 2011)

3. Actors of surveillance: privatization of surveillance.

Page 5

Source: Preemptive

Page 6

Security: Data on ‘security anomalies’ (threat detection and prevention)

However:

“to implement better prevention techniques, cyber security utilities require vast amounts of data from the consumers: defensive measures could be used as intrusive and offensive as well.” Thus privacy and data protection issues are present:

Aggregated (anonymous) group profiles

Individual Profiles

• Consumer Profiles (e.g. smart meter detection)
• Employee Profiles (e.g. video surveillance infrastructures)

“Data sets that enable anomaly detection may also function as an immediate source for the profiling or surveillance of individual end-users or parts of the population”

Page 7

II. Purpose Limitation: The first bulwark against privacy intrusion

Page 8

Purpose Specification – Limitation. Art. 6(1)(b) Directive 95/46/EC and Art. 5 GDPR: personal information may only be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.

A. Purpose specification: the requirement to specify at the moment of collection the purpose of data processing activities.

B. Purpose Limitation: the requirement for collected data not to be processed in a way incompatible with the initially specified purposes.

Page 9

Function Creep: The use of a technology or system is expanded or changed beyond the purpose for which it was originally intended, often leading to an invasion of privacy.

• Data gathered for security purposes (+ visualisation) can be used to infer privacy intrusive information concerning the end-user.

• As a national security tool: surveillance
• As a commercial tool: commercial profiling, targeted advertising.

Page 10

Specification: Sufficiently defined to enable the implementation of data processing safeguards and to delimit the scope of the processing operation (e.g. ‘IT security’ vs. ‘network security anomaly detection’)

• Data must be necessary, adequate or relevant

• Each separate purpose should be specified in enough detail to assess whether collection of personal data for this purpose complies with the law, and to establish data protection safeguards.

Data collected for one purpose may not always be relevant or necessary for other specified purposes.

Page 11

Purpose Limitation – Compatibility. Limitation: compatible v. incompatible further processing (case by case)

1. The distance between purposes.

2. Context of collection and reasonable expectations of data subjects.

3. Nature of the data and impact of further processing.

4. Safeguards applied by controller.

• When incompatible, derogation is possible for national security, but only when there is a specific legislative instrument (art. 13 95/46/EC)

Page 12

European Programme for Critical Infrastructure Protection

• Critical Infrastructure Information can be shared among stakeholders:

o Stakeholders (market operators, critical infrastructure operators, Member States) will take appropriate measures to protect information concerning the security of critical infrastructures and protected systems, interdependency studies and CI related vulnerability, threat and risks assessments.

o Such information will not be used other than for the purpose of protecting the critical infrastructure

Page 13

The European Data Protection Regulation – Privacy by Default and Design

• Art. 23 General Data Protection Regulation:

1. Data controllers should ensure by default that only those personal data are processed which are necessary for each specific purpose.

2. Data should not be retained or collected beyond the minimum necessary for the defined purposes.

3. Personal data should not be made accessible to an indefinite number of individuals (e.g. access control).

Page 14

III. Privacy By Design

A. Minimise
B. Hide
C. Separate
D. Aggregate
E. Inform
F. Control
G. Enforce
H. Demonstrate

ENISA (European Union Agency for Network and Information Security)

Page 15

I. Segregation – Separation

1. Functional Separation

2. Separation by Design

3. Organisational PbD

4. Access Control

Page 16

II. Data Minimisation

A. Data Minimization

B. Data Minimummization (Van der Sloot, 2013)

o Minimizing data as such may lead to a loss of value and contextuality.
o A minimum set of data is gathered, stored and clustered.
o The context of the data in the form of metadata is collected along with the original data.
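As an added illustration (not from the slides or their author), the privacy-by-design strategies of pages 13 to 16 applied in code to smart-meter readings collected for network security anomaly detection (the consumer-profile example on page 6): fields the stated purpose does not need are dropped (minimise), the meter identifier is replaced by a keyed pseudonym (hide), district-level statistics are kept apart from per-meter records (separate, aggregate), each record carries its purpose of collection as metadata (the minimummization idea), and every access must state a purpose that is checked for compatibility before data is released, with the decision logged (enforce, demonstrate). The readings, field names, purposes and key are constructed for this example.

```python
import hmac
import hashlib
import statistics
from collections import defaultdict

# Purpose specified at collection time (page 8) and the only further processing
# treated as compatible with it (page 11); anything else is refused by default
# (page 13, point 1). Both purpose strings are constructed for the example.
COLLECTION_PURPOSE = "network security anomaly detection"
COMPATIBLE_PURPOSES = {COLLECTION_PURPOSE, "incident investigation"}

# Minimise: the fields needed to spot consumption anomalies. Customer name and
# address are not needed for that purpose and are never stored.
NEEDED_FIELDS = ("meter_id", "ts", "kwh", "district")

# Hide: key for a stable pseudonym. Placeholder value; a real deployment keeps
# it in a separate key store (organisational separation, page 15).
PSEUDONYM_KEY = b"example-key-rotate-me"

# Constructed raw readings, as the collection system might receive them.
RAW_READINGS = [
    {"meter_id": "M-1001", "customer": "A. Example", "address": "Street 1",
     "ts": "2018-01-17T03:00", "kwh": 0.4, "district": "north"},
    {"meter_id": "M-1001", "customer": "A. Example", "address": "Street 1",
     "ts": "2018-01-17T04:00", "kwh": 9.8, "district": "north"},
    {"meter_id": "M-2002", "customer": "B. Example", "address": "Street 2",
     "ts": "2018-01-17T03:00", "kwh": 0.5, "district": "north"},
    {"meter_id": "M-2002", "customer": "B. Example", "address": "Street 2",
     "ts": "2018-01-17T04:00", "kwh": 0.6, "district": "north"},
]


def pseudonymise(identifier: str) -> str:
    """Keyed pseudonym (HMAC-SHA256) so readings of one meter still link
    without the raw identifier being stored."""
    return hmac.new(PSEUDONYM_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def minimise(raw: dict) -> dict:
    """Keep only the needed fields, pseudonymise the identifier and attach the
    purpose of collection plus what was dropped as metadata (page 16)."""
    record = {k: raw[k] for k in NEEDED_FIELDS}
    record["meter_id"] = pseudonymise(record["meter_id"])
    record["_purpose"] = COLLECTION_PURPOSE
    record["_fields_dropped"] = sorted(set(raw) - set(NEEDED_FIELDS))
    return record


def aggregate_by_district(records: list) -> dict:
    """Aggregate: group-level statistics that contain no per-meter data."""
    by_district = defaultdict(list)
    for r in records:
        by_district[r["district"]].append(r["kwh"])
    return {d: {"n": len(v), "mean_kwh": round(statistics.mean(v), 2)}
            for d, v in by_district.items()}


def detect_anomalies(records: list, factor: float = 5.0) -> list:
    """The specified purpose: flag a reading far above the same meter's others."""
    per_meter = defaultdict(list)
    for r in records:
        per_meter[r["meter_id"]].append((r["ts"], r["kwh"]))
    flagged = []
    for r in records:
        others = [k for t, k in per_meter[r["meter_id"]] if t != r["ts"]]
        if others and r["kwh"] > factor * max(others):
            flagged.append((r["meter_id"], r["ts"]))
    return flagged


class PurposeBoundStore:
    """Enforce: each access states its purpose and is refused unless that
    purpose is compatible with the purpose of collection. Demonstrate: the
    decision is logged either way."""

    def __init__(self, records: list):
        self._records = records
        self.audit = []

    def access(self, purpose: str, requester: str) -> list:
        allowed = purpose in COMPATIBLE_PURPOSES
        self.audit.append((requester, purpose, "granted" if allowed else "refused"))
        if not allowed:
            raise PermissionError(f"{purpose!r} is incompatible with {COLLECTION_PURPOSE!r}")
        return [r for r in self._records if r["_purpose"] == COLLECTION_PURPOSE]


def run_example():
    records = [minimise(r) for r in RAW_READINGS]
    store = PurposeBoundStore(records)
    flagged = detect_anomalies(store.access(COLLECTION_PURPOSE, "soc-analyst"))
    try:
        store.access("commercial profiling", "marketing")  # function creep, page 9
    except PermissionError:
        pass
    return records, aggregate_by_district(records), flagged, store.audit


if __name__ == "__main__":
    for part in run_example():
        print(part)
```

The compatibility check is deliberately an allow-list: the controller has to write down, in advance, which further purposes it considers compatible, which is what page 10 asks for when it requires each purpose to be specified in enough detail to establish safeguards. The marketing request is refused and still appears in the audit trail, so the refusal itself can be demonstrated later.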

Page 17

Contact: [email protected]

KU Leuven Centre for IT & IP Law – iMinds, Sint-Michielsstraat 6, box 3443, BE-3000 Leuven, Belgium

http://www.law.kuleuven.be/citip

Thank you for your attention!

With the financial support of FP7 – Seventh Framework Programme, Grant agreement no: 607093