ePrivacy Regulation: more support for information sharing

The latest text in the long-running saga of the draft ePrivacy Regulation contains further reassuring indicators for incident response teams that want to share data to help others.

Article 6(1)(b) allows network providers to process electronic communications data (a term that includes both metadata and content) where this is “necessary to maintain or restore the security of electronic communications networks and services”. Note that this is not limited to protecting the provider’s own network. Where information sharing (which is a type of processing) is necessary to protect the security of another network, this Article permits it.

Article 6(1)(c) uses the same phrasing for processing that is “necessary to detect or prevent security risks or attacks on end-users’ terminal equipment”. Again, this is not limited to the network’s own customers so, again, information sharing that is necessary for this purpose is permitted. Note that “end-users” includes both individuals and organisations (see Art.2(14) of the Directive Establishing the Electronic Communications Code).

In each case, “necessary” should be read in the GDPR sense of “objective cannot be achieved in a less intrusive way”, in particular, as is made explicit by Article 6(2), “if the specified purpose or purposes cannot be fulfilled by processing information that is made anonymous”.

This permission to share is even clearer by contrast with Article 6b(1)(e), which, according to Recital 17b, covers the processing of communications metadata for “detecting or stopping fraudulent or abusive use of, or subscription to, electronic communications services”. Here, Article 6b(2) imposes an explicit restriction that information can only be shared once it has been anonymised. Network operators that wish to offer fraud and abuse protection services to their users should probably do so by way of a service offering, where Article 6a(1)(a) appears to permit “necessary” processing of content, potentially including sharing of threat information.

Article 6b(1)(e) and Recital 17b, in particular, seem likely to be further modified before they become law, as they are part of the reintroduction into ePrivacy law of “Legitimate Interests” as a basis for processing, which has been controversial among the Council of Ministers and is likely to be strongly resisted by the European Parliament. The Article 6(1)(b) and 6(1)(c) security provisions should, however, be widely welcomed.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
