ePrivacy Regulation: a risk for website security?

Last October the European Court of Justice confirmed that websites do have a legitimate interest in security that may justify the processing of personal data. That case (Breyer) overruled a German law that said websites could only process personal data for the purpose of delivering the pages requested by users. As far as I know, everywhere else in Europe the use of logs to secure websites is accepted as lawful. However the European Commission’s proposed e-Privacy Regulation seems to risk reversing that: I hope by an accident of drafting.

The presumption of the draft Regulation, stated in Article 5, is that communications content and metadata “shall be confidential”. Any interference with such data, other than as permitted by the Regulation, shall be prohibited.

The draft Regulation does permit “providers of electronic communications networks and services” to process both content and metadata where this is “necessary to maintain or restore the security of electronic communications networks and services” (Art.6(1)(b)). However the definitions of “electronic communications networks and services” (themselves dependent on another draft Regulation) won’t cover all websites, etc. So, if those websites are covered by the draft Regulation, then collecting and using logs for security may become legally questionable, this time across the whole EU, not just Germany.

That, in turn, depends on interpreting the scope of the draft Regulation. According to Article 2(1) it applies to “processing of electronic communications data carried out in connection with the provision and the use of electronic communications services”. So if web logs (which undoubtedly involve “processing of electronic communications data”) were found to be “in connection with the provision and use of electronic communications services”, even though the website operator is not itself a provider of such services, then website security would fall back into the gap between those two definitions: prohibited by Article 2(1) but not then permitted by Article 6(1).

As a continuing sequence of security breaches demonstrates, website security is one of the most important ways to protect online privacy. A draft “e-Privacy Regulation” that could make it harder for websites to prevent, detect and deal with those breaches needs to be sorted out before it becomes law.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
