Having had my own concerns that the European Commission’s draft e-Privacy Regulation might prevent some activities that are needed by security and incident response teams, it’s very reassuring to see the Article 29 Working Party recommending an explicit broadening of the scope of permitted Network and Information Security (NIS) activities. Strikingly, this comes in an Opinion that otherwise expresses “grave concern” that too much processing of communications content and metadata is being allowed. It’s clear that the European Data Protection Regulators have understood that NIS and the data processing it involves are an essential part of protecting communications privacy.
Paragraph 18 of the Working Party’s Opinion supports the Commission’s proposal to permit processing of electronic communications data that is “necessary to maintain or restore the security of electronic communications networks and services” (Article 6(1)(b)). However, the Opinion adds that “certain spam detection/filtering and botnet mitigation techniques” should also be explicitly permitted. The Working Party thus recognises that users and their devices, not only networks, need protection and help.
Paragraph 26 (page 20) also recommends that installing security updates should be an explicit exception to the normal rule that “interference with equipment” requires the user’s prior consent. Instead the Working Party favour automatic installation of patches without consent – to “ensur[e] that the security of these devices remains up-to-date” – so long as users are informed in advance and have the possibility to turn off automatic installation. Paragraph 41b suggests that an employer could even override an employee’s choice when updating or re-configuring company-issued equipment.
Finally, in paragraph 35 the Working Party “welcomes” the requirement on service providers to inform users about security risks: “if a service provider detects that a user’s device is infected with malware and has become part of a bot-net, this provision seems to put a direct obligation on the provider to inform the user about the resulting risks”. In the past I’ve been told of other countries’ regulators prohibiting ISPs from informing their customers when we passed on botnet warnings, so this positive encouragement of the practice is good news for all of us.
Whether or not these proposals are reflected in the final legislation, security and incident response teams now have a clear endorsement of their activities from privacy and data protection regulators.