Some good news from the draft ePrivacy Regulation. More than a year after I pointed out that the Regulation could inadvertently prohibit websites and other Internet-connected services from using logfiles to secure their services, the Council of Ministers’ latest (20th September 2018) draft explicitly recognises the problem. Recital 8 now includes the positive statement that:
It is also important that end-users, including legal entities, have the possibility to take the necessary measures to secure their services, networks, employees and customers from security threats or incidents. Information security services may play an important role in ensuring the security of end-users’ digital environment. For example, an end-user as an information society service provider may process its electronic communications data, or may request a third party, such as a provider of security technologies and services, to process that end-user’s electronic communications data on its behalf, for purposes such as ensuring network and information security, including the prevention, monitoring and termination of fraud, unauthorised access and Distributed Denial of Service attacks, or facilitating efficient delivery of website content. Such processing of their electronic communications data by the end-users concerned, or by a third party requested by the end-users concerned to process their electronic communications data on their behalf, should not be covered by this Regulation.
That’s not a complete solution, because it still leaves security logs collected by network providers (explicitly permitted by Article 6(1)(b)) on a different basis from security logs collected by connected organisations (ruled out of scope by Recital 8). That could cause problems when sharing information about security incidents among different types of organisations – notably, Article 6 may remove processing by network operators from the requirements of a GDPR “legitimate interest”, whereas Recital 8 leaves processing by websites and others within that regime. It also relies on a statement in a Recital overriding the statement in Article 2(1)(a) that all processing of communications metadata “in connection with the provision and the use of electronic communications services” is within scope. Also, this is only a draft text, which still has to be agreed both within the Council and with the European Parliament.
But it should, at least, act as a sign to Regulators to take care when applying a Regulation whose purpose is, after all, to improve the security of online information.