In data protection circles, the phrase “Safe Harbour” doesn’t have a great reputation. Wikipedia describes those as setting hard boundaries around an area where “a vaguer, overall standard” applies. Famously, in 2015, the European Court of Justice struck down the data protection Safe Harbor arrangement negotiated between the European Commission and the US Government. So I was surprised recently to hear someone describing GDPR Recital 49 as a “safe harbour” for actions to protect network and information security. Looking at the other ways that the drafters could have recognised the importance of protecting security reassured me that Recital 49 is, indeed, significantly more than that.
One option would have been to use the approach used in GDPR Article 5(1)(b) for archiving, research and historical purposes: to declare that processing for network and information security is “not incompatible” with the purpose for which the data were originally collected. This would limit the processing to the designated purpose – network and information security – but, at least according to the GDPR, there are few other limits. This feels like a “safe harbour” in the Wikipedia sense. The UK Data Protection Act 2018 does add a requirement that, to qualify for the research purpose, processing must be done in ways that are not likely to “cause substantial damage or substantial distress to individuals”, and the results must not be used for “measures or decisions with respect to a particular data subject”.
Alternatively, maintaining the security of networks and systems could have been treated as just part of the provision of those services. This, arguably, is how network security is treated under Article 6 of the draft ePrivacy Regulation. This links the security activities tightly to service provision, but provides little restriction or guidance on how they should be conducted.
Instead, Recital 49 declares maintaining network and information security (NIS) to be a separate purpose, subject to the requirements of the Legitimate Interests basis in Article 6(1)(f). This makes it subject to both types of restriction, in each case more tightly defined than under the research or ePrivacy approaches. The NIS purpose is much more narrowly defined than “research” and, rather than simply avoiding risks of “substantial damage”, organisations must consider whether any “rights and freedoms of the individual” might override the benefits of the security processing. Fortunately, those data protection requirements are very closely aligned to the requirements of security and incident response: taking care of logfiles and other data is essential to avoid helping those who wish to attack our systems, as well as to protect the privacy and other rights of our users.
So, not so much a safe harbour as a snugly fitting dock.