A few years ago I wrote a post on how the GDPR copes with situations where there is a conflict between the obligation to prevent, detect and investigate incidents and the obligation to inform all those whose personal data you process. Do you, for example, need to inform someone who is attacking your systems that their hostile activity has been detected?
GDPR Article 14(5) provides a general tool for resolving that conflict: you don’t need to inform if doing so “is likely to render impossible or seriously impair the achievement of the objectives of that processing”. Telling an attacker which attacks you can detect would clearly “seriously impair” the ability to protect systems and data.
A new Commission Decision provides a longer (but still not exhaustive) list of situations when such conflicts might arise: when complying with the exercise of individual data protection rights “would undermine the purpose of providing IT security operations and services, inter alia, by revealing the Commission’s investigative tools, vulnerabilities and methods, or would adversely affect the rights and freedoms and the security of other data subjects”:
- communicate alerts and warnings relating to IT security events and incidents;
- respond to and contain IT security events and incidents;
- facilitate tools and operations through security audits, security assessments and vulnerability management;
- increase the awareness … in the field of cybersecurity;
- monitor, detect and prevent the occurrence of IT security events and incidents;
- review privileged user accounts (Article 2(2)).
Formally, this Decision and its list only apply to the security and incident response activities of the European Commission itself. But it’s still a helpful indication to other CSIRTs – and to regulators – that the importance of these activities for protecting personal data may make it necessary to apply the more general exemptions (such as Article 14(5)) provided in the GDPR.