Presentation is loading. Please wait.

Presentation is loading. Please wait.

Threat Prevention and Detection (within Critical Infrastructures) under EU Data Protection Legislation– Purpose Specification and Limitation. Laurens Naudts.

Published byShavonne Harrington Modified over 9 years ago

Similar presentations

Presentation on theme: "Threat Prevention and Detection (within Critical Infrastructures) under EU Data Protection Legislation– Purpose Specification and Limitation. Laurens Naudts."— Presentation transcript:

1 Threat Prevention and Detection (within Critical Infrastructures) under EU Data Protection Legislation– Purpose Specification and Limitation. Laurens Naudts – Legal Researcher KU Leuven Centre for IT & IP Law With the financial support of FP7 – Seventh Framework Programme Grant agreement no: 607093 Grant agreement no: 607093

2 I. Context Preemption within Critical Infrastructures

3 Preemption Security practices that aim to act on threats that are unknown and recognized to be unknowable, yet deemed potentially catastrophic, requiring security intervention at the earliest possible stage (Aradau and Van Munster, 2007, 2011) o Critical infrastructures: An asset, system or part of a system essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people (e.g. electricity infrastructures, gas production companies, etc.), the disruption or destruction of which would have a significant impact on the State. Crossroads: public/private interest

4 Preemption Three Key Features of Preemptive Data Processing (Mitsilegas, 2014) 1. Purpose of collection: data is not collected for specific, identified risks, but to predict risk and preempt future activity. 2. Nature of data: data is generated by ‘little security nothings’ (Huysmans, 2011) 3. Actors of surveillance: privatization of surveillance.

5 Source: Preemptive

6 Security:  Data on ‘security anomalies’ (threat detection and prevention) However: “to implement better prevention techniques, cyber security utilities require vast amounts of data from the consumers: defensive measures could be used as intrusive and offensive as well.” Thus privacy and data protection issues are present:  Aggregated (anonymous) group profiles  Individual Profiles Consumer Profiles (e.g. smart meter detection) Employee Profiles (e.g. video surveillance infrastructures) “Data sets that enable anonomaly detection may also function as an immediate source for the profiling or surveillance of individual end-users or parts of the population”

7 II. Purpose Limitation The first bulwark against privacy intrusion

8 Purpose Specification - Limitation Art. 6(1) b. 95/46/EC and Art. 5 GDPR: personal information may only be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. A. Purpose specification: the requirement to specify at the moment of collection the purpose of data processing activities. B. Purpose Limitation: the requirement for collected data not to be processed in a way incompatible with the initially specified purposes.

9 Function Creep The use of a technology or system is expanded or changed beyond the purpose for which it was originally intended, often leading to an invasion of privacy. Data gathered for security purposes (+ visualisation) can be used to infer privacy intrusive information concerning the end-user. As a national security tool: surveillance As a commercial tool: commercial profiling, targeted advertising.

10 Specification Specification: Sufficiently defined to enable the implementation of data processing safeguards and to delimit the scope of the processing operation ( e.g. ‘IT security’ vs. ‘network security anomaly detection’) Data must be necessary, adequate or relevant Each seperate purpose should be specified in enough detail to assess whether collection of personal data for this purpose complies with the law, and to establish data protection safeguards. Data collected for one purpose may not always be relevant or necessary for other specified purposes.

11 Purpose Limitation – Compatibility Limitation: compatible v. incompatible further processing (case by case) 1. The distance between purposes. 2. Context of collection and reasonable expectations data subjects. 3. Nature of the data and impact further processing. 4. Safeguards applied by controller. When incompatible, derogation is possible for national security, but only when there is a specific legislative instrument (art. 13 95/46/EC)

12 European Programme for Critical Infrastructure Protection Critical Infrastructure Information can be shared among stakeholders: o Stakeholders (market operators, critical infrastructure operators, Member States) will take appropriate measures to protect information concerning the security of critical infrastructures and protected systems, interdependency studies and CI related vulnerability, threat and risks assessments. o Such information will not be used other than for the purpose of protecting the critical infrastructure

13 The European Data Protection Regulation – Privacy by Default and Design Art. 23 General Data Protection Regulation: 1. Data controllers should ensure by default that only those personal data are processed which are necessary for each specific purpose. 2. Data should not be retained or collected beyond the minimum necessary for the defined purposes. 3. Personal data should not be made accessible to an indefinite number of individuals (e.g. access control).

14 III. Privacy By Design A. Minimise B. Hide C. Separate D. Aggregate E. Inform F. Control G. Enforce H. Demonstrate Enisa ( European Union Agency for Network and Information Security)

15 I. Segregation – Seperation 1. Functional Separation 2. Separation by Design 3. Organisational PbD 4. Access Control

16 II. Data Minimisation A. Data Minimization B. Data Minimummization (Van der Sloot, 2013) o Minimizing data as such may lead to a loss of value and contextuality. o A minimum set of data is gathered, stored and clustered. o The context of the data in the form of metadata is collected along with the original data.

17 Contact: Laurens.Naudts@law.kuleuven.be KU Leuven Centre for IT & IP Law - iMinds Sint-Michielsstraat 6, box 3443 BE-3000 Leuven, Belgium http://www.law.kuleuven.be/citip Thank you for your attention! With the financial support of FP7 – Seventh Framework Programme Grant agreement no: 607093 Grant agreement no: 607093

Download ppt "Threat Prevention and Detection (within Critical Infrastructures) under EU Data Protection Legislation– Purpose Specification and Limitation. Laurens Naudts."

Similar presentations

Public Sector Information & Data Protection: A plea for personal privacy settings for the re-use of PSI Bart van der Sloot Institute for Information Law.

Public Sector Information & Data Protection: A plea for personal privacy settings for the re-use of PSI Bart van der Sloot Institute for Information Law.
PRIVACY ASPECTS OF RE-USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR

PRIVACY ASPECTS OF RE-USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR
Critical Infrastructure Protection Policy Priorities Sara Pinheiro European Commission DG Home Affairs.

Critical Infrastructure Protection Policy Priorities Sara Pinheiro European Commission DG Home Affairs.
DATA PROTECTION and Research University Research Ethics Committee – 30.05.2008 David Cauchi David Cauchi Office of the Commissioner for Data Protection.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi David Cauchi Office of the Commissioner for Data Protection.
Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
BIOMETRICS, CCTV & DATA PROTECTION By Drudeisha Madhub Data Protection Commissioner Date: 09.07.14.

BIOMETRICS, CCTV & DATA PROTECTION By Drudeisha Madhub Data Protection Commissioner Date:
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
Marine Strategy Framework Directive: Goals and Challenges

Marine Strategy Framework Directive: Goals and Challenges
Transposition of Consumer Rights ERGEG Monitoring Report Christina Veigl-Guthann, ERGEG Task Force Chair.

Transposition of Consumer Rights ERGEG Monitoring Report Christina Veigl-Guthann, ERGEG Task Force Chair.
The European Union legal framework for clinical data access: The European Union legal framework for clinical data access: potential challenges and opportunities.

The European Union legal framework for clinical data access: The European Union legal framework for clinical data access: potential challenges and opportunities.
SMART GRID: Privacy Awareness and Training – A Starting Point for Utilities October 2011 SGIP-CSWG Privacy Group 1.

SMART GRID: Privacy Awareness and Training – A Starting Point for Utilities October 2011 SGIP-CSWG Privacy Group 1.
Consumer Protection Working Party Meeting Sponsor.

Consumer Protection Working Party Meeting Sponsor.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.

 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.
MASH Understanding Multi-Agency Safeguarding Hubs 1.

MASH Understanding Multi-Agency Safeguarding Hubs 1.
 Road Safety the European Union Policy Carla Hess European Commission, Directorate General for Mobility & Transport Road.

 Road Safety the European Union Policy Carla Hess European Commission, Directorate General for Mobility & Transport Road.
Space Systems as Critical Infrastructure Iulia-Elena Jivanescu 1st Space Retreat, Tenerife, Spain, 8-22 January, 2013.

Space Systems as Critical Infrastructure Iulia-Elena Jivanescu 1st Space Retreat, Tenerife, Spain, 8-22 January, 2013.
A project implemented by the HTSPE consortium This project is funded by the European Union GLOBAL EUROPE INSTRUMENT FOR STABILITY 2014-2020.

A project implemented by the HTSPE consortium This project is funded by the European Union GLOBAL EUROPE INSTRUMENT FOR STABILITY
|Date 13-05-2011 faculty of law groningen centre of energy law 1 Security of Supply – EU Perspective and Legal Framework First EU-Russia Energy Law Conference,30.

|Date faculty of law groningen centre of energy law 1 Security of Supply – EU Perspective and Legal Framework First EU-Russia Energy Law Conference,30.
Isdefe ISXXXX-090000-1XX 5.10.2010 Your best ally Panel: Future scenarios for European critical infrastructures protection Carlos Martí Sempere. Essen.

Isdefe ISXXXX XX Your best ally Panel: Future scenarios for European critical infrastructures protection Carlos Martí Sempere. Essen.

Similar presentations

Ads by Google