Greater Legal Certainty for Cybersecurity Research

Amendment Proposal for the General Data Protection Regulation (GDPR): ATHENE Position Paper Calls for Data Protection Preventive Assessment

26.02.2024. Cybersecurity researchers are frequently unable to comply with data protection statutes because they cannot know in advance whether they will process personal data in the course of their research, in what way, or how much. Three data protection experts from the National Research Center for Applied Cybersecurity ATHENE have therefore formulated a proposed amendment to the GDPR. Their objective is the legally binding introduction of the so-called “data protection preventive assessment”, which takes unplanned data access into account. The position paper in which they explain their approach can be downloaded free of charge at https://www.athene-center.de/en/news/news/datenschutz-vorsorge.

Cybersecurity researchers make the world a more secure place. They develop security software for members of the public and for companies, and they examine existing IT systems and report any vulnerabilities they find to those responsible, so that the security loopholes can be closed. Cybersecurity research thus contributes significantly to a secure digital society. However, this research faces a major data protection challenge: European data protection legislation only provides for predictable, and therefore plannable, processing of personal data. In practice, cybersecurity researchers often come across personal data by chance in the course of their research, e.g. on the dark web, or gain access to such data unintentionally and without planning by other means. They therefore cannot predict whether they will encounter personal data during their work, in what way, or how much, and so find themselves in a data protection dilemma whenever such unintended, unplanned access occurs. Applying data protection law only after access to the data has been gained is neither provided for in European data protection law nor does it seem sensible for the protection of the rights and freedoms of data subjects. As a result, the critical work of cybersecurity researchers is impeded by the fear of penalties.

New legal instrument “data protection preventive assessment”

To address this dilemma, often faced by scientists at universities, colleges, research institutes and companies, ATHENE data protection experts Annika Selzer, Sarah Stummer, and Alina Boll have drawn up a proposal to amend the GDPR, in which a new instrument of data protection law is proposed: the data protection preventive assessment. The idea behind the new instrument is to make assumptions prior to a cybersecurity research project as to what kind of personal data processing is probable during the planned research work (e.g. due to the technology used in the research work or other restrictive circumstances). Based on these assumptions, core aspects of data protection law could be implemented appropriately in advance. Improbable data processing, on the other hand, could be disregarded without violating applicable data protection law.

If this instrument were to become part of the current European data protection legislation, as proposed in the position paper, cybersecurity research would emerge from the gray area of data protection law without unduly restricting the rights and freedoms of data subjects.

"Only by rethinking data protection law […] it can ultimately be ensured that (relevant) scientific research is conducted in a legally secure manner and that our society can benefit from the advantages of this research in the long term", Annika Selzer and her colleagues state in their position paper.

About the authors

Dr. Annika Selzer, Sarah Stummer, LL.M., and Dipl. jur. Alina Boll compiled the proposed amendment to the GDPR in light of the second evaluation of the General Data Protection Regulation and published it in a position paper on https://www.athene-center.de/en/news/news/datenschutz-vorsorge.

Annika Selzer is head of the research department "IT Law and Interdisciplinary Privacy Research" at the Fraunhofer Institute for Secure Information Technology SIT. Sarah Stummer and Alina Boll work in the same department as legal scholars. Annika Selzer is co-coordinator of the research area "Legal Aspects of Privacy and IT-Security" at the National Research Center for Applied Cybersecurity ATHENE. The National Research Center for Applied Cybersecurity ATHENE is the largest research center for cybersecurity and privacy in Europe. ATHENE is a research center of the Fraunhofer-Gesellschaft with its two institutes SIT and IGD and with the involvement of the universities TU Darmstadt, Goethe University Frankfurt and Darmstadt University of Applied Sciences.