Restoring the balance between data protection and data security
By Drew Bagley, VP & Counsel, Privacy & Cyber Policy at CrowdStrike
Data protection and data security are mutually dependent. At least, that is what long-established basic principles of data protection suggest. Nevertheless, the two are often considered in isolation and even set in opposition to each other. This article, written on the occasion of Data Protection Day, shows why this is neither appropriate nor expedient.
Data security has been essential to the adequate protection of personal data, i.e. to data protection, since long before the introduction of the EU General Data Protection Regulation (GDPR). Already in the 1970s, the US Federal Trade Commission (FTC), in establishing its Fair Information Practice Principles (FIPPs), and later in the 1980s the Organization for Economic Cooperation and Development (OECD), in its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, stated that personal data must be protected by appropriate security measures against the risks of loss, unauthorized access, destruction, unauthorized use, alteration and disclosure.
Nevertheless, data protection and data security are often assessed separately from each other and placed in competition with each other. This is due in particular to the fact that the GDPR, on the one hand, requires data security, for example in Art. 5 and Art. 32, but on the other hand does not grant data security sufficient privilege in law. Data processing for the purpose of data security is therefore on an equal footing with all other purposes, for example with regard to the lawfulness of the processing and transfers to third countries. As a result, data processing for the purpose of data security is in part prohibited by law, because no legal basis under Art. 6 para. 1 GDPR exists for it. The legislator's statement in recital 49 of the GDPR that data processing for the purposes of network and information security constitutes a legitimate interest under Art. 6 para. 1 lit. f GDPR does not go far enough in this regard.
This situation has been exacerbated by the case law of the European Court of Justice (ECJ) in the Schrems II case. In that ruling, the ECJ placed the transfer of data to non-EU countries under special conditions. Building on it, the European Data Protection Board, the association of the national data protection supervisory authorities of the EU Member States, has erected new hurdles through its Recommendations 1/2020, which likewise do not differentiate between data transfers for the purpose of data security and transfers for other purposes, and which pose additional challenges.
In times of massively increasing and ever more sophisticated cyber threats (see the CrowdStrike 2021 Global Threat Report), which make SecOps in the form of "24x7 follow the sun" indispensable, this partially prevents data security from being designed according to the state of the art, as recommended by the European Union Agency for Cybersecurity (ENISA) in its State of the Art guide.
In order to restore the balance between data protection and data security and to promote cooperation between data protection and data security officers, CrowdStrike is therefore, on Data Protection Day, setting the improvement of the possibilities for data processing for data security purposes as a goal to be achieved. Guided by Ann Cavoukian's Privacy by Design principle of Full Functionality ‒ Positive Sum, Not Zero Sum, may it pave the way for holistic data protection in accordance with the GDPR to be promoted at a calculable risk, without restricting data security according to the state of the art, so that data protection and data security can be effectively achieved side by side.