Who can protect Network and Information Security? Fixing the Draft ePrivacy Regulation
Over the past decade, European law has increasingly recognised the vital role of network and information security in protecting personal data. Most recently, the Article 29 Working Party recommended that all data controllers and processors should have processes to detect security breaches. Where personal data are held on networked computers, such processes will depend on monitoring logfiles and network traffic. Unfortunately, the European Commission's draft ePrivacy Regulation assumed that this activity is only performed by network operators, raising the possibility that a vital data protection tool will become unlawful for all other organisations. This paper discusses the draft Regulation and amendments proposed by the European Parliament and Council, and suggests how these should be interpreted to still allow online systems and data to be protected.