The latest text in the long-running saga of the draft ePrivacy Regulation contains further reassuring indicators for incident response teams that want to share data to help others.
Some good news from the draft ePrivacy Regulation.
Alongside the 1995 Data Protection Directive (DPD) sat the 2002 ePrivacy Directive (ePD), explaining how the DPD should be applied in the specific context of electronic communications.
Most universities maintain databases of alumni, for purposes including keeping them informed about the organisation, offering services and seeking donations. These activities have a lot in common with other charities, so the Information Commissioner's guidance is relevant.
Last October the European Court of Justice confirmed that websites do have a legitimate interest in security that may justify the processing of personal data. That case (Breyer) overruled a German law that said websites could only process personal data for the purpose of delivering the pages requested by users. As far as I know, everywhere else in Europe the use of logs to secure websites is accepted as lawful.
Having had my own concerns that the European Commission's draft e-Privacy Regulation might prevent some activities that are needed by security and incident response teams, it's very reassuring to see the Article 29 Working Party recommending an explicit broadening of the scope of permitted Network and Information Security (NIS) activities.
