Searching for the appropriate legal basis for personal data processing for cybersecurity purposes under the NIS 2 Directive: Legal obligation and/or legitimate interest?

IF 3.3 3区社会学 Q1 LAW

Computer Law & Security Review Pub Date : 2024-12-19 DOI:10.1016/j.clsr.2024.106098

Eyup Kun

{"title":"Searching for the appropriate legal basis for personal data processing for cybersecurity purposes under the NIS 2 Directive: Legal obligation and/or legitimate interest?","authors":"Eyup Kun","doi":"10.1016/j.clsr.2024.106098","DOIUrl":null,"url":null,"abstract":"<div><div>This paper provides a thorough examination of the most appropriate legal basis under the General Data Protection Regulation (GDPR) for personal data processing by essential and important entities while taking cybersecurity risk management measures as stipulated by the NIS 2 Directive such as using insider-threat detection technologies.</div><div>It examines the feasibility of consent, legal obligation, public interest, and legitimate interest under Article 6 of the GDPR as possible legal grounds for data processing. It argues that consent under Article 6(1)(a) of and public interest under Article 6(1)(e) of the GDPR are not the most appropriate ones. Given the limits of consent and public interest as possible legal grounds, the focus of the analysis turns to legal obligation and legitimate interest as more appropriate legal grounds for processing personal data for cybersecurity risk management measures by essential and important entities. It assesses the appropriateness of those two bases for the processing of non-special categories of personal data, special categories of personal data and solely automated decision-making respectively.</div><div>It argues that legal obligation under Article 6(1)(c) of the GDPR as a legal basis for cybersecurity is a missed opportunity under the NIS 2 Directive. The NIS 2 Directive does not meet the standards for establishing a legal obligation as a legal basis for personal data processing although it acknowledges the necessity of such processing. This argument is based on that it fails to clearly define the scope of personal data processing. This failure not only challenges the implementation of the Directive but also poses risks to private and family life (Article 7) and the right to data protection (Article 8) of the Charter of Fundamental Rights of the European Union.</div></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"56 ","pages":"Article 106098"},"PeriodicalIF":3.3000,"publicationDate":"2024-12-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Law & Security Review","FirstCategoryId":"90","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0267364924001638","RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"LAW","Score":null,"Total":0}

引用次数: 0

Abstract

This paper provides a thorough examination of the most appropriate legal basis under the General Data Protection Regulation (GDPR) for personal data processing by essential and important entities while taking cybersecurity risk management measures as stipulated by the NIS 2 Directive such as using insider-threat detection technologies.

It examines the feasibility of consent, legal obligation, public interest, and legitimate interest under Article 6 of the GDPR as possible legal grounds for data processing. It argues that consent under Article 6(1)(a) of and public interest under Article 6(1)(e) of the GDPR are not the most appropriate ones. Given the limits of consent and public interest as possible legal grounds, the focus of the analysis turns to legal obligation and legitimate interest as more appropriate legal grounds for processing personal data for cybersecurity risk management measures by essential and important entities. It assesses the appropriateness of those two bases for the processing of non-special categories of personal data, special categories of personal data and solely automated decision-making respectively.

It argues that legal obligation under Article 6(1)(c) of the GDPR as a legal basis for cybersecurity is a missed opportunity under the NIS 2 Directive. The NIS 2 Directive does not meet the standards for establishing a legal obligation as a legal basis for personal data processing although it acknowledges the necessity of such processing. This argument is based on that it fails to clearly define the scope of personal data processing. This failure not only challenges the implementation of the Directive but also poses risks to private and family life (Article 7) and the right to data protection (Article 8) of the Charter of Fundamental Rights of the European Union.

查看原文本刊更多论文

求助全文

约1分钟内获得全文求助全文

来源期刊

Computer Law & Security Review LAW-

CiteScore

5.60

自引率

10.30%

发文量

审稿时长

67 days

期刊介绍： CLSR publishes refereed academic and practitioner papers on topics such as Web 2.0, IT security, Identity management, ID cards, RFID, interference with privacy, Internet law, telecoms regulation, online broadcasting, intellectual property, software law, e-commerce, outsourcing, data protection, EU policy, freedom of information, computer security and many other topics. In addition it provides a regular update on European Union developments, national news from more than 20 jurisdictions in both Europe and the Pacific Rim. It is looking for papers within the subject area that display good quality legal analysis and new lines of legal thought or policy development that go beyond mere description of the subject area, however accurate that may be.