IP Subject to Personal Data Regulation
The management of cross-border cyber incidents and conflicts requires extensive and detailed information sharing among governmental agencies and the entities responsible for the often privately owned information infrastructure. The data of interest for the investigation and management of cyber incidents comprises not only details about the course of action and background of the incidents but also real-time reporting on targets and, most importantly, details of the server logs, which make it possible to differentiate the good traffic from the bad, block hostile IP addresses, and trace the origin of the attacks.
The EU legal framework on data privacy is claimed to create obstacles to processing cyber incident data for the purpose of cooperative cyber defence management. This article examines the applicability of the Data Protection Directive to the processing of IP addresses as part of traffic data and offers ways to overcome legal obstacles in exchanging data regarding cyber incidents.
The article concludes that the current interpretation of the Directive by the European Union data protection stakeholders (Article 29 Working Party and Data Protection Supervisor) is contradictory and creates confusion at the national implementation level. The article suggests that a clearer understanding of the purposes and nature of processing IP addresses is needed in order to reach meaningful argumentation as to whether such processing is subject to the Directive or not.