Information sharing 2.0: Privacy and cybersecurity

Event report

[Read more session reports and updates from the 14th Internet Governance Forum]

In the context of the global Internet, there is a need for increased dialogue between technologists, computer emergency response teams (CERTs), policymakers, and lawyers on the matter of sharing information and its importance in privacy and cybersecurity issues. The aim of the session was to share best practices and ideas on legal frameworks developed to build proper interaction between sharing personal information, cybersecurity matters, and individuals rights on regional and domestic levels. 

On one hand, Mr Andrew Cormack (Chief regulatory adviser, Jisc Technologies), pointed out that it is relevant to have a legal framework built from the perspective of privacy, not security. The legislation regarding this topic needs to be clear, and should contain a criteria to justify each case of exemption to personal data protection. The framework should take into account the needs of the incident response teams to acquire information in case of attacks. 

How to help network defenders through proper legislation and to obtain a balance between privacy and other issues? Mr Amit Ashkenazi (Legal Advisor, Israel National Cyber Directorate) highlighted the need for having principles that guide the balance between protecting individuals’ privacy, and the free movement of data. The Recital 49 of the General Data Protection Regulation (GDPR) provides some relevant criteria such as legitimacy, necessity, and proportionality for the purposes of ensuring network and information security.

On the other hand, the discussion addressed the fact that the categories of privacy and security are attributed by cultural contexts and each society’s own values. In this sense, the strategies to evaluate the risk for privacy and intended technical operation needs to be done in co-operation between technologists and legal advisors. The domestic and cross-border legal platforms may be more useful if they provide dynamic principles instead of rigid laws. They should operate by high-level principles and pragmatic solutions to strengthen cybersecurity and mitigate risks. Moreover, making legal standards more accessible contributes to more accountable processes where the technical teams can have a proper understanding on what is legal and what is not.

Lastly, the panel emphasised the importance of building an educational framework to create international co-operation and cross-border confidence and trust for sharing information. Domestic rules should aim to follow a common language and good practices to develop bridges between technical communities and local governments. Diverse interests of actors overlap on the debate about sharing information and data protection. Therefore, the question remains who would be the proper institution at a global level to exercise a case-by-case analysis if a company or a State share personal data of their clients or citizens?

By Paula Szewach