European GDPR laws could harm the US from protecting itself from cyberattacks, says Department of Homeland Security

US Department of Homeland Security Secretary Kirstjen Nielsen warned on 18 April that a European data privacy law taking effect next month may have “unintended consequences” that harm the United States’ ability to protect itself from cyberattacks. [caption id=“attachment_3970271” align=“alignleft” width=“380”]  Representational image.[/caption] The European Union law, called the General Data Protection Regulation (GDPR), is the biggest overhaul of online privacy since the birth of the internet, giving Europeans the right to know what data is stored on them and the right to have it deleted. Online data privacy is important and contextual across borders and different cultures, Nielsen said during a keynote appearance at the RSA cybersecurity conference in San Francisco. But “what we don’t want are the unintended consequences of preventing the research community to be able to give us a heads up on (cyber) threats that are coming our way,” she said. “In other words, through trying to protect a citizen’s privacy we eliminate the ability of many of the vendors and researchers who otherwise have access to data to see the trends in attacks,” Nielsen said. While some US officials have in recent months raised concerns publicly about the European law, Nielsen is the most senior Trump administration official yet to do so. Her remarks suggest that any attempts by the US Congress to legislate comprehensive privacy protections would face hurdles from the Trump administration. Calls for new digital privacy rights in American law have increased after disclosures that the political consultancy Cambridge Analytica obtained data on more than 87 million Facebook users from quizzes that were supposed to be for academic research. Among the Trump administration’s concerns are limitations the law seeks to impose on accessing data about website registrations that can often offer clues for investigators pursuing cybercriminals. The strong limits on what can be done with data on users are a source of concern for security professionals in government, internet companies and outside forensics and investigations providers. As things stand, many European users and others who sign on to online services housed within the region would not be giving companies explicit permission to use their data in probes of fraud or other criminal activity, security experts told Reuters this week. Unless the GDPR is amended, companies and outside investigators will lose access to material that many users have not realized they were giving up. The experts said that they were working on ways to recover access to some of that material, which they declined to detail. The most straightforward would be an explicit declaration when users join what data could be used as evidence against people that harm them or against the users themselves. On 16 April, White House cyber coordinator Rob Joyce on Twitter said that GDPR would “undercut a key tool for identifying malicious domains on the internet.” He added: “Cybercriminals are celebrating GDPR.” Joyce said at a conference last month that US officials were trying to persuade European regulators to allow a carve-out in the law for security researchers to continue collecting data pertinent to data breaches or other cybercrime investigations.