Peter Swire was the guest on an episode of Studio 471, the cybersecurity interview series, where he discussed with Jeremy Kirk (Executive Editor, Cyber Threat Intelligence, Intel471) the impact of new data localization laws on cybersecurity.
Episode Highlights:
[00:57] – The rationale behind new data localization laws
[02:00] – The impact of EU data protection law restrictions on cybersecurity
[04:15] – Cybersecurity as a legitimate reason to process personal data under EU law
[05:10] – The impact of data localization rules on the MITRE ATT&CK framework: threat hunting, escalation prevention, and pen testing
[10:10] – The impact of data localization rules on the use of machine learning or AI-powered systems to detect cybersecurity threats
[12:30] – The proliferation of new data localization laws around the world
[14:37] – What cybersecurity companies should do in view of the legal uncertainty surrounding data localization
[16:33] – On the increasing complexity of data localization laws
[18:56] – On the limits of personal data processing for cybersecurity purposes
Quotes:
“Countries are trying to write laws that help their local providers keep the data inside the country. France has some laws that try to say that only local cloud providers can do things, and partly that’s to help promote the local cloud providers and fight against the big international hyperscalers.”
“This is not just a Europe thing: Pakistan has its own data localization; dozens of countries have taken data localization. Even the U.S. has started to put limits on some data going to China, and China has very strict limits on cybersecurity information going from China to other places.”
“If you stop the cybersecurity defender from using the data, that is likely to undermine cybersecurity, and if it’s done in the name of privacy and data protection, you should be especially worried to make sure those rules are not getting in the way of protecting the data.”
“Countries are coming up with a lot of reasons to limit data flows.”
“Cutting access to the best cybersecurity services weakens the whole system, and that’s something to be concerned about.”
“You shouldn’t use cybersecurity for other purposes (such as advertising or surveillance) – you should only use it where it’s necessary and proportionate.”
In this episode, Swire gives useful insights into what drives lawmakers to impose new data localization restrictions and how these new rules could end up harming the very cybersecurity programs designed to secure data in the first place. Swire reports that important data localization rules are being proposed in Europe (e.g., in France), where a strict privacy and data protection framework (the GDPR) already exists. He sheds light on how EU data protection law regulates the processing of individuals’ personal data (such as IP addresses) and on the conditions under which personal data can be transferred abroad (e.g., to the U.S.). While cybersecurity reasons can, in some cases, justify the processing of personal data under EU law, Swire explains that they may not always permit transfers of personal data outside the EU, which require separate security safeguards to be implemented so that data transferred abroad still benefits from an appropriate level of protection. Swire highlights that transfer restrictions under EU law can already limit the range of essential cybersecurity measures companies implement (such as threat hunting or pen testing), and that new data localization rules could complicate cybersecurity even further (e.g., in the context of spear phishing that escalates across borders).
Kirk also questions Swire on the impact of new data localization restrictions on the use of machine learning and other types of AI-powered systems to detect global cybersecurity threats. Swire confirms that these new rules could also limit the scope of research into malicious actors.
In the last part of the episode, Swire underlines the importance of the role played by regulators in balancing the interests at stake in data localization. Swire illustrates this with an example from Portugal, where a privacy and data protection regulator prohibited a company hired to provide cybersecurity services from sharing IP addresses with its headquarters in the U.S. Kirk wraps up the interview by asking Swire whether cybersecurity companies should avoid sharing data abroad in view of the legal uncertainty surrounding data localization. Swire concludes that while it is difficult to say what cybersecurity companies should do, it is worth noting that expertise sometimes lies abroad and that data localization restrictions could prevent companies from accessing the best support they need.
* * *
These statements are attributable only to the authors, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.