OSINT and GDPR

How is OSINT affected by GDPR?

What is GDPR?

GDPR is short for General Data Protection Regulation. It’s an EU regulation to enhance individuals' control and rights over their personal data. It was also created to simplify the regulatory environment for international business.

GDPR regulates the way in which organizations can use, process, and store personal data (information about an identifiable, living person). It applies to all enterprises within the EU, including those supplying goods or services to the EU or monitoring EU citizens. GDPR also deals with the transfer of personal data outside the EU and EEA areas. For law enforcement, there are different rules.

The GDPR might be an EU regulation, but it is part of a worldwide trend: many other countries have adopted similar law across the world (UK, Japan, Brazil, Turkey, and others).

GDPR and OSINT

If your OSINT investigation involves personal data of an EU citizen, you’ll probably have to take the GDPR into account. As the GDPR is pretty extensive, we will only discuss the parts that you’ll deal with as an OSINT investigator.

The key GDPR principles relevant to businesses using OSINT are:

  • You must understand when you are the data controller or data processor
  • You must have a legal basis for processing personal data
  • You must apply certain principles in the processing of personal data
  • You must understand and respect specific privacy and data protection rights held by data subjects

My research is on EU based people. Am I affected by GDPR?

Yes, you probably are. The GDPR applies to any enterprise that is processing the personal information of individuals inside the EEA. The location of the enterprise and your subjects' citizenship or residence do not matter.

My research is on US based people. Am I affected by GDPR?

It depends. Instead of an all-encompassing data protection law like the GDPR, the US has a myriad of federal and state laws and regulations. Federal data protection laws address specific industries and sectors, like financial services and healthcare, or focus on particular types of data. Lately, a more and more have started developing and enacting privacy bills.. This includes California, New York, Nevada, Oregon, Texas, and Washington. So depending on the state you are located in, there’s a chance you’ll have to deal with regulations similar to the GDPR.

How does GDPR affect OSINT research on individuals?

It depends. If you are researching personal data for household use and/or performing OSINT for journalistic purposes, you are for the most part exempted under the GDPR.

If you perform targeted OSINT investigations aimed at individuals, and you not a journalist, you will need a persons' consent. This consent must be freely given, clear, specific, unambiguous, and indicated by a positive affirmative action. For example, for a personal risk assessment investigation (“what can be found about my client on the internet”), the client can sign a standard form that states he gives consent to the investigation.

Your allowed to collect personal data for only specified, explicit, and legitimate purposes. Under GDPR, you must never never handle more data than you need to answer your investigative question. The data you handle must be processed lawfully and fairly, and be collected only for relevant purposes.

Personal data of the subject must be stored for no longer than is necessary. You must also protect the personal data from unauthorized or unlawful processing, and against accidental loss or destruction. Make sure you implement the technical and organizational measures to protect access to your research data. Simple measures like disk encryption, anti virus software and complex passwords can be helpful here.

Rights of individuals under the GDPR

Under GDPR, the subject of your investigation has rights:

  • Right to be informed of how your data is being processed
  • Right to access this data
  • Right to rectify incorrect data
  • Right to erase data
  • Right to restrict processing of personal data
  • Right to data portability – this means that as a researcher you must have in place a system that allows you to quickly and easily compile all the personal data you hold on an individual and make it securely accessible to them
  • Right to object to your data being processed
  • Rights relating to automated decision making, including processing

Data protection

Businesses must conduct a Data Protection Impact Assessment (DPIA) if a processing activity is likely to result in a high risk to individuals. This is intended to identify and minimize risk to individuals' personal data. The risk assessment considers both the likelihood and severity of impact of the risk.

Businesses must report data breaches to national supervisory authorities within 72 hours if they have an adverse effect on user privacy.

Are you a data controller?

GDPR defines the data controller as someone who determines the purposes and means of the processing of the personal data. The data ‘processor’ is someone processes personal data on behalf of a controller.

So, if your client exercises full control over the investigation and the resulting information, you are the data processor.

If you have any control over the investigation, or the resulting information, you are a data controller.

If you are have an employment contract with you client, you are neither a data controller nor a data processor.

Social Media and GDPR

Social Media intelligence uses both public and private information, which means it is often subject to stricter rules and regulation. On social media, data is only considered to be publicly available (OSINT) where it is accessible not only to a person’s contacts but to everyone without logging in to the platform, or where a person is logged in but is not a contact of the data subject (for example, not their ‘friend’ on Facebook). Attempts to access private social media intelligence must comply with the privacy law principles of legality, necessity and proportionality, otherwise, they may be in breach of the rights of the data subject.

Conclusion

Summarizing the GDPR, the aspects relevant for OSINT work are:

  • The GDPR only applies to subjects in the EU or researchers processing data in the EU. But similar laws apply in other parts of the world.
  • You need a legal basis for processing personal data.
  • You need to apply GDPR principles in the processing of personal data. For example, have a process in place for deleting personal data after an investigation is over.
  • The data subject of whom you process personal data has specific rights you need to understand, anticipate and honor.
  • Understand if you are the data controller or the data processor.