How is OSINT affected by GDPR?
GDPR is short for General Data Protection Regulation. It’s an EU regulation to enhance individuals' control and rights over their personal data. It was also created to simplify the regulatory environment for international business.
GDPR regulates the way in which organizations may collect, use, process, and store personal data (any information relating to an identified or identifiable living person). It applies to organizations established in the EU, and also to organizations outside the EU that offer goods or services to people in the EU or monitor the behaviour of people in the EU. Note that it protects data subjects who are in the EU, regardless of their citizenship. GDPR also regulates the transfer of personal data outside the EU and EEA. For law enforcement, there are different rules.
The GDPR might be an EU regulation, but it is part of a worldwide trend: many other countries have adopted similar laws (the UK, Japan, Brazil, Turkey, and others).
If your OSINT investigation involves personal data of someone in the EU, you will probably have to take the GDPR into account. As the GDPR is extensive, we only discuss the parts that you will deal with as an OSINT investigator.
The key GDPR principles relevant to businesses using OSINT are discussed below, starting with the most basic question: does the GDPR apply to you at all?
Yes, it probably does. The GDPR applies to any enterprise that processes the personal data of individuals who are inside the EEA. The location of the enterprise and your subjects' citizenship do not matter; what matters is that the subject is in the EEA.
What if you are based in the US? It depends. Instead of an all-encompassing data protection law like the GDPR, the US has a myriad of federal and state laws and regulations. Federal data protection laws address specific industries and sectors, like financial services and healthcare, or focus on particular types of data. Lately, more and more states have started developing and enacting privacy bills, including California, New York, Nevada, Oregon, Texas, and Washington. So depending on the state you are located in, there is a good chance you will have to deal with regulations similar to the GDPR.
Are there exemptions? It depends. If you are researching personal data purely for personal or household use, or performing OSINT for journalistic purposes, you are largely exempt under the GDPR (the journalistic exemption is implemented through national law and varies by member state).
If you perform targeted OSINT investigations aimed at individuals and you are not a journalist, you need a lawful basis for the processing. The most straightforward basis is the person's consent. Consent must be freely given, specific, informed, and unambiguous, and indicated by a clear affirmative action. For example, for a personal risk assessment investigation ("what can be found about my client on the internet"), the client can sign a standard form stating that they consent to the investigation, what will be searched, and what will be done with the results.
You are allowed to collect personal data only for specified, explicit, and legitimate purposes (purpose limitation). Under GDPR, you must never handle more data than you need to answer your investigative question (data minimisation). The data you handle must be processed lawfully, fairly, and transparently, and be collected only for purposes relevant to the investigation.
Personal data of the subject must be stored for no longer than is necessary for the investigation (storage limitation), so define a retention period and delete the research data when it expires. You must also protect the personal data against unauthorized or unlawful processing and against accidental loss or destruction. Make sure you implement appropriate technical and organizational measures to control access to your research data. Simple measures like full-disk encryption, antivirus software, strong unique passwords, and restricting who can open the case files are a good start.
Under GDPR, the subject of your investigation has rights, including the right to be informed that their data is being processed, the right of access to the data you hold about them, and the rights to rectification, erasure, restriction of processing, and objection. You must be prepared to handle such requests.
Businesses must conduct a Data Protection Impact Assessment (DPIA) if a processing activity is likely to result in a high risk to the rights and freedoms of individuals; systematic, large-scale profiling of individuals from public sources can fall into this category. The DPIA is intended to identify and minimize risk to individuals' personal data, and it considers both the likelihood and the severity of the impact.
Businesses must report personal data breaches to the national supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the breach is likely to result in a high risk to individuals, the affected individuals must be informed as well.
GDPR defines the data controller as the party that determines the purposes and means of the processing of personal data. The data processor is a party that processes personal data on behalf of a controller, following the controller's instructions.
So, if your client exercises full control over the investigation and the resulting information, you are the data processor.
If you decide the purposes or means of the investigation yourself (what to look for, where, and what happens with the resulting information), you are a data controller, possibly jointly with your client.
If you have an employment contract with your client, you are neither a data controller nor a data processor: you act under the authority of your employer, who is the controller.
Social media intelligence (SOCMINT) uses both public and private information, which means it is often subject to stricter rules and regulation. On social media, data is only considered publicly available (OSINT) where it is accessible not just to a person's contacts but to everyone: either without logging in to the platform, or to a user who is logged in but is not a contact of the data subject (for example, not their "friend" on Facebook). Attempts to access private social media data must comply with the privacy-law principles of legality, necessity, and proportionality; otherwise, they may breach the rights of the data subject.
Summarizing the GDPR, the aspects relevant for OSINT work are: check whether the GDPR (or a similar national law) applies to you; have a lawful basis for the investigation, such as the subject's consent; collect only what you need for a specified purpose; keep the data no longer than necessary and secure it properly; be ready to honour the subject's rights; conduct a DPIA for high-risk processing; report breaches within 72 hours; know whether you are a controller or a processor; and apply stricter care when dealing with non-public social media data.