Abstract

This Paper focuses on certain legal responsibilities under European Union (“EU”) law for companies that provide cybersecurity services, by examining the intersection of data protection (privacy), cybersecurity, and artificial intelligence (“AI”). This Paper explores these issues in the context of a hypothetical cybersecurity company known as “ACME Cyber Sentinel” providing services to a hypothetical client named “TechGuard.” In four scenarios, this Paper explores ACME Cyber Sentinel: (1) providing cybersecurity service to TechGuard; (2) gathering and processing data from multiple clients to analyze potential cybersecurity threats; (3) training, evaluating, and deploying AI cybersecurity tools; and (4) using these AI cybersecurity tools to provide the cybersecurity services to TechGuard. Each of these scenarios includes two variations. The first variation examines when the two companies are both based in the EU, with no processing taking place outside the EU; the second variation envisions that ACME Cyber Sentinel is based outside of the EU, so that data flows to a different jurisdiction. This Paper also analyzes legal principles from the EU General Data Protection Regulation (“GDPR”) and EU regulation establishing harmonized rules on AI (“EU AI Act”) in the context of the main purposes for which cybersecurity companies use personal data—to provide cybersecurity services to protect the personal data of the client company and to maintain state-of-the-art cybersecurity services and tools (such as identifying new cybersecurity threats or training the algorithms used in these cybersecurity tools). This Paper concludes with the finding that EU-based businesses can enter into contracts with cybersecurity companies to protect EU data with state-of-the-art cybersecurity services and tools, but it is more difficult to locate a lawful basis for using EU data to identify new cybersecurity threats or to train new machine learning, AI and other cybersecurity tools. 
To conclude, it is clear that further clarification from EU decisionmakers would help define whether and how access to personal data will be lawful for cybersecurity purposes.
