IEEE Technology and Society Magazine - December 2020 - 68

whether the transfer can be made subject to " appropriate safeguards " listed in the GDPR.
Another point to consider is if a third party or cloud
provider performs any part of the scanning/analysis. If
yes, then irrespective of wherever this is done, a written legal agreement must be concluded (according to
Article 28).
It is crucial to remember that according to GDPR Recital 26, data that is masked sufficiently enough to make
the identification of the user impossible will not be subject to data protection mandates. Theoretically speaking,
security solutions permitting the anonymization of personal data should be enough. However, e.g., SIEMs and
forensic tools require being able to pinpoint users every
now and then. In particular, this concerns IP addresses
and user credentials. Those types of data are almost
always essential and serve as " primary keys " on which to
base security analyses. The security administrators must
check whether there is the possibility of masking user
data at a high level for external analysis while leaving
details encrypted locally, so that they can be then
unmasked by authorized security analysts during investigations. Tolbert [24] comments that many security vendors are not able yet to rise to this tough technical
challenge. At any time however, one must remember that
even local processing of data elements like an IP address
is enough to fall under the jurisdiction of GDPR [24].
Over the years, several technical solutions and methods have been introduced that were aimed at mitigating
the harms from processing personal data and the consequences to individual privacy. Some of the most distinguished among these solutions include k-anonymity,
l-diversity, t-loseness, differential privacy, data aggregation, and data obfuscation. However, the GDPR, being
mostly a legal document, provides little if any technical
guidance to the entities that are obliged to implement it.
The lack of specific guidelines results from the EU having made an intentional choice, in order to avoid binding the GDPR to explicit technologies that in turn would
favor particular platforms and solutions. Lawmakers
undoubtedly face a great challenge - they have to
account for future technological progress that may
enable achieving compliance with certain provisions
without the need to re-issue legal frameworks with every
technological advance. In the GDPR, in order to address
this issue, the phrase " with due regard to the state of
art " has been used (Articles 23 and 32) [21].
So instead of proposing specific solutions, the GDPR
encourages the " privacy by design " approach. Its principles favor the concepts of data minimization, purpose
limitation, transparency, and control. Data minimization
and purpose limitation equal limiting the collection of
personal data to the minimum extent that is enough to
obtain their legitimate goals. In addition to this, data

that is no longer used for the purposes for which it was
collected is to be promptly deleted.
In other words, although organizations are given a
broad mandate to make sure the state of the art for
data protection is considered in selection or designing
processes of any services, applications, and products
that may process personal data, GDPR mentions some
specific technological approaches in its text itself, such
as encryption or (the newly-coined legal term) pseudonymization of data. The latter is used to describe data
that, by the use of additional information, could be
attributed to a natural person. Thus, the additional information has to be kept separately, as well as be subject
to technical and organizational measures, in order to
guarantee non-attribution [25]. As [26] has commented
on the choice of suggested technologies: " all suspicious
processes/activities should be blocked automatically.
(...) Virus databases were only capable of detecting
known viruses, but they were unable to detect and fight
against new zero-day malware. [Malware] presented an
enormous threat to personal data.
Therefore, today most of the software solutions
incorporate behavioral characteristics together with keystroke encryption into their technology. (...) GDPR goes
a step further and promotes the encryption of pseudonymizing data. These solutions provide prevention and
protection in two directions: making the data unreadable too the unauthorized use or masking the data to
remove its ability to identify an individual " [26].
Definitely the fact that Internet users have become
increasingly vigilant with their personal data and with
whom they share it has resulted from increased concern
for personal and corporate cybersecurity. Consequently,
online platforms were forced to intensify their efforts to
safeguard the information of their users by providing
secure, private browsing. Global Internet Phenomena
Report claims that according to the research, over 50%
of the Internet traffic nowadays is already encrypted [27].
And as more and more platforms have been turning to
end-to-end encryption, in order to ensure their communications are private, the trend is on the rise. Several factors have contributed to the growth of encrypted traffic.
While the enormous concern that users and companies
have shown seems to be the main factor, legal regulations, GDPR included, have also had great influence. In
fact, GDPR encourages even more encryption of the traffic: it requires it in two cases. First, when it considers that
the data is at high risk of being breached. Second, when
an organization uses personal data for a purpose that differs from that expressed to the users when their data was
requested. Therefore, a lack of encryption can mean that
the company is infringing the GDPR and may face all the
subsequent sanctions. Furthermore, encryption may also
prove useful to companies, because if their data is

IEEE TECHNOLOGY AND SOCIETY MAGAZINE

∕

DECEMBER 2020

IEEE Technology and Society Magazine - December 2020

Table of Contents for the Digital Edition of IEEE Technology and Society Magazine - December 2020