Searching for the appropriate legal basis for personal data processing for cybersecurity purposes under the NIS 2 Directive: Legal obligation and/or legitimate interest?

Abstract

This paper provides a thorough examination of the most appropriate legal basis under the General Data Protection Regulation (GDPR) for personal data processing by essential and important entities while taking cybersecurity risk management measures as stipulated by the NIS 2 Directive such as using insider-threat detection technologies. It examines the feasibility of consent, legal obligation, public interest, and legitimate interest under Article 6 of the GDPR as possible legal grounds for data processing. It argues that consent under Article 6(1)(a) of and public interest under Article 6(1)(e) of the GDPR are not the most appropriate ones. Given the limits of consent and public interest as possible legal grounds, the focus of the analysis turns to legal obligation and legitimate interest as more appropriate legal grounds for processing personal data for cybersecurity risk management measures by essential and important entities. It assesses the appropriateness of those two bases for the processing of nonspecial categories of personal data, special categories of personal data and solely automated decision-making respectively. It argues that legal obligation under Article 6(1)(c) of the GDPR as a legal basis for cybersecurity is a missed opportunity under the NIS 2 Directive. The NIS 2 Directive does not meet the standards for establishing a legal obligation as a legal basis for personal data processing although it acknowledges the necessity of such processing. This argument is based on that it fails to clearly define the scope of personal data processing. This failure not only challenges the implementation of the Directive but also poses risks to private and family life (Article 7) and the right to data protection (Article 8) of the Charter of Fundamental Rights of the European Union.