Commercial Open-Source Intelligence in the Age of Data Privacy

The use of publicly available information (PAI) has become indispensable for companies navigating global markets and mitigating risk. Producing open-source intelligence (OSINT) for decision makers, however, raises ethical and legal questions, because much of that information is personal data. This article surveys the data protection landscape and offers practical guidance on using open-source data compliantly.

Data Collection in the Digital Realm 

The digital environment offers data from a wide range of sources: online publications, blogs, forums, social media, darknets, digitized public records, professional and academic publications, traditional media, and grey literature. This abundance supports applications such as risk management, market research, investigative reporting, and crisis response. The challenge is to exploit the data quickly without compromising ethical standards, legal obligations, or organizational reputation.

Navigating Legal Complexities 

As reliance on PAI grows, so does the impact of legislation on how it may be collected and used. A complex legal landscape at both national and international levels calls for a compliance-driven approach to creating OSINT products, guided by regulations such as the EU and UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Organizations must keep pace with evolving requirements on the collection, retention, and processing of personal data.

Data Protection Principles 

The EU GDPR harmonizes data protection law across the EU; since Brexit the UK applies a near-identical text as the UK GDPR. Both strengthen individuals' rights and control over their personal data. The regulation has an extraterritorial reach: it applies to organizations established in the EU (or UK) and also to organizations elsewhere that offer goods or services to, or monitor the behaviour of, individuals located there, regardless of those individuals' citizenship. Compliance requires adherence to seven principles governing the processing of personal data, set out in Article 5.

Most of these principles are neither entirely new nor uniquely European, and compliance with them is a solid foundation for OSINT practitioners both inside Europe and across the globe.

  • Lawfulness, Fairness, and Transparency 

Personal data must always be processed lawfully, fairly and in a transparent manner in relation to the individuals concerned. Establishing the lawful basis for every processing activity should be the starting point of any operation on personal data. The basis can be one of those listed directly in the GDPR (for example, legitimate interests or consent) or can rest on a specific legal obligation, such as regulations governing banking activities or know-your-customer requirements.

Fairness is a broadly defined principle: any processing of personal data must be fair towards the individuals concerned, which in practice means not using data in ways they would find unexpected, misleading, or detrimental. Beyond formal compliance, ethical considerations must guide OSINT practice, addressing the potential for misuse and ensuring transparency, especially towards social media users, whose posts are often collected without their awareness. Platforms provide some protective measures, but the collecting organization still bears responsibility for being transparent.

Finally, there is the particularly important transparency principle. Individuals should be given relevant and adequate information about the processing of their personal data in a concise, easily accessible and understandable manner, for instance through a published privacy notice that explains what open-source data is collected and why.

  • Purpose Limitation 

A clear definition of the purposes for which data is collected is crucial. This includes conducting data protection risk assessments that weigh individuals' privacy rights against the intended use, particularly for the special categories of data protected under Article 9, such as an individual's racial or ethnic origin, religion, health, or political opinions. Further processing is permitted only for purposes compatible with the purpose for which the personal data was originally collected, and in line with individuals' reasonable expectations.

  • Data Minimization (and Small Data Approach) 

The principle of data minimization, which complements purpose limitation, requires that personal data be adequate, relevant and limited to what is necessary for the purposes for which it is processed. Collection should therefore be restricted to the minimum needed for the intended processing activities. Data minimization supports data protection by design and by default, helps ensure the integrity and confidentiality of personal data (less data means a smaller breach surface), and makes it easier to keep the data accurate and up to date (see the principle of accuracy). Contrary to the notion that more data yields better investigations, a "small data" approach aligns better with data protection principles: precise collection of essential information, gathered for specific purposes and used compliantly, produces outcomes that are both more efficient and lawful.

  • Accuracy 

Personal data must be accurate and, where necessary, kept up to date; inaccurate data must be erased or rectified without delay. For OSINT products this means verifying sources, recording the provenance and date of collection for each item, and not presenting unconfirmed or outdated open-source material as established fact. Attention to accuracy also plays a great role in ensuring that reliable insights and value can be derived from the end product.

  • Storage Limitation 

Personal data must not be kept longer than is necessary for the purposes for which it was collected. Defining the appropriate retention period should be done diligently, with the general approach of deleting personal data as soon as it ceases to be necessary. Appropriate technical and organizational measures for enforcing retention periods (scheduled deletion, review dates on case files) should be implemented across all processing operations and documented in the corresponding records of processing activities.

  • Integrity and Confidentiality 

Personal data must be protected against unauthorized or unlawful processing and against accidental loss, destruction or damage. Adopting appropriate technical and organizational measures (security measures) satisfies this principle and is underpinned by the principle of accountability: documenting these measures is essential for demonstrating compliance. The measures should cover not only cybersecurity (firewalls, encryption, access control, etc.) but also physical and organizational safeguards (CCTV surveillance, fire protection, security awareness training, etc.).

  • Accountability (A Key Principle) 

The principle of accountability was made explicit for the first time in the GDPR. Its key element is the obligation to be able to demonstrate compliance with the other principles: maintaining appropriate security measures, providing concise and accessible information to individuals, implementing a clear data retention policy, following relevant codes of conduct or certification schemes, and operating data breach detection and notification procedures. All of these are essential for compliance with the accountability principle, and therefore with the General Data Protection Regulation itself. Accountability is critical in the creation of open-source intelligence products. Clear policies, procedures, and training in privacy practices are necessary, supported by a data protection officer (mandatory for some organizations and good practice for others) who collaborates with legal experts. Staying up to date with legal developments and with court and regulator interpretations of data protection legislation is crucial for effective application.

Considering Other Privacy Laws 

While the GDPR sets the benchmark in Europe, the international flow of personal data makes it necessary to consider other frameworks as well, such as the CCPA, Singapore's Personal Data Protection Act (PDPA), and Brazil's General Data Protection Law (LGPD). A short article cannot cover comprehensive compliance strategies for every jurisdiction, and each law has its own particularities (for instance, restrictions on legitimate interest as a basis for processing), but the general themes described above recur across them.

Conclusion 

The modern influx of information presents both opportunities and challenges for the use of OSINT, pressing organizations to balance staying informed with respecting privacy rights. The complex legal terrain of data protection makes it essential to adopt best practices early and to apply the data protection principles consistently. As personal data becomes akin to a new currency, navigating this data-intensive landscape with robust protection is crucial, not least to avoid the steep financial penalties that non-compliance can bring.



About the Author 

Wojciech Nazarek is a legal professional with 15 years of experience in data protection and privacy. Wojciech currently works as a General Counsel and Data Protection Officer at Tadaweb. Prior to joining Tadaweb, Wojciech worked as a legal counsel at a global social media listening company and a DPO at a multinational corporation. 
