Legal Issues in Reconciling Data Protection, AI, and Cybersecurity under EU Law

Iain Nash, Peter Swire, Debrae Kennedy-Mayo, Annie Anton

Research output: Contribution to journal › Article (journal) › peer-review

Abstract

This Paper focuses on certain legal responsibilities under European Union (“EU”) law for companies that provide cybersecurity services, by examining the intersection of data protection (privacy), cybersecurity, and artificial intelligence (“AI”). This Paper explores these issues in the context of a hypothetical cybersecurity company known as “ACME Cyber Sentinel” providing services to a hypothetical client named “TechGuard.” In four scenarios, this Paper explores ACME Cyber Sentinel: (1) providing cybersecurity services to TechGuard; (2) gathering and processing data from multiple clients to analyze potential cybersecurity threats; (3) training, evaluating, and deploying AI cybersecurity tools; and (4) using these AI cybersecurity tools to provide the cybersecurity services to TechGuard. Each of these scenarios includes two variations. The first variation examines when the two companies are both based in the EU, with no processing taking place outside the EU; the second variation envisions that ACME Cyber Sentinel is based outside of the EU, so that data flows to a different jurisdiction. This Paper also analyzes legal principles from the EU General Data Protection Regulation (“GDPR”) and the EU regulation establishing harmonized rules on AI (“EU AI Act”) in the context of the main purposes for which cybersecurity companies use personal data: to provide cybersecurity services to protect the personal data of the client company, and to maintain state-of-the-art cybersecurity services and tools (such as identifying new cybersecurity threats or training the algorithms used in these cybersecurity tools). This Paper concludes with the finding that EU-based businesses can enter into contracts with cybersecurity companies to protect EU data with state-of-the-art cybersecurity services and tools, but it is more difficult to locate a lawful basis for using EU data to identify new cybersecurity threats or to train new machine learning, AI, and other cybersecurity tools. To conclude, it is clear that further clarification from EU decision-makers would help define whether and how access to personal data will be lawful for cybersecurity purposes.
Original language: English
Pages (from-to): 871
Number of pages: 939
Journal: Missouri Law Review
Volume: 89
Issue number: 3
Early online date: 5 Nov 2024
Publication status: Published - 5 Nov 2024

Keywords

  • AI
  • Cybersecurity
  • GDPR
  • EU Law
