U.S. official warns of 'unintended consequences' of European data privacy law

By Dustin Volz and Joseph Menn
FILE PHOTO: Department of Homeland Security (DHS) Secretary Kirstjen Nielsen testifies before a House Homeland Security Subcommittee hearing on FY2019 Department of Homeland Security on Capitol Hill in Washington, U.S., April 11, 2018. REUTERS/Yuri Gripas

By Dustin Volz and Joseph Menn

SAN FRANCISCO (Reuters) - U.S. Department of Homeland Security Secretary Kirstjen Nielsen warned on Tuesday that a European data privacy law taking effect next month may have "unintended consequences" that harm the United States' ability to protect itself from cyber attacks.

The European Union law, called the General Data Protection Regulation (GDPR), is the biggest overhaul of online privacy since the birth of the internet, giving Europeans the right to know what data is stored on them and the right to have it deleted.

Online data privacy is important and contextual across borders and different cultures, Nielsen said during a keynote appearance at the RSA cyber security conference in San Francisco.

But "what we don't want are the unintended consequences of preventing the research community to be able to give us a heads up on (cyber) threats that are coming our way," she said.

"In other words, through trying to protect a citizen's privacy we eliminate the ability of many of the vendors and researchers who otherwise have access to data to see the trends in attacks," Nielsen said.

While some U.S. officials have in recent months raised concerns publicly about the European law, Nielsen is the most senior Trump administration official yet to do so.

Her remarks suggest that any attempts by the U.S. Congress to legislate comprehensive privacy protections would face hurdles from the Trump administration.

Calls for new digital privacy rights in American law have increased after disclosures that the political consultancy Cambridge Analytica obtained data on more than 87 million Facebook users from quizzes that were supposed to be for academic research.

Among the Trump administration's concerns are limitations the law seeks to impose on accessing data about website registrations that can often offer clues for investigators pursuing cyber criminals.

The strong limits on what can be done with data on users are a source of concern for security professionals in government, internet companies and outside forensics and investigations providers.

As things stand, many European uses and others who sign on to online services housed within the region would not be giving companies explicit permission to use their data in probes of fraud or other criminal activity, security experts told Reuters this week.

Unless the GDPR is amended, companies and outside investigators will lose access to material that many users have not realized they were giving up.

The experts said that they were working on ways to recover access to some of that material, which they declined to detail. The most straightforward would be an explicit declaration when users join what data could be used as evidence against people that harm them or against the users themselves.

On Monday, White House cyber coordinator Rob Joyce on Twitter said that GDPR would "undercut a key tool for identifying malicious domains on the internet."

He added: "Cyber criminals are celebrating GDPR."

Joyce said at a conference last month that U.S. officials were trying to persuade European regulators to allow a carve out in the law for security researchers to continue collecting data pertinent to data breaches or other cyber crime investigations.

(Reporting by Dustin Volz and Joseph Menn in San Francisco; Editing by Alistair Bell)