GDPR essentials for OSINT research

Two years ago I co-authored a blogpost with MwOsint on how the GDPR affects OSINT work. This post is an updated version of that original blog with some mistakes corrected, and a bit more focus on a GDPR proof OSINT research methodology.

In almost all OSINT activities, personal data are processed (e.g., collected, stored, analysed, reproduced) such as names, DoBs, addresses, user names, phone numbers, IP addresses, pictures etc. Data protection legislation introduced in the European Union in May 2018, the General Data Protection Regulation (GDPR) regulates the processing of personal data. And even though OSINT researchers by definition collect their data from publicly available sources, they still should comply with the GDPR where applicable. And the GDPR is applicable to OSINT research if the researcher is a) located in the EU, or b) processes personal data related to EU citizens.

I will discuss the essential elements of the GDPR relevant for OSINT researchers. I will not look at the exceptions such as processing personal data for household use or for journalistic purposes which are for the most part exempted under the GDPR. Of course, the devil is in the details with respect to whether these exemptions really apply so make sure you understand these details if you feel you work is exempted under the GDPR. I will also not look at data protection aspects of OSINT for law enforcement use, as that falls under a different and specific law enforcement data protection framework.

Hence, the discussion below aims at OSINT in a private or commercial setting, where the researcher is dealing with matters such as corporate investigations, corporate intelligence, background investigations, asset-tracing, third party assessments and pre-employment screenings.

Please keep in mind that only the GDPR aspects will be discussed which are most relevant for OSINT work. The GDPR is an extensive regulation with numerous aspects which also can differ in their implementation between EU countries. As such it is impossible to comprehensively cover the application of the GDPR to OSINT research in a single blog post. And the obligatory disclaimer: while I have obtained my CIPP/E credential, I’m not a lawyer so if you are in need of legal advice, consult your friendly lawyer and don’t rely on this blogpost.

That all being said, I will discuss the following five key GDPR aspects for OSINT researchers:

  • Be accountable;
  • Make sure to have a legal basis for processing personal data;
  • Apply the key principles in the processing of personal data;
  • Understand, anticipate and honour the rights of the data subject;
  • Understand if you are the data controller or the data processor.

Be accountable

Often the requirement of accountability is mentioned as one of the last subjects when the GDPR is discussed. However, accountability is at the heart of the GDPR obligations. Anyone processing personal data and subject to the GDPR, should not just comply with the GDPR but also be able to demonstrate afterwards that they did. The GDPR has shifted the burden of proof to those processing personal data, so you need to document, document and document!

Of course, documenting your work is likely already an essential element in your OSINT methodology so integrating GDPR compliance in your existing methodology probably takes less effort than you may fear. In any case, make sure that for each of the matters as discussed below you can demonstrate how you complied with the GDPR.  Be able to answer questions like: ‘What legal basis did you rely on and why?’, ‘What data collection methods did you use and how are these proportionate to the task?’, ‘How did you honour the rights of the data subject?’, ‘How and how long did/do you store the collected personal data and why?’.

An efficient solution to aid documenting on how you comply with the GDPR can be to draft a research protocol in which you describe how you process personal data and how you apply the GDPR principles to your work. In any assignment, or when you get questions from the Data Protection Authority (DPA), you can refer to that protocol. Of course, your actual case notes should reflect that you indeed followed your research protocol.

Legal basis

Data protection regulation was never meant to render the processing of personal data impossible. Instead, it is meant to balance the need for data exchange in our society on the one hand with the fundamental right of privacy of citizens on the other. Privacy is an important right; however, it is not an absolute right. For example, individuals suspected of fraud cannot block an investigation into their person and actions by claiming that an investigation would infringe on their privacy.

The GDPR balances the right to privacy with (other) rights of other individuals. At the core the GDPR restricts the processing of personal data to situations where at least one of six legal bases for processing of personal data is present (Article 6.1). Two (or three) of these legal bases are potentially relevant for OSINT work: consent (Article 6.1.a), legal obligation (Article 6.1.c) and legitimate interest (Article 6.1.f). We will discuss these three in detail.

Consent

I hardly ever rely on consent as a legal basis for (OSINT) investigations as it is a very tricky legal basis. Article 7 of the GDPR sums up the conditions for consent, one of which is that the data subject should have free choice when giving consent. However, real free choice is scarse in this context. For example, free choice in an employer/employee relationship is unlikely. An employee can not reasonably refuse to give consent for a mid-employment screening as refusing could have consequences for his/her employment. So even though a client may provide you with a signed consent form of their employee, you may want to think twice using that as your (sole) legal basis for OSINt research.

Also, consent can – according to the GDPR – be withdrawn at any time. If a data subject withdraws his or her consent halfway into an investigation, what then? Yes, you had a legal basis for collecting the data to that point. But you can’t process the data any further.  

Due to this ambiguous legal nature of consent under the GDPR, I believe that for (OSINT) investigations the use of consent should be avoided whenever possible. The risk that the data subject could afterwards argue that he or she had no choice than to give consent because of the consequences, is simply too large. Therefore, even if your data subject is aware of the investigation and has given consent – which we often see in pre- or mid-employment screening – make sure there is an additional legal basis for your research, such as legitimate interest.

Legal Obligation

The second legal basis for processing personal data that may be relevant for OSINT research, is legal obligation. This could be the case when for example your client has the legal obligation to identify their customers and the source of their funds under Anti Money Laundering (AML) regulations. Especially if you are instructed by a (regulated) financial institution, this may likely be the overall legal basis for your OSINT research. In fact this is a rather straightforward legal basis.

Legitimate interest

The third, and most used, legal basis for processing personal data for OSINT research is a legitimate interest of your client. It means that (usually) your client has a legitimate interest to collect data in order to pursue its rights. For example, if a company has found that money has been stolen, it a has a legitimate interest to investigate the incident or have it investigated, including the processing or personal data of individuals possibly involved in the disappearance of the money.

Another example can be a civil law suit relating to any subject. Both parties in the litigation have a legitimate interest in collecting data to support their case, even if that means that personal data need to be processed.

And I have already mentioned the pre- and mid-employment screenings. While you can argue how ‘freely’ consent for such screenings is given, the company may have a legitimate interest to understand who they will be hiring and what risks they may run financially or with their reputation.

Note that the data collected should be relevant in light of the legitimate interest. If you are investigating intellectual property infringement, you may want to ask yourself if collecting data on the dating habits of the subject really is relevant. (Actually, I believe this is also a question of ethics rather than solely GDPR compliance.)

In sum, as an OSINT investigator, you should always understand and document the legal basis to process personal data before conducting your research. From an ethical point of view, I believe that you should always want to understand what the purpose of your work is and why the client wants the research to be carried out.

The GDPR adds a reason to document the legal basis. An easy way to document it is by explicitly detailing the situation in an engagement letter or contract for the work. Make sure it is signed by you and your client before you start to work. You may also want to include a clause on this subject in your terms and conditions (for details, consult your friendly lawyer).

Principles

On top of the required legal basis for the data processing, article 5 of the GDPR lists the principles to be taken into account when processing personal data. I will disucss the most relevant for OSINT research.

Lawfulness, fairness and transparency

Lawfulness consists of two parts. First you need a legal basis to process the personal data as discussed above. Secondly, your collection methods should be legally allowed. In other words: do not hack, steal or lie to obtain data. Again, the burden of proof is upon you so you also need to document the sources end methods used to obtain the data – which a professional OSINT researcher would do anyway.

Fairness relates to proportionality. Are the methods you use to obtain the data proportionate to the severity of the case you investigate? And is the type and amount of personal data you collect on the data subject proportionate in that respect as well? Be ready to answer this question for each and every OSINT research you perform.

Transparency is covered partly under the accountability; the data processor needs to be transparent in the purpose and type of data being processed. Tranparancy also is the principle under the duty to notify which I will discuss further below.

Data minimalisation

The GDPR requires you to minimise the amount of personal data processed to what you really need to reach the goal of the data processing. As much as necessary, as little as possible. So, when you scrape gigabytes of data, only the information relevant to your task should be retained. Collection and review of significant amounts of social media data, for example, in a pre-employment screening can be legitimate, however data not used in the final report should be deleted as soon as possible after review.

Again, situations may differ and especially as you may need to be able to show your client that you really reviewed certain data, you may need to retain that data. Also, here, having a clear protocol may help you, also when discussing the (im)possibilities with your client.

Accuracy

The GDPR obliges you to make sure that data is of good quality, thus do not use outdated information or data which you know is incorrect. Especially when working with so-called people search engines, you may stumble upon a lot of out-dated data on individuals. You are responsible for verifying the data where possible before further processing or reporting.

Of course, that is easier said than done, however you should be able to show what you did to validate the data you found and if you have only one unvalidated source, it may be wise to include the level of confidence when reporting your findings.  

Storage limitation

How long do you retain the data of your research assignments? The GDPR states that it should not be ‘longer than needed’, which is a pretty vague and open norm. In an ongoing litigation that could be years, but in many cases a long retention period is not needed at all. If your work does not fall under a specific legal retention period (could differ per country/profession) you could also choose to contractually limit the data retention period as much as possible and agree with your client a period of, for example, 1 year. Clearly stating your data retention policy in your research protocol may again help you in any discussion.

Integrity and confidentuality

You are responsible for keeping the personal data you process secure. The fact that you have collected all the data from open sources is completely irrelevant, the data should not be publicly disclosed from your side, especially not if you have combined different data sources which leads to a (fuller) picture of your subject’s personal life. To remember: If you cannot protect it, don’t collect it.

Data Subject rights

The fourth category of GDPR key aspects relevant for OSINT, are the provisions on data subject rights. According to GDPR, a data subject has the right of notification, the right of access, right to rectification, right to erasure of data and the right to restriction of data processing. I will discuss here only the right of notification as this is most relevant for all OSINT research (whereas the other rights only become relevant when the data subject invokes them).

GDPR article 14 states that when personal data are processed which are not directly obtained from the data subject, the data subject must be notified. The article details what the notification should contain, which is at least: what data are collected, who is processing the data, with what purpose and who are the recipients. The same article under (3) states that the notification should take place within a reasonable period after obtaining the personal data, but at the latest within one month, or, if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

So how to deal with the obligation to notify when you are conducting OSINT research on someone?

In the case of a pre-employment screening for example, the data subject is likely already notified, though you might want to make sure that the notification has been done properly and that you have documented this. If a consent form was signed, that could serve as proof of notification. Also note that if the client tells you that the data subject was notified, you do need to verify that the notification was indeed done and correctly, if you are the data controller (see below) as in that case it will be your responsibility.

Sometimes it is possible to be transparent about the fact that you conduct research and you could notify the subject as soon as you have collected the data. Having a standard letter may help making that process efficient.

However, in many cases a notification may prematurely warn the data subject, crossing an ongoing investigation or lawsuit and as such be detrimental to the legitimate interest of your client. So how to deal with notifications in such cases?

Fortunately, under article 23 GDPR member states may restrict certain obligations of data controllers, including the obligation to notify. Ten situations are listed (numbered a to j) in the article, under which the obligation could be restricted. Of these the most relevant for OSINT research are likely:

  • (d) the prevention, investigation, detection or prosecution of criminal offences
  • (g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions
  • (i) the protection of the data subject or the rights and freedoms of others
  • (j) the enforcement of civil law claims

If any of these four situations apply to your OSINT research, you may postpone or forego the notification altogether.  Of course, if you would use such an exemption, you need to document the circumstances and considerations on why you think that this exemption is justified. Be careful and understand the local implementation of the (conditions for) exemptions before you apply them. Every EU Member State may have implemented the provisions of article 23 GDPR differently.

Are you the data controller or processor?

A final key point relevant for OSINT research is understanding whether you are the data ‘controller’ or data ‘processor’. The data processor is the one who determines the purposes and means of the processing of the personal data, and the data ‘processor’ is the one who processes personal data on behalf of a data controller.

The easiest situation is where you are the data processor and you process data under responsibility of the data controller. In those instances, most of the legal obligations as discussed are primarily the responsibility of the data controller, which then usually is your client.

However, the determination on whether you are the controller or processer depends on the level of freedom you have in choosing the purpose and methods of processing the data. If you determine the purpose, types of data and methods applied, you cannot argue that you are just the processor: in fact you ‘control’ the data processing.

Having a data processing agreement with a client – or adding a section on data processing to your existing agreement – is an important prerequisite to be regarded as the processor. To be regarded as the processor, the agreement should clearly show that you are instructed for a specific purpose, looking at specific types of data and applying specific methods (and excluding anything else) and reporting in a specific way. Once more, consult your friendly lawyer for more details.

Conclusion

While this blog post is already quite lengthy, I realise that many details related to how the GDPR applies to OSINT research have not been discussed. The GDPR has a number of other relevant articles, for example on processing of special categories of personal data which I will discuss in a separate blog post. Also, there still is limited jurisprudence on the GDPR as applied in investigations, which means that in many instances it is not exactly clear how the GDPR will be interpreted.

I hope however that the key principles of the GDPR as discussed above will give some guidance, if only for you to realise that you do need to give GDPR compliance proper attention. Especially in high profile cases, I recommend that you make sure to discuss these matters with your client and their (inhouse) legal counsel.

For now, get your copy of the GDPR as well as a copy of the implementing law in your country, read it, seek advice, understand it and most important: Comply with it. If any questions, feel free to send me an email.

(foto credits to @ferarcosn via Pexels)