idw – Informationsdienst Wissenschaft

Nachrichten, Termine, Experten

Grafik: idw-Logo
Grafik: idw-Logo

idw - Informationsdienst

Science Video Project

idw-News App:


Google Play Store

Share on: 
02/26/2024 13:19

Greater Legal Certainty for Cybersecurity Research

Cornelia Reitz Presse- und Öffentlichkeitsarbeit
Nationales Forschungszentrum für angewandte Cybersicherheit ATHENE

    Amendment Proposal for the General Data Protection Regulation (GDPR): ATHENE Position Paper Calls for Data Protection Preventive Assessment

    Cybersecurity researchers are frequently unable to comply with data protection statutes as they cannot know in advance whether they will process personal data, in what way or how much data they will process within their research activity. Three data protection experts from the National Research Center for Applied Cybersecurity ATHENE have therefore formulated a proposed amendment to the GDPR. Their objective is the legally binding introduction of the so called “data protection preventive assessment” that takes unplanned data access into account.

    The position paper in which they explain their approach can be downloaded free of charge on

    Cybersecurity researchers make the world a more secure place. They develop security software for members of the public and companies, they check existing IT systems and report any vulnerabilities found to those responsible, thereby eliminating security loopholes. Cybersecurity research thus contributes significantly to ensuring a secure digital society. However, this research is associated with a major data protection challenge: the European data protection legislation only provides for predictable, and therefore plannable, personal data processing. Yet in practice, cybersecurity researchers often come across personal data by chance in the course of their research, e.g. on the dark web, or they gain access to such data unintentionally and unplanned by other means. Therefore, they cannot predict whether they will come across data, in what way or how much data they will come across during their work and thus find themselves in a data protection dilemma when accessing personal data unintentionally and unplanned. The implementation of data protection law after gaining access to data is neither provided for in European data protection law nor does it seem sensible for the protection of the rights and freedoms of data subjects. As a result, the critical work of cybersecurity researchers is being impeded due to the fear of facing penalties.

    New legal instrument “data protection preventive assessment”

    To address this dilemma, often faced by scientists at universities, colleges, research institutes and companies, ATHENE data protection experts Annika Selzer, Sarah Stummer, and Alina Boll have drawn up a proposal to amend the GDPR, in which a new instrument of data protection law is proposed: the data protection preventive assessment. The idea behind the new instrument is to make assumptions prior to a cybersecurity research project as to what kind of personal data processing is probable during the planned research work (e.g. due to the technology used in the research work or other restrictive circumstances). Based on these assumptions, core aspects of data protection law could be implemented appropriately in advance. Improbable data processing, on the other hand, could be disregarded without violating applicable data protection law.

    If this instrument were to become part of the current European data protection legislation, as proposed in the position paper, cybersecurity research would emerge from the gray area of data protection law without unduly restricting the rights and freedoms of data subjects.

    "Only by rethinking data protection law […] it can ultimately be ensured that (relevant) scientific research is conducted in a legally secure manner and that our society can benefit from the advantages of this research in the long term", Annika Selzer and her colleagues state in their position paper.

    About the authors

    Dr. Annika Selzer, Sarah Stummer, LL.M., and Dipl. jur. Alina Boll compiled the proposed amendment to the GDPR in light of the second evaluation of the General Data Protection Regulation and published it in a position paper on

    Annika Selzer is head of the research department "IT Law and Interdisciplinary Privacy Research" at the Fraunhofer-Institute for Secure Information Technology SIT. Sarah Stummer and Alina Boll work in the same department as legal scholars. Annika Selzer is co-coordinator of the research area "Legal Aspects of Privacy and IT-Security" at the National Research Center for Applied Cyber Security ATHENE. The National Research Center for Applied Cyber Security ATHENE is the largest research center for cybersecurity and privacy in Europe. ATHENE is a research center of the Fraunhofer-Gesellschaft with its two institutes SIT and IGD and with the involvement of the universities TU Darmstadt, Goethe University Frankfurt and Darmstadt University of Applied Sciences.

    Contact for scientific information:

    Dr. Annika Selzer

    Original publication:

    More information:


    Position Paper on the Second GDPR Evaluation (2024)
    Position Paper on the Second GDPR Evaluation (2024)
    ATHENE Center

    Criteria of this press release:
    Business and commerce, Journalists, Scientists and scholars
    Information technology, Law
    transregional, national
    Science policy, Scientific Publications



    Search / advanced search of the idw archives
    Combination of search terms

    You can combine search terms with and, or and/or not, e.g. Philo not logy.


    You can use brackets to separate combinations from each other, e.g. (Philo not logy) or (Psycho and logy).


    Coherent groups of words will be located as complete phrases if you put them into quotation marks, e.g. “Federal Republic of Germany”.

    Selection criteria

    You can also use the advanced search without entering search terms. It will then follow the criteria you have selected (e.g. country or subject area).

    If you have not selected any criteria in a given category, the entire category will be searched (e.g. all subject areas or all countries).