GDPR — General Data Protection Regulation

BLUF

The General Data Protection Regulation (Regulation (EU) 2016/679, entered into force 24 May 2016 and applicable since 25 May 2018) is the European Union’s omnibus data-protection law and the single most consequential legal constraint on open-source intelligence collection involving personal data of individuals in the EU/EEA. GDPR governs the processing of personal data, a term (Art. 4(2)) that covers collection, recording, structuring, storage, retrieval, consultation, use, and alignment or combination, which is the core of any OSINT workflow. It requires a documented lawful basis for each processing activity and reaches non-EU collectors via its extraterritorial scope (Art. 3(2)) whenever they offer goods or services to data subjects in the Union or monitor their behaviour, as far as that behaviour takes place within the Union. For OSINT practitioners, “publicly available” does not mean “unregulated”: scraping, aggregating, and profiling publicly accessible personal data is still processing and triggers GDPR obligations. Verify current applicability against post-2024 amendments and the evolving EU data-governance package (DGA, AI Act interactions) before operational reliance.


Key Points (OSINT relevance)

  • Art. 3(2) extraterritoriality: a controller or processor with no EU establishment is still in scope when its processing relates to monitoring the behaviour of data subjects in the Union (as far as that behaviour takes place within the Union) or to offering them goods or services. Recital 24 treats tracking individuals online in order to profile them or analyse their preferences as monitoring, so a non-EU analyst systematically watching EU-based targets is caught regardless of the targets’ nationality.
  • Lawful bases (Art. 6): processing requires one of six bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Legitimate interest (Art. 6(1)(f)) is the basis most invoked for OSINT, but it requires a documented legitimate-interests assessment that weighs the purpose, the necessity of the processing and the subject’s reasonable expectations against their rights and freedoms, and it is not available to public authorities processing in the performance of their tasks.
  • Special-category data (Art. 9): racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic and biometric data, health, and sex life or sexual orientation may not be processed unless an Art. 9(2) exception applies. The exception for data “manifestly made public by the data subject” (Art. 9(2)(e)) is narrow: it covers what the subject deliberately published, not what an analyst infers or aggregates, and profiling that derives a sensitive attribute from ordinary data can itself amount to special-category processing.
  • Journalistic / academic exemption (Art. 85): Member States must reconcile GDPR with freedom of expression; the journalistic, academic, artistic, and literary processing exemption is the key carve-out for investigative and research OSINT — but it is nationally implemented and variable, not a blanket safe harbour.
  • Data-subject rights and the accountability principle apply to retained OSINT holdings: access (Art. 15), erasure (Art. 17) and objection (Art. 21) can be exercised against an analyst’s database. Because OSINT data is not obtained from the subject, Art. 14 requires informing them of the processing unless doing so proves impossible, would involve disproportionate effort, or would seriously impair the objectives of the processing (Art. 14(5)(b)); that judgement must itself be recorded. Large-scale profiling or combining of datasets is also likely to require a data-protection impact assessment (Art. 35).

Key Connections

  • OSINT Legal Framework — operational legal SOP where GDPR compliance is applied
  • OSINT Ethics — the ethical layer paralleling GDPR’s legal constraints
  • OSINT — the discipline GDPR most directly constrains
  • Berkeley Protocol — international open-source investigation standard intersecting with data-protection law

Sources

  • Regulation (EU) 2016/679 (GDPR), full text — eur-lex.europa.eu — [High confidence — primary, statutory]
  • European Data Protection Board (EDPB) guidelines on lawful basis and Art. 85 — [High confidence]
  • Berkeley Protocol on Digital Open Source Investigations (2022), legal-framework chapter — [High confidence]
  • Currency caveat: verify against post-2024 EU amendments and national Art. 85 implementations before relying operationally.