Abstract
Conducting an in-depth examination of the security requirements of Article 32 GDPR, this article investigates the dual dynamics between data protection and cybersecurity. Even though cybersecurity is commonly understood as essential for the protection of personal data, the manner in which cybersecurity is pursued in practice may simultaneously pose risks to data protection. Importantly, this article shows that below the surface of Article 32 GDPR a paradox emerges whereby cybersecurity tools, albeit implemented for the protection of personal data, simultaneously pose risks to data protection. In other words, in order to safeguard data protection, data protection is concurrently put at peril. This paradox remains hidden behind the open-ended and technology-neutral legislative requirement of implementing appropriate state-of-the-art (SoA) technical and organisational measures (TOMs). In order to expose this paradox, the article first sketches a more tangible interpretation of SoA in the context of Article 32 GDPR, identifying various specific technological cybersecurity solutions that are recommended to be implemented. Ultimately, the article stresses the urgent need for explicit choices by the legislator for navigating the trade-off and balancing between cybersecurity and data protection. Finally, the article shows that the open-endedness of Article 32 GDPR sits uneasily with the broad notion of non-material damages.
| Original language | English |
|---|---|
| Pages (from-to) | 145-162 |
| Number of pages | 18 |
| Journal | European Data Protection Law Review |
| Volume | 11 |
| Issue number | 2 |
| Publication status | Published - 2025 |
Keywords
- Article 32 GDPR
- cybersecurity
- State-of-the-Art
- technology neutrality
- non-material damages