EU Data Protection Update Q2-2022

From the vantage point of data protection and privacy, the second quarter of 2022 was characterized by concerns about IT security against the backdrop of the war in Ukraine. Yet the quarter also saw an accelerated pace of legislative and administrative activity as well as some enforcements.

Data Protection and Cyberattacks as Weapons of War

The weaponizing of hacking in 21st century cyberwar

War in the 21st century does not only use conventional weapons but weaponizes everything, including money, credit, commodities, and IT systems. Hacking has become a tool of warfare in the Ukraine conflict, being used by all parties concerned. While Russian state sponsored groups try to inflict harm on Ukrainian IT infrastructure, Ukraine's "IT Army" of hackers tries to take the war back to Russian cybersoil. The Center for Strategic & International Studies thinks that this conflict, while not the first, may be the most severe cyberwar so far.

Cyberwar, however, is hard to limit to a specific geographic area. Attacks on systems and software may hurt – unintentionally or even intentionally – also non-involved actors and have repercussions worldwide. The fallout of the conflict is being felt in a high number of data incidents globally, but especially in Europe. The German Federal Office for Information Security (BSI) warns of an increased threat level, in particular regarding critical infrastructure. The attack on a satellite network controlling windfarms in Germany, having taken thousands of turbines off the grid, shows how well founded such concerns are.

Yet data protection is also being used as a tool of economic sanctioning. In a move that may or may lie in the blurry area between genuine concern and weaponizing, the Russian court of the Tagansky District of Moscow fined Google with 15 million Rubles on 16.6.2022 for failure to host the data or Russian Citizens in Russia as required by applicable law.

War and cyber-ethics – an unexplored territory

The war in Ukraine also shows data protection issues from another very pressing side, reminding us of the ethical background of privacy.

When Ukrainian officials run scans on dead Russian soldier's faces to identify them and then contact their families back home: is that a kind and maybe even necessary application of Clearview AI's technology or a gruesome act of psychological warfare?

And when, as an act of warfare, names, birthdays, and passport numbers of soldiers are being published, thus doxing those individuals, making them a target also in their civilian life, is that a justified act of self-defense or not?

As data protection is very often about weighting the pros and cons of technologies and applications, we may use such stark examples as a basis for debate and a means to sharpen our judgement. The jury is still out.

Attack on Mailchimp Highlights Dangers of Centralized Data Storage

The giant E-Mail-marketing platform Mailchimp was hit by a hacking attack that resulted in a data breach: the audience data of more than 100 Mailchimp accounts was successfully stolen, with a focus on companies being active in finance and cryptocurrencies.

Mailchimp is a technologically sophisticated company and reacted swiftly. That the attack was nevertheless successful shows that even companies employing state-of-the-art technical and organizational data protection measures (TOM) may be breached, highlighting the dangers of centralized data storage.

Census in Germany – the Origin Story of Data Protection

The German Census ("Volkszählung") started in May 2022. The aim of the census is to get more reliable data on the life of Germans, but also their property including real estate.

Critical discussion of the census and its various privacy aspects was almost absent in the public sphere. This comes as a surprise as it was the 1983 census that gave birth to the very idea of data protection as an individual right in (then) West-Germany. That census was stopped by an injunction of the constitutional court which had concerns about the legality of the procedure, in particular regarding proper observance of privacy and data protection.

In the final decision in December 1983, the court found data protection ("informationelle Selbstbestimmung") to be a basic right according to the Grundgesetz, the German constitution. This verdict is seen as the basis for data protection legislation on the German as well as European level. Therefore, the lack of any current public debate is rather surprising.

Industry and Administrative Initiatives

Microsoft limits Azure's AI capabilities for privacy concerns

Microsoft committed itself to a responsible approach when developing AI applications in a companywide responsible AI Standard. For privacy and ethical concerns, Microsoft shall no longer use capabilities to process emotional states and attributes such as gender, age, smile, facial hair, hair, and makeup.

As such AI capabilities were included in Microsoft's Azure Services and via APIs accessible by third parties, the new standard will have industry wide repercussions.

Guidelines for privacy in healthcare issues by German and Spanish legislators

The German Bundesamt für Sicherheit in der Informationstechnik (BSI, Federal office for Information Security) published guidelines on system and application design for healthcare applications. As such application process sensitive data, privacy concerns are of high importance. Indeed, hospitals and healthcare providers have been subject to hacking activities and had to endure data breaches. Therefore, the focus of the guidelines is on technical data security.

Directed at the same industry but geared towards individual professionals, the Spanish Agencia Española de Protección de Datos published guidelines highlighting the organizational side of data processing activities, such as making sure there is legal basis for processing and securing data subject rights of the patients.

Google launched a new Cookie Consent banner in April 2022 following a fine and enforcement actions handed out by CNIL (we reported on that in our last data protection overview).

Not only has the text of the banner been updated to make the effect of cookies more transparent, but the choices users can make are now also radically different. Where previously users had to scroll through an endless list of bullet points with many clicks needed to reject every cookie class individually, they now can reject all not strictly necessary cookies with just one button.

Legislation

EU Parliament approves Data Governance Act

The European Parliament approved the Data Governance Act (GDGA) on April 6th, 2022. The idea of the DGA is to give companies and start-ups better access to data to enable them developing better apps, products, and services. This way, the single market shall be extended to data as well and barriers of access to data will be lowered.

The way the DGA works is by establishing – and then regulating – services that act as data marketplaces. To make sure those act according to applicable law, such services will have to ask for a license and be subject to supervision. The services may not use the data themselves but share them with third parties against a fee. Individuals (technically: data subjects) may be able to create a data wallet on those services, thus not only having control over their data but participate in their sharing.

It is hoped that this may facilitate the sharing of data that otherwise would be held confidential in data silos, thus fostering an open, data driven economy. From a bird's eye view the DGA deals with the issue who owns data, who can be their custodian, and how public access can be organized. What we thus have here is the establishment of a framework for digital property rights in the 21st century.

Before coming into effect, the proposal needs to be approved by the Council of the European Union. However, no amendments are being expected.

BSI issues request to re-shore cloud services to EU

The German Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security), according to many sources, asked large providers of critical infrastructure to switch to using only European cloud services. The background of this request is allegedly not only compliance with data protection requirements but also a hardening of the respective IT infrastructure.

Political Agreement on EU Digital Services Act

The European Parliament and EU Member States reached a political agreement on the final text for the EU Digital Services Act (DSA). The DSA will set new standards on the accountability of Online-Platforms for harmful or outright illegal content. Such platforms will face much wider ranging duties to remove illegal content faster and protect individual rights better.

On the data protection side the Digital Services Act will bring clear and harmonized rules on cookie banners. This must be fair and avoid any dark patterns that nudge the user's decision to accept cookies.

Provisional Agreement on Directive on Cyber security in the EU

The EU Council and the European Parliament agreed on a provisional agreement on the NIS2 directive, which will replace the current directive on security of network and information systems. The directive will cover high-risk sectors such as energy, transportation, health, and digital infrastructure and also include medium sized firms.

Enforcements

The European Data Protection Board published new guidelines on calculating EU General Data Protection Regulation fines in an attempt of EU-wide harmonization. The amount has to be based on factors such as the nature and severity of a violation as well as the size of the business.

Greek Authority fines Clearview AI with 20 million Euro for privacy breach

In our Data Protection Update for the first quarter of 2022 we reported about the Clearview AI case and how national data protection legislators fined Clearview for the – rather brazen – breach of pretty much any stipulation in the GDPR.

As those fines are being handed out on a national level, the Hellenic Data Protection Authority fined Clearview AI with another 20 million Euro for the use of personal data of EU citizens by the company for the purposes of facial recognition and AI training.

Not only did Clearview AI use the data without permission, but also failed to inform the concerned data subjects or grant them any of the other data subject rights under the GDPR.

Office 365 faces headwinds in German public sector as data protection

authorities have concerns due to its transfer of data to the US. The reason is that the regulators see no proper grounds for such transfer, especially after the Privacy Shield was declared invalid in the Schrems II verdict of the European Court of Justice (CJEU). Background is a probe into the use of Microsoft Office 365 in schools. A working group of state regulators came to the conclusion that the use of the office software is not possible in a data protection compliant way.

Dutch Ministry of Foreign Affairs fined for unlawful visa processing

Not only private companies are subject to privacy enforcement but the government and public sector as well. Autoriteit Persoonsgegevens, the Dutch Data Protection Authority, fined the Dutch Ministry of Foreign Affairs with 565.000 Euro for lack to technical-organizational measures (TOM) to properly protect data processing activities in visa processing as well as lack of information given to the data subjects.

Consumer Protection Organizations have court standing in privacy matters

The European Court of Justice (CJEU) ruled on April 28th, 2022 that consumer advocacy groups have the right to bring forward legal proceedings against alleged data protection breaches. As the law of civil procedure is a national matter, such national law has to allow such action. The GDRP, however, does not specifically mention them. The question in the case was if such silence of the GDPR has to be interpreted as a preclusion for national regulation insofar.

In the case, a German Consumer Protection Organization brought forward a case against Meta Platforms for not providing a clear explanation of how it processes user data. Meta doubted the organization's right to sue in court as the GDRP is silent on this matter.

Indeed, it would be paradoxical if a law that is intended to secure the rights of consumers could not be enforced by consumer rights groups.

Meta Platforms hit with – yet another – data protection investigation

Meta Platforms is subject to another investigations by Ireland's Data Protection Commission. This is subject to many data protection authorities due to its sometimes-cavalier approach towards privacy. This time for alleged breaches of children's data rights on Instagram.