EU Data Protection Update Q3-2022

European map colored in blue with the 12 yellow European stars on top with a centered paragraph symbol standing for a European Data Protection

The third quarter of the year is typically a time, where even privacy activists, lawmakers, lawyers, and administrative people are tanning on the beach. Yet in 2022 there was a flurry of activity, discussions, and developments.

German courts disagree on data transfers to the US

Two decisions of German courts, coming from the unexpected angle of procurement law, made for rather big waves in the data protection space.

The Public Procurement Chamber of Baden-Württemberg blocked a European subsidiary of a US company from bidding for public services on the ground that data (including potentially sensitive data, as the tender came from two municipal hospital companies) might be illegally transferred to the US. This would violate the GDPR, blocking the offer from being considered.

While the respective data was stored on European servers, the US mother company is subject to the US Cloud-Act, enabling US intelligence agencies to access the respective data. The US Cloud Act covers also European Subsidiaries, even if they store their data in the EU. Engity has discussed this extensively here on this Blog.

The decision was overturned by the Karlsruhe Higher Regional Court on the grounds that the respective bidder gave contractual guarantees regarding proper GDPR compliance. Only if there are doubts about those guarantees on the basis of concrete indications must the contracting authority obtain supplementary information and check whether the performance promise can be fulfilled.

Engity thinks that the Karlsruhe Higher Regional Court is naive in thinking that the EU subsidiary will rather keep a contract with the EU authority than to break US law, considering that the latter comes with severe consequences for the mother company and a gag order.
At least the discussion is opened.

Ransomware attacks and Identity theft of the rise

While there is an ongoing flurry of legislative and administrative action, we also see a further rise in cybercrime and security breaches causing billions of Euros of damages to both, industry, and governments. This includes ransomware but also, to a large extend, identity theft – or both, as they often go hand in hand.

The challenge posed is to increase the often-neglected technical side of data protection.

Encryption Wars 3.0

An ongoing discussion in Q3 2022 was that of secure communication versus crime prevention and similar noble causes. The noble cause in concrete being the fight against material showing child abuse. In its "Proposal for a regulation of the European Parliament and of the council laying down rules to prevent and combat child sexual abuse", the EU, in fact, calls for backdoors in private messaging platforms like WhatsApp, Telegram, or Signal, so those platforms can scan message contents for violations of applicable laws.

The proposal received harsh criticism in Q3. Opponents point out that, while the goal to prevent the spread of illegal material may be noble, the idea to implement backdoors in platforms or perform client-side scanning of uploaded material, risks the very core of security and privacy.
A pushback comes also from within the EU, namely from the European Digital Privacy Supervisor and the European Digital Protection Board, calling the proposal "disproportionate".

We at Engity believe that breaking encryption is not the right approach to tackle the problem. Once the genie of a backdoor in seemingly secure communication is out of the bottle, it is impossible to put it back in. Data that is open for one party is open for everybody. Unsecure communication will hurt privacy and security for European private users as well as businesses and open the door for IP-theft and surveillance.

Industry and Administrative Initiatives

Helpful tools provided by administrative and supervisory bodies

Data protection rules are proliferating and staying in compliance with all of them can be difficult. Data protection authorities address this problem by issuing checklists, guidance, and To-Do's. While it the past such publications tended to be overly complex catering to professionals and DPO's, we see those tools becoming more hands-on and ready to use.

As the GDPR applies all over the EU (and sometimes beyond), it is recommended to look for the best tools from all over the area. A few examples:

  • The UK's Information Commissioner's Office issued a helpful six-step guide for small businesses on how to handle data protection complaints they received.
  • Latvia's data protection authority published guidelines on the role of the DPO / Data Protection Officer in public and private organizations.
  • The U.K. Information Commissioner's Office offered clear guidelines for binding corporate tools as a way to transfer data to third countries.

Start-ups creating tools for better data protection compliance

Businesses increasingly use technology in managing all kinds of things, helping them to navigate an increasingly complex world by automating tasks, basically having some processes run by machines. This also applies to compliance with privacy and data protection legislation. There is an evolving scene of start-ups developing software and workflow tools in this space.

Here are a few examples:

  • Nightfall AI raised money to develop a tool that identifies personal data, and in particular sensitive data, flowing in and out of applications. The idea is that it is hard to protect sensitive data when it is unclear where they actually are; a problem that is proliferating in a tech environment that runs mainly on cloud apps.
  • DynamoFL develops technology that enables businesses using data to train AI applications without sharing personal data. There is a need for such applications to be trained on quality data sets in fields like finance, health care, or crime prevention. At the same time, personal data must be protected. Balancing those conflicting goals is, therefore, important.
  • In all modesty we would also like to mention Engity's IAM – Identity and Access Management. This product enables organizations to mange their IAM needs in a GDPR compliant manner as data are only stored on the US. Since Engity, unlike most competitors, is not subject to the US Cloud Act, there is no implied US data transfer.

Legislation

European Commission released proposal for "EU Cyber Resilience Act"

Many devices connected to the Internet are unsafe. They can be hit by cyberattacks very easily and thus enable all kinds of cybercrime. Security is no primary concern for either producers or consumers, but price is – resulting in a race to the bottom.

The basic idea of the EU Cyber Resilience Act is to address this issue and to force manufactures to enhance the security of their products, but also to enable consumers to use such products in a secure way. These obligations are supplemented by reporting obligations should manufactures become aware of any active exploitation of a vulnerability in their products.

The proposal of the Cyber Resilience Act will go through the legislative procedure which may take a few months. After entering into force, the addressees will have to years to comply with the new requirements.

EU Digital Markets Act signed into law

The EU Digital Markets Act ("EU-DMA") addresses big platforms and tries to prevent them acting as gatekeepers, controlling one (or more) "core platform service" such as search or social networking.

While the EU-DMA has lots of features, most of which address competition and media law, there is also quite a bit of data protection legislation contained in it. In particular, it prevents such platforms from processing their user's personal data for targeting advertising, unless informed consent is granted. Furthermore, the details of how users are profiled will have to be disclosed.

The EU-DMA get a fair share of critique ranging from stifling competition by overregulation to not addressing some major issues such as gatekeeper acquisitions. It will come into force on 1 November 2022, some key rules will start applying on 2 May 2023.

Enforcements

Harsh fine for appointing Data Protection Officer despite conflict of interest

The Berlin Commissioner for Data Protection and Freedom of information imposed a harsh fine of 525,000 Euro against a company that had appointed a Data Protection Officer (DPO) despite an obvious conflict of interest.

A DPO has the task to monitor compliance with all applicable data protection regulation. This includes commissioned data processing. In the case at hand, however, the DPO was also General Manager of two companies acting as data processors for the company now fined. He did, in effect, monitor his own compliance, creating a very obvious conflict of interest.

Denmark joins rest of Europe in reigning in Google Analytics data transfers

Datatilsynet, Denmark's data protection authority, joins the rest of the European Union in stopping data transfers to Google Analytics unless further measures are taken, such as pseudonymization. Without such measures, Analytics must not be used any longer in Denmark.

While the Danish decision is in a sense only a "follow-up" to similar rulings in virtually all other EU-countries, it serves as a reminder that the GDPR is to be interpreted uniformly across the continent.

CNIL plans out 60 million Euro fine for tracking and profiling

CNIL, France's Data Protection Authority, is considering handing out a 60 million Euro fine to ad-tech company Criteo for violating the GDPR. Criteo provides a set of tools that allows web users to be tracked and profiled, enabling behavioral ads and very fine-tuned targeting. Users were not asked for their consent.

As the Digital Markets Act shows (see discussion above), data protection watchdogs become increasingly concerned about excessive profiling as this practice is very opaque and users have almost no way of understanding what exactly happens to their data.

LfD of Lower Saxony fines Volkswagen 1,1 million Euro

The State Commissioner for Data Protection (Landesbeauftragter für den Datenschutz, LfD) has issued a fine of 1,1 million Euro against Volkswagen. The carmaker commissioned a company to use vehicles with cameras attached to collect traffic data which were needed to train driver assistance programs. The vehicles were missing a notice that data processing (read: recording of persons) was taking place as well as further information required under Art. 13 GDPR, such as purpose and duration of processing.

In addition, Volkswagen and the company carrying out the data collection had not concluded a DPA as required by Art. 28 GDPR.

DPC announces decision announces fine of 405 million Euro against Instagram

The Irish Data Protection Commission (DPC) finally announced it long awaited decision in the case of the use of children's data on Instagram. We already discussed the draft of this decision in our quarterly data protection review Q2/2022.

In particular, Instagram enabled the publication of e-mail addresses and telephone numbers of minors on business accounts.

The fine handed out amounts to 405 million Euro. Further measures are demanded to make Meta's data processing to comply with the GDPR.