
Data Protection Newsletter

Dear readers,

In recent weeks, numerous companies and government agencies have been attacked by the Clop hacker group, as media reports show. The group exploited a vulnerability in the file transfer software “MOVEit Transfer” that had gone undiscovered for months. According to the manufacturer, the affected software is used by thousands of organizations worldwide. Clop now publishes the names of further affected companies every week. These are said to include corporations such as Sony and Shell, government agencies, insurance companies and banks such as Deutsche Bank, Comdirect and ING. Recently, German companies such as Siemens Energy and Rhenus as well as various health insurance companies have also been listed. In these attacks, Clop no longer relies on encrypting data (as in classic ransomware attacks); instead it exfiltrates the data to its own infrastructure and then threatens to publish sensitive information unless the demanded ransom is paid. Clop’s demands are tailored to the company concerned and in individual cases exceed 35 million euros.

With regard to the vulnerability in the MOVEit Transfer software, the BSI recommended as early as June 2023 that organizations implement the measures proposed by the manufacturer and check their systems for signs of compromise. In the BSI’s view, there is an immediate need for action.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: Third country transfers - new adequacy decision for the U.S.

International data transfers occur in everyday corporate life in connection with the use of a variety of online applications. This applies, for example, to the use of video conferencing services such as Microsoft Teams and Zoom, the use of applications such as Office 365, and the integration of cloud and e-mail services, but also to the cooperation and exchange of data with other Group companies. In particular, collaboration with U.S. service providers and partners remains highly relevant for a majority of companies, despite the data protection difficulties associated with international data transfers. In the survey “Data Protection in German Business: GDPR & International Data Transfers”, published by the digital association Bitkom in the fall of 2022, almost two-thirds of the companies surveyed said that not transferring data internationally would have serious negative consequences for them. Respondents also made clear the importance of a robust legal basis for international data transfers.


OLG Brandenburg: Reason unrelated to data protection in a claim for information

On June 16, 2023, the Higher Regional Court of Brandenburg ruled that it is an abuse of rights for a customer to assert a claim for information under data protection law against their insurance company solely in order to check whether a premium increase is lawful (OLG Brandenburg, decision dated 16.06.2023 - Ref. 11 U 9/23).

Specifically, in the case underlying the decision, the parties disputed the effectiveness of premium increases under a private health insurance policy. The court first determined that the GDPR did not apply at all, since the customer had requested information that was not personal data: the amount of the factors triggering the recalculation of the premium is a calculated variable with no direct reference to the customer. The court further stated that the insurance company - even if the GDPR were assumed to apply - would have a right of refusal pursuant to Art. 12 (5) sentence 2 GDPR. The wording of the provision makes it clear that it also covers abusive requests beyond the circumstances explicitly mentioned. The purpose of the right of access pursuant to Article 15 GDPR is to enable data subjects to check whether data relating to them is accurate and processed lawfully, in particular so that they can assert further data subject rights if necessary. In the present case, however, the customer was not pursuing any such data protection purpose, but was exclusively concerned with reviewing the premium increase carried out by the insurance company and enforcing payment claims. Accordingly, the request for information was not based on a data protection objective or any other legitimate purpose and was therefore to be regarded as an abuse of rights. Since there was thus already no legitimate purpose, the outcome of the preliminary ruling proceedings referred by the Higher Regional Court of Koblenz and currently pending before the ECJ (OLG Koblenz, decision dated 19.08.2022 - Ref. 10 U 603/22; pending: ECJ - Ref. C-672/22) and of a further reference by the BGH (BGH, decision dated 29.03.2022 - Ref. VI ZR 1352/20) was irrelevant to the case.

In substance, the decision is to be welcomed. It should be noted, however, that a request for information under data protection law does not require a particular reason, so that, at best, only a very limited examination of whether the request serves a legitimate purpose can take place.

(Christina Prowald)

LG Tübingen: Liability of a cyber insurance for hacker attack

In its decision of May 26, 2023, the Regional Court of Tübingen addressed the question of when a cyber insurance company must be liable for a hacker attack (LG Tübingen, decision dated 26.05.2023 - Ref. 4 O 193/21).

It held that in the case of a “pass-the-hash” attack, in which administrator rights for all of the company’s servers were captured by exploiting a known vulnerability in Microsoft’s operating system, the fact that not all servers had been equipped with the latest security updates did not affect the claim for benefits against the insurer. A possible breach of a duty of disclosure in this regard was not causal, neither for the occurrence or determination of the insured event, nor for the determination or scope of the duty to pay benefits, insofar as the policyholder had not acted fraudulently. Section 81 (2) of the German Insurance Contract Act (VVG) (bringing about of the insured event by the policyholder) did not apply if the risk situation - in the specific case, the lack of security measures to prevent the attack - already existed at the time the contract was concluded and was, or could have been, the basis of the insurer’s risk assessment.

The company was able to prove in the proceedings that the missing security updates had no effect on the occurrence of the insured event or the extent of the damage. Moreover, it could not be established that the risk questions required for the conclusion of the contract had been answered fraudulently. Of the claimed damage of 3.7 million euros, the injured company was awarded 2.85 million euros against the insurer.

(Christina Prowald)

AG Augsburg: Footer in e-mail is not unauthorized advertising

On June 9, 2023, the Augsburg District Court ruled that an e-mail containing links to the company’s own website and social media channels in the footer does not constitute unauthorized advertising (AG Augsburg, decision dated 09.06.2023 - Ref. 12 C 11/23).

The court first stated that, according to common usage, the term advertising encompasses all measures of a company aimed at promoting the sale of its products or services and must be understood broadly. However, a mere reference to the company’s Internet presence following the employee’s contact details, without any link to a product or other advertising information, does not constitute advertising. The court found that such a reference does not serve to promote sales, but rather serves information purposes. The decision is particularly interesting because the courts have in the past often tended to interpret the concept of advertising very broadly.

(Christina Prowald)

BfDI welcomes ECJ’s Meta decision

On July 4, 2023, the ECJ ruled that a national competition authority may find an infringement of the GDPR in the context of the assessment of whether a dominant position is being abused (ECJ, decision dated 04.07.2023 - Ref. C-252/21).

The background to the case is Meta’s practice of collecting data on Facebook users’ activities both inside and outside the social network - from group subsidiaries and via interfaces embedded in third-party websites - and associating that data with the users’ Facebook accounts to build detailed user profiles, in particular for personalizing advertising. In the Federal Cartel Office’s view, Meta is abusing its dominant position in this way, which is why the competition authority prohibited Meta from making the use of the social network dependent on the processing of such off-Facebook data and from processing it without consent. The Federal Cartel Office based its decision on Meta’s violation of the GDPR. In the subsequent proceedings, the Düsseldorf Higher Regional Court referred to the ECJ, among other things, the question of whether the Federal Cartel Office may examine whether data processing complies with the requirements of the GDPR.

The ECJ has now ruled that, when examining whether an undertaking is abusing a dominant position, it may prove necessary for a competition authority also to examine whether the undertaking’s conduct is compatible with rules other than those of competition law. At the same time, it clarified that the data protection supervisory authorities are primarily responsible for identifying data protection breaches. For this reason, the competition authority must consult the competent data protection supervisory authority before making its own findings on data protection issues and must take into account any decisions or investigations by that authority.

The Federal Commissioner for Data Protection and Freedom of Information (BfDI), Professor Ulrich Kelber, welcomes the ruling in its significance for data protection and commented: “I am pleased that the ECJ recognizes that compliance with data protection requirements is relevant to competition and allows antitrust authorities to also examine the compatibility of companies’ conduct with data protection law in order to protect competition. I congratulate the Federal Cartel Office on this success.”

(Christina Prowald)

EDPS: Use of cloud services at the ECJ

On July 13, 2023, the European Data Protection Supervisor (EDPS) decided that the ECJ’s use of a cloud-based video conferencing service is permissible under data protection law (press release dated 14.07.2023). It found that the use of Cisco Webex and related services complies with the data protection rules applicable to EU institutions (Regulation (EU) 2018/1725, the counterpart of the GDPR for the EU institutions, bodies, offices and agencies).

The decision was based on the revised agreement between the ECJ and Cisco, which ensures that personal data is only processed in the EU or EEA. The EDPS encouraged stakeholders to remain committed to complying with data protection requirements when using cloud services, referring in particular to thorough assessments and analyses of the potential risks arising from third-country laws. Wojciech Wiewiórowski, EDPS, commented: “EU institutions, bodies, offices and agencies in their day-to-day work must uphold individuals’ fundamental rights and in particular data protection rules when using videoconferencing tools. This is even more true when the use of these tools may involve transfers of personal data to countries outside the EU and the European Economic Area (EEA) that can lead to increased risks for the rights and freedoms of individuals. I welcome that the Court has taken leadership to obtain significant changes from Cisco; we hope this achievement can act as an example for other EU institutions, bodies, offices and agencies.”

The EDPS also announced his intention to provide relevant advice and guidance in the coming months.

(Christina Prowald)

LfD Lower Saxony: Fine for e-mail newsletter without unsubscribe option

The 28th Activity Report of the State Data Protection Commissioner of Lower Saxony for the year 2022 shows that the authority imposed a fine of 50,000 euros on a company because, due to a technical malfunction, the company’s e-mail newsletter system did not process unsubscribe requests for a considerable period of time (28th Activity Report of the LfD). Since the company sent out a large number of newsletters, those affected received a considerable number of unsolicited advertising e-mails. Those affected who tried to unsubscribe via the company’s service staff were also unsuccessful. In addition to the objections to advertising that were thus ignored, the company also failed to comply with a request for information from a data subject. The company accepted the fine.

(Christina Prowald)

LfD Lower Saxony: Coordinated auditing of media websites

Together with the data protection supervisory authorities of several German federal states, the State Data Protection Commissioner of Lower Saxony (LfD) conducted a coordinated audit of the websites of a total of 49 media companies (press release dated 10.07.2023). In particular, the new provisions of the TTDSG were taken into account and the use of so-called pure subscription models (consent-or-pay models, in which users choose between an ad-free paid subscription and free access with consent to tracking) was examined. The comprehensive legal assessment was published in a corresponding resolution of the Data Protection Conference, according to which pure subscription models are generally permissible provided that the requirements of data protection law are observed (we reported in May 2023).

During the audit, numerous data protection violations relating to the use of cookies and other tracking technologies were identified on various websites. The companies were informed of this and given the opportunity to implement the requirements for a data protection-compliant design of their consent banners, including the integrated pure subscription model. In particular, the audit criticized the setting of cookies before the consent request was even displayed, missing information, an insufficient scope of consent, manipulation of users and the lack of a button for rejecting cookies. After the companies had been informed of the violations, all responsible parties made adjustments and the violations were largely eliminated. Finally, the companies also received a comprehensive closing letter outlining the remaining deficits under data protection law. At the same time, the LfD reserved the right to conduct a further review.

(Christina Prowald)

LfD MV: Concerns about Sentry Mode at Tesla

The electric vehicles of the American manufacturer Tesla have a so-called Sentry Mode: when activated, the vehicle monitors its surroundings and automatically starts recording with its cameras, for example when people or other vehicles approach the car. The recordings are then stored, for example on a USB stick, and can later be used by the vehicle owner as evidence. This design gives rise to obvious opportunities for abuse, since recording in public spaces without the persons concerned being able to recognize it leads to a considerable impairment of their privacy.

In a statement, the supervisory authority in Mecklenburg-Western Pomerania has now rightly expressed data protection concerns about this function and pointed out that the situation is comparable to the use of dashcams. According to the case law of the Federal Court of Justice (BGH, decision dated 15.05.2018 - Ref. VI ZR 233/17), only short-term recording prompted by a specific occasion can be considered permissible. Not every recording by the vehicle meets these requirements; moreover, the immediate deletion of the data after a short storage period is not ensured. Vehicle owners are therefore called upon to disable the function.

The supervisory authority’s statement was prompted by frequent complaints about the function from data subjects. In the past, the Federation of German Consumer Organizations (vzbv) had also successfully challenged Sentry Mode in court (LG Berlin, decision dated 21.03.2023 - Ref. 52 O 242/22).

(Dr. Sebastian Meyer)

SDTB: Facebook Fan Page Ban

On July 5, 2023, the Saxon Data Protection and Transparency Commissioner (SDTB), Dr. Juliane Hundert, prohibited the State Chancellery of Saxony from continuing to operate the Facebook Fan Page of the Free State of Saxony pursuant to Article 58 (2) (f) GDPR (press release dated 07.07.2023). The State Chancellery was given four weeks to comply with the order. In addition, the SDTB issued a reprimand to the Saxon State Chancellery under Article 58 (2) (b) GDPR for violating the accountability obligation under Article 5 (2) GDPR and the prohibition on processing data without a corresponding legal basis under Section 25 (1) sentence 1 TTDSG and Article 5 (1) (a) GDPR.

The SDTB stated that, with regard to the processing of personal data in connection with the use of a Facebook Fan Page, joint controllership continues to exist. The State Chancellery was therefore obliged to provide positive evidence of compliance with data protection law, but had not succeeded in doing so. Particularly because of their role model function, public bodies such as the State Chancellery must comply with the law, and in order to prevent further violations the page had to be shut down. Even though the State Chancellery is obliged to carry out public relations work, it may only do so in a lawful manner, and it is not possible to use Facebook without violating the law. Dr. Juliane Hundert also criticized the violation of the TTDSG, as Facebook sets cookies, transmits data and creates highly enriched personal advertising profiles without a sufficient legal basis. An appeal against the decision can be filed with the Dresden Administrative Court within one month.

Dr. Juliane Hundert made it clear: “The proceedings against the Saxon State Chancellery are exemplary. Other public bodies in the Free State of Saxony also use Facebook and are obliged to act lawfully. They should not hide behind the proceedings against the Saxon State Chancellery, but should actively and immediately end the use of their Facebook Fan Pages in violation of data protection.”

The Federal Commissioner for Data Protection and Freedom of Information, Professor Ulrich Kelber, had previously stated in February 2023 that it is not possible to operate a Facebook Fan Page in compliance with data protection law and had ordered the Federal Press Office to discontinue operation of the federal government’s Facebook Fan Page (we reported in March 2023). The Federal Press Office subsequently brought an action against that decision before the Cologne Administrative Court.

(Christina Prowald)

Sweden: Fine for use of Google Analytics

On July 3, 2023, the Swedish Data Protection Authority (IMY) issued decisions against four companies concerning their use of Google Analytics (press release dated 03.07.2023). One of the companies had recently stopped using the analytics tool on its own initiative, while the remaining three were ordered to stop using the service. Two of the four companies were also fined.

IMY had examined how the companies CDON, Coop, Dagens Industri and Tele2 used Google Analytics for web statistics and to what extent personal data was transmitted to the USA in the process. The investigation was prompted by complaints from the organization noyb (“None of Your Business”) about the transfer of personal data to the United States in violation of data protection law. IMY concluded that the data transmitted through the use of Google Analytics is personal data, as it can be linked to other unique data that is transmitted along with it. Moreover, the safeguards adopted by the four companies were not sufficient to ensure a level of protection equivalent to that in the EU or the EEA: the companies had based the transfers on the standard contractual clauses but had not taken sufficient supplementary measures beyond them. IMY therefore imposed fines of 12 million Swedish kronor on Tele2 and 300,000 Swedish kronor on CDON, because these two companies had not taken protective measures as comprehensive as those of Coop and Dagens Industri.

Sandra Arvidsson, legal counsel at IMY, stated that the decisions could provide guidance to other organizations using Google Analytics.

(Christina Prowald)

Norway: Ban on behavioral advertising on Facebook and Instagram

On July 14, 2023, the Norwegian Data Protection Authority (Datatilsynet) imposed a temporary ban on Meta’s behavioral advertising on Facebook and Instagram insofar as it is based on the monitoring and profiling of users in Norway (notice dated 17.07.2023). The ban is initially to apply until October, or until Meta can demonstrate that it complies with the legal requirements. If Meta does not comply with the Norwegian regulator’s decision, the company faces a penalty of up to one million Norwegian kroner per day.

As early as the end of last year, the Irish Data Protection Authority had found that Meta’s behavioral advertising was unlawful. Despite various adjustments on Meta’s part, the ECJ again found in July 2023 that Meta’s behavioral advertising was still not compliant with the law. The Norwegian Data Protection Authority has now taken action on this basis. It stated that its decision does not mean a ban on Facebook or Instagram in Norway; rather, the aim is to ensure that the services can be used safely and that the rights of those affected are respected. Although Meta’s European headquarters are located in Dublin, another data protection authority may also take action where urgent measures are required. The Norwegian Data Protection Authority has already announced that, if necessary, it will refer the matter after the summer to the European Data Protection Board (EDPB), which will then decide whether to extend the measure.

Tobias Judin, Head of International Affairs at the Norwegian Data Protection Authority, stated that invasive commercial surveillance for marketing purposes is one of the biggest threats to online privacy today. If Meta decides which advertising is shown to those affected, the company simultaneously decides what is not shown to them, which could impair the freedom of opinion and information in society.

(Christina Prowald)

USA: Federal Trade Commission against Amazon and OpenAI

The Federal Trade Commission (FTC) and the Department of Justice (DOJ) have imposed a penalty of 25 million dollars on Amazon and two subsidiaries in a wide-ranging case and ordered Amazon to delete data because the company violated the Children’s Online Privacy Protection Act (COPPA) rule (press release dated 31.05.2023). The orders proposed by the FTC and DOJ must first be approved by a federal court before they take effect.

The authority accuses Amazon of retaining Alexa voice recordings of children indefinitely, contrary to its own claims, and of failing to comply with deletion requests from parents. In addition, the data was used for the company’s own purposes, including the training of algorithms, and was exposed to unnecessary internal access. The agency found that Amazon had failed to establish an effective system for adequately informing parents about the deletion of the recordings and for complying with users’ deletion requests. Problems with Amazon’s deletion of geolocation data had also not been fixed.

According to press reports, the FTC has also opened an investigation into ChatGPT operator OpenAI (report dated 13.07.2023). It is examining whether OpenAI has violated consumer protection laws by putting people’s reputations and data at risk. The Washington Post refers to a 20-page civil investigative demand from the agency covering the collection, use and protection of user data, the training of AI systems, and an incident in which users’ conversation histories and payment information were exposed to other users.

(Christina Prowald)