Daniel Rücker is a partner in Noerr’s Munich office. He specialises in information technology law and data protection law and heads the Noerr data privacy group. Besides complex data protection law matters such as the structuring of international data flows, he supports clients in privacy by design as well as in the context of data breaches and data protection litigation.
Sebastian Dienst is an associated partner based in Noerr’s Munich office and a member of the data privacy and digital business practice groups. He specialises in data protection law and IT law. Sebastian has wide-ranging expertise in advising international companies from various industry sectors, especially in the areas of data protection governance, data protection by design, data breach management and data protection litigation.
Pascal Schumacher is a tech lawyer and associated partner with Noerr’s data privacy group. Based in Berlin, Pascal focuses on regulated industries and data protection. He has particular industry expertise in the infrastructure, telecoms, banking and e-health sectors. His work includes digital platforms, privacy governance and litigation, and complex data and tech agreements.
David Bomhard is a physicist and lawyer specialising in legal advice in connection with digitisation of processes and complex IT projects (especially IT outsourcing, cloud computing, agile software development, automation of corporate processes, and use of artificial intelligence). One of his key focuses is on IT and cloud outsourcing at BaFin-regulated companies (especially insurance companies and banks).
1 What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?
On 28 May 2021, the German IT Security Act 2.0 came into force. The new law is intended as a legal basis for the federal government’s cybersecurity strategy and to improve information security in Germany. This is accompanied by a massive expansion of the staff of the Federal Office for Information Security (BSI). Essentially, the German IT Security Act 2.0 pursues four goals: strengthening the role of the BSI; expanding the content of obligations for operators of critical infrastructure and other companies in the special public interest; introduction of a uniform IT security label to protect consumers; and strengthening the state’s protective function.
One of the most significant changes is that the Act on the BSI (BSIG) now also provides for special obligations for ‘enterprises in the special public interest’. This initially includes companies that are of considerable economic importance for Germany or that are of essential importance for such companies as suppliers because of their unique selling propositions (see section 2(14) BSIG).
IT security is not only a focus at national level but also a high priority for the European Union. In terms of IT security, the EU legislator has primarily set standards for the entire EU with the NIS Directive ((EU) 2016/1148), which was already implemented in the German BSIG in June 2017. Meanwhile, a revised NIS 2 Directive is emerging. On 13 May 2022, a political agreement was reached on this. The NIS 2 Directive is now subject to formal approval by the European Parliament and the Council. In particular, it is becoming apparent that the NIS 2 Directive will expand the current scope by adding new sectors and services as essential or important entities (eg, providers of public electronic communications networks and services, digital service providers such as social networking service platforms, food businesses, healthcare providers, postal service providers and operators of ground-based infrastructure that support the provision of space-based services). Also, the NIS 2 Directive will provide for minimum standards for a regulatory framework of cybersecurity risk management measures for companies (eg, risk analysis and information system security policies, incident handling including a process for incident reporting, supply chain security and the use of cryptography and encryption).
In all likelihood, the German IT Security Act 2.0 will also soon have to be adapted to the new NIS 2 Directive in scope and measures.
IT security and cloud applications are also increasingly in the focus of the German Federal Financial Supervisory Authority (BaFin). The main purpose of the financial supervisory regulations on digital outsourcing is to prevent financial institutions and insurance companies from losing the ability to control or steer, as this could impact control by the supervisory authorities. Where activities and processes are outsourced, the supervised enterprise thus continues to be responsible for compliance with all applicable statutory provisions. Regulatory standards regarding IT security in the financial sector are subject to strong dynamics, which places high demands on the monitoring of the legal situation by supervised companies.
Numerous guidelines can be found at national and European level, which provide detailed specifications of the legal requirements for cybersecurity standards.
Banks and financial institutions must, among other things, comply with the requirements of the European Banking Authority (EBA) guidelines on outsourcing, which entered into force on 30 September 2019. They should now complete the documentation of all existing outsourcing arrangements in line with these EBA Guidelines, in certain cases by no later than 31 December 2021. At the national level, banks must comply in particular with the circular concerning new minimum requirements for risk management (MaRisk) last updated by BaFin on 10 August 2021.
With regard to insurance companies, the new European Insurance and Occupational Pensions Authority (EIOPA) Guidelines on outsourcing to cloud service providers apply from 1 January 2021 to all cloud outsourcing arrangements entered into or amended on or after this date. Insurance companies should review and amend existing cloud outsourcing arrangements related to critical or important operational functions or activities accordingly with a view to ensuring compliance with these EIOPA Guidelines by 31 December 2022. At the national level, insurance companies must comply in particular with the circular concerning supervisory requirements for IT services in the insurance sector (VAIT) last updated by BaFin on 3 March 2022.
2 When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?
There are two key factors that organisations must assess when deciding whether to notify supervisory authorities and data subjects. (i) What data protection role does the organisation have for the personal data that is affected by the personal data breach: controller or processor? (ii) What risks for data subjects result from the personal data breach?
Controllers (ie, entities that decide the means and purposes of the processing of personal data) are subject to risk-based notification and communication obligations. According to article 33(1) GDPR, controllers must notify any personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to natural persons. According to the wording of the law, even personal data breaches that result in a low risk would have to be notified. In practice, however, German data protection authorities seem to understand the term ‘unless the personal data breach is unlikely to result in a risk’ as ‘unless the personal data breach only results in a low risk’. Against this background, some German supervisory authorities do not expect controllers to notify personal data breaches with only low risks.
Controllers must notify personal data breaches without undue delay and, where feasible, not later than 72 hours after having become aware of it. Where the notification to the supervisory authority is not made within 72 hours, it must be accompanied by reasons for the delay (article 33(1) GDPR). When a personal data breach is likely to result in a high risk to data subjects, controllers must communicate the personal data breach to the affected data subjects without undue delay (article 34(1) GDPR). Where such individual communication would involve disproportionate effort, controllers must issue a public communication or take similar measures whereby the data subjects are informed in an equally effective manner (article 34(3)(c) GDPR).
Processors (ie, entities that process personal data exclusively on behalf of one or more controllers) are not required to notify personal data breaches to supervisory authorities or communicate personal data breaches to data subjects. However, by law, processors must notify controllers without undue delay after becoming aware of a personal data breach (article 33(2) GDPR). Typically, this notification obligation is also included in data processing agreements between controllers and processors.
3 What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?
One of the biggest issues that companies have to deal with when it comes to personal data breaches is to identify any security incidents in the first place. In particular, this requires raising awareness and training employees on a regular basis to ensure that employees recognise security incidents and report such incidents internally.
Another major issue for organisations in practice is gathering the relevant facts on the security incident to determine whether an incident actually qualifies as a personal data breach, which may require notification to supervisory authorities and communication to data subjects. In particular, as the GDPR does not provide specific instructions and reliable criteria for the assessment of the risks of personal data breaches, the risk assessment is also proving to be a big challenge for many organisations in practice.
As already pointed out above, controllers must notify data breaches without undue delay and, where feasible, not later than 72 hours after having become aware of them. These quite short statutory deadlines for notifications pose major challenges for organisations in practice. To be able to meet these challenging notification obligations, organisations require robust and reliable data breach management processes. Such processes should be defined in a dedicated data breach policy that clearly outlines the essential steps to manage any data breaches. The processes should be tested in ‘fire drills’ on a regular basis and improved based on the results of these exercises.
In order to mitigate possible adverse effects of any personal data breach, organisations must take appropriate measures as soon as possible. In particular, organisations may avoid communication obligations towards data subjects if subsequent measures ensure that any high risks to data subjects are no longer likely to materialise (see article 34(3)(b) GDPR). In order to be able to take the necessary steps right away, organisations have to be well prepared for dealing with personal data breaches. Again, this requires robust and reliable data breach management processes that should be laid down in a data breach policy.
When notifying personal data breaches to supervisory authorities and communicating personal data breaches to data subjects, organisations must disclose rather comprehensive information on the incident at hand. The notification to supervisory authorities and communication to data subjects must include a description of the nature of the personal data breach, a description of the likely consequences of the personal data breach as well as a description of the measures taken or proposed to be taken by the controller to address the personal data breach (see articles 33(3) and 34(2) GDPR). The communication to data subjects must be in clear and plain language (article 34(2) GDPR).
Controllers must document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance (article 33(5) GDPR). In order to meet these requirements – also in light of the statutory accountability obligation (article 5(2) GDPR) – controllers must comprehensively document any personal data breaches, even where the breaches do not require notification.
4 What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?
A key issue and prerequisite for improving cybersecurity preparedness is that companies know their IT systems, business processes and the data involved, as well as the relevant service providers involved. This knowledge allows them to assess the relevant risks associated with particular data, systems and processes and to take appropriate measures on the basis of a risk-based approach. Although the GDPR requires companies to document all that information, at least to the extent personal data are involved, in our experience many companies have serious backlogs in that regard in practice.
Based on a profound knowledge of their relevant systems, data and processes, companies strive to improve cybersecurity and the hardening of their systems from a mere technical point of view. In that context, they have to consider the various legal requirements for adequate IT security, not only GDPR requirements but also industry- and sector-specific requirements as already detailed above.
Beyond that, companies work out emergency plans. In that context, they also need to identify the individual legal requirements to be considered in the event of an emergency. From a GDPR point of view, it is essential to have a data breach policy and additional standard operating procedures with detailed guidance on who has to do what in which sequence. The relevant steps and measures to be taken need to be described in a way that is easy to understand and, even under stress and pressure, can be executed step by step. That also includes practical criteria for assessing whether a cyber incident actually involves a personal data breach, criteria for assessing the risk of a personal data breach, criteria for whether a data breach has to be notified to the data protection authorities and criteria for whether data subjects also have to be informed. Notification obligations to authorities, in particular the BSI, can also result from the German IT Security Act as well as other industry-specific requirements, for example, in the fields of banking and insurance. The involvement of and cooperation with police and public prosecutors should also be considered in emergency plans, as they will often be involved in connection with cyberattacks. Furthermore, insurance topics have to be considered, in particular guidance on whether and to what extent relevant insurance policies exist, when and how insurers have to be involved and what other obligations have to be considered in order not to endanger insurance coverage. For ransomware attacks, it has to be considered whether ransom payments infringe national or international laws, in particular sanctions under EU and US law for facilitating ransomware payments. From a company law point of view, an emergency plan should include guidance on whether and when ad hoc information may need to be issued in the event of a cyberattack.
Last but not least, employees have to be trained on emergency plans, and companies are well advised to also simulate actual emergencies to further improve their cybersecurity preparedness.
5 Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?
The use of cloud services by both private and public organisations is on the rise in Germany, like everywhere else. The advantages are obvious: cloud services allow ubiquitous data access for employees around the world, they are often more cost-efficient than building a local server infrastructure, and many cloud providers are today highly reputable and ensure the highest levels of security, availability and redundancy. On the other hand, a company should also weigh the risks when considering whether to rely on external cloud systems for the hosting of personal data. In particular, cloud providers are popular targets for cyberattacks, which may create additional risks for data security and privacy. In our experience, organisations should consider two important aspects: where the cloud servers are located and how the data is protected (ie, whether the provider offers sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement state-of-the-art technical and organisational measures).
From a data protection law perspective, cloud services are typically considered a form of controller–processor relationship. The parties are therefore required to conclude a data processing agreement (article 28 GDPR). The controller and processor may choose to negotiate an individual contract containing the compulsory elements set out in article 28 GDPR. Alternatively, the parties can use, in whole or in part, standard contractual clauses that the Commission recently adopted in June 2021 (see article 28(7) GDPR).
The use of cloud services often involves data transfers to recipients outside the EU, which are subject to particular restrictions. The GDPR (articles 44 et seqq.) requires the data exporter and the data importer to rely on a numerus clausus of transfer mechanisms, of which, in the context of cloud services, standard contractual clauses (SCCs) are probably the most relevant. This is true in particular since the CJEU invalidated the EU/US Privacy Shield in its Schrems II judgment of July 2020. But the CJEU’s ruling also put international transfers based on SCCs under pressure. According to the Court, data exporters must ensure that importers are able to guarantee the inviolability of the received data, which primarily depends on local surveillance laws and government competences for access to personal data.
Partly in response to this unsatisfactory legal situation, the EU Commission has now published new SCCs for transfers to third countries (article 46(2)(c) GDPR), replacing the previous versions from 2001. For controllers and processors currently using previous sets of SCCs, there is a transition period of 18 months. Even though the new SCCs contain a provision dealing with the effects of local laws on the compliance of data transfers, due to their nature as contractual clauses they ultimately cannot resolve conflicts with mandatory local law of third countries. Thus, even on the basis of the new SCCs, data exporters will not be able to avoid checking in detail which surveillance laws the data importer is subject to and whether these laws affect the obligations under the SCCs. For this purpose, it is indispensable to analyse the specific data transfers in detail and to determine which laws of the third country apply in each case.
For certain sectors, the use of cloud hosting services is subject to specific regulations. For the use of cloud services by financial services providers, for example, the Federal Financial Supervisory Authority (BaFin) has issued guidance addressed to all regulated financial services providers. Under that guidance, the use of cloud services by financial services providers is not permitted to result in a situation where the responsibility for the outsourced activities and processes is delegated to the cloud provider. Where activities and processes are outsourced to a cloud provider, the financial services provider continues to be responsible for compliance with all applicable statutory regulations. To that end, the guidance suggests a number of requirements for terms that should be included in the cloud services agreement, for example, in terms of information security, authorisation management, emergency measures and control rights. This also includes that the cloud services provider must commit to cooperate with the supervisory authorities, including tolerating any on-site inspections. If the cloud provider does not agree to such terms, the financial services provider will be precluded from using the cloud for important functions.
6 How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?
Following the increase in cybersecurity threats in recent years, the German government has started to implement systems and strategies addressing this growing concern. Central to formulating measures against cybersecurity threats is the BSI. Its role ranges from developing and enforcing binding IT security standards and raising awareness of the importance of internet security among the population to protecting federal networks and German industry against attacks and vulnerabilities.
The BSI has published a cybersecurity strategy, which outlines Germany’s position regarding cyber threats, the roles of each institution and long-term goals. The latest strategy was published in 2016 and was revised in 2021, highlighting 30 measures in the following four fields of action: (i) increasing digital awareness/competencies, such as introducing two-factor authentication and other consumer-friendly cybersecurity measures; (ii) increasing cooperation between the state and the industry, such as creating ‘risk assessment’ processes for companies to assess their own risk for cyberattacks as well as creating cybersecurity certifications; (iii) creating effective and sustainable state infrastructure for cybersecurity by creating a clear course of action on how to deal with software vulnerabilities; and (iv) actively engaging with European and international cybersecurity politics to fight cyber crime.
Apart from the BSI, there are several other institutions that address cyber crime. This includes the National Cyber Defence Centre, which was established in 2011 to identify and respond to attacks on governmental and economic IT infrastructure, as well as to work with the German government in creating more effective preventative measures.
Another important agency to highlight is the Central Office for Information Technology in the Security Sector (ZITiS), which was founded in 2017. ZITiS is neither a police nor an intelligence agency, and has no regulatory powers but rather acts as a service provider for the security and intelligence authorities in Germany and supports them by pooling technical expertise in the areas of telecommunication surveillance, digital forensics, cryptanalysis and big data analysis.
Finally, the National Cyber Security Council plays a key role in consulting the government in terms of its strategic orientation in fighting cybercrime and comprises different stakeholders that provide balanced perspectives to the government.
7 When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?
In our experience, it is still common among advisers and companies to underestimate risks resulting from privacy and data security issues in M&A deals. These issues are often at the (commercial) heart of a transaction and therefore essential for long-term success and post-closing integration.
In our view, the most relevant factors for a risk-adequate approach to privacy and data security in M&A transactions can be summarised as follows.
First, it is essential early in the M&A process to understand the business model of the target company and the details of how it has structured data processing in its commercial operations. This requires a thorough due diligence of the target’s IT systems and commercial operations to determine whether personal data, in particular customer data, is lawfully collected and to identify potential limitations in using the data as intended post-closing. Against the background of increased cyberattacks, due diligence should also pay particular attention to whether business secrets, critical know-how and personal data have been properly protected by the target and its group of companies. Valuations of companies depend more and more critically on IT security, and intruders are becoming increasingly sophisticated. Any and all issues should be addressed through appropriate and custom-tailored language in the representations, warranties and post-closing undertakings in the deal documentation.
The second area concerns the structuring of the (bidding and) transaction process. Setting up a straightforward, risk-sensitive and compliant privacy structure for the transaction process early on is in our experience a top priority. Privacy-related workstreams already start with the selection of the data room provider, the structuring of access levels and content, and setting up clean team agreements for particularly sensitive documents. In later phases of the transaction, for example, issues ranging from employee and customer communications to migration preparation and migration play an important role.
We recommend setting up a data protection ‘step plan’ at an early stage to define and document the legal basis for each data transfer within the transaction and to coordinate such step plan with all parties involved. Letting this slide regularly leads to unpleasant surprises in the critical phase between signing and closing, eg, when a company invokes data protection compliance to inform customers about the deal while another party insists on confidentiality so as not to jeopardise the deal in the home stretch.
Particularities arise in international M&A deals, which can involve the transfer of large amounts of personal data outside the EEA. Companies should make sure that they process such data in full compliance with the GDPR.
The Inside Track
When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?
Clients should ensure that their counsel is familiar with all the relevant kinds of issues that may be involved in cyberattacks. The counsel involved should be used to cooperating with the relevant authorities in order to solve issues as smoothly as possible for the client. Clients should involve a firm that has a cyber risk team available, with specialists in all the different areas of law involved, that is able to react quickly and that cooperates seamlessly and efficiently.
What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?
Different interpretations of the legal requirements and different enforcement practices of 18 individual data protection supervisory authorities at German federal and state level make advising on data protection law in Germany even more interesting.
The relevance of contract drafting is increasing. Outsourcing and cloud contracts must strike the right balance between customer-specific cybersecurity requirements and established service provider standards.
How is the privacy landscape changing in your jurisdiction?
The privacy landscape is still characterised by a large number of unresolved legal issues and a constantly evolving practice. Companies should closely monitor the legal developments and update processes and documentation. Claims for damages following breaches of data privacy were initially rarely enforced; however, claimant-friendly case law has been established on non-material damages following data privacy breaches. Exclusion of liability for minor damage is often no longer considered, and some courts find a victim’s feelings to be damage.
What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?
We have seen a growing number of ransomware attacks. Some of these attacks are prepared very well in advance. One of the most important precautions for companies to mitigate such scenarios is reliable, safe and frequent data backups.