An interview with Noerr PartGmbB discussing privacy & cybersecurity in Germany

This article is an extract from GTDT Market Intelligence Privacy & Cybersecurity 2023.


1 What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?

Since May 2021, the German IT Security Act 2.0 has been in force and serves as the key regulation for cybersecurity in Germany. Essentially, the German IT Security Act 2.0 pursued four goals: strengthening the role of the BSI, expanding the content of the obligations for operators of critical infrastructures and other companies in the special public interest, introducing a uniform IT security label to protect consumers and strengthening the state’s protective function.

However, the German IT Security Act 2.0 will be revised soon, as at the European Union level the Network and Information Security Directive 2.0 (NIS-2 Directive) was passed in December 2022 and now sets (new) minimum legal requirements to be transposed into national law by each EU member state.

The NIS-2 Directive expands the current scope of regulated industries by adding new sectors and new services as essential or important entities (eg, providers of public electronic communications networks, digital service providers (such as social networking service platforms), food businesses, healthcare services, postal service providers). Also, the NIS-2 Directive addresses cybersecurity risk management measures for companies (eg, risk analysis and information system security policies). In addition, cooperation regarding cybersecurity at the EU level is further strengthened.

In Germany, the draft bill for a law implementing the NIS-2 Directive has become available online. The draft provides for a revision and expansion of the current legal framework. It will implement the required changes, especially with regard to the sectors and services specified by the Directive and the catalogue of minimum security requirements in article 21(2) of the Directive. In addition, liability rules are expanded.

On the topic of cyber threats and specifically resilience to such threats, Regulation (EU) No. 2022/2554 on digital operational resilience for the financial sector (DORA) should be mentioned. DORA is a sector-specific regulation for mainly financial entities regarding the security of their network and information systems, including risk management, reporting and digital resilience testing requirements. DORA applies from 17 January 2025. It aims to establish a unified framework for managing cybersecurity and ICT risks in the financial markets, addresses gaps and resolves inconsistencies found in previous legal acts.

To address cybersecurity threats arising mainly from vulnerabilities and a lack of product-related security updates, the EU Commission proposed the Cyber Resilience Act. The proposed regulation mainly requires manufacturers of products with digital elements to meet security requirements over the full life cycle of the product. Like existing regulation in product safety, the proposal also covers monitoring and reporting obligations in the case of incidents.

IT security and cloud applications remain in the focus of the German Federal Financial Supervisory Authority (BaFin). The main purpose of the financial supervisory regulations on digital outsourcing is to prevent financial institutions and insurance companies from losing the ability to control or steer their outsourced activities, as this could impair control by the supervisory authorities. Where activities and processes are outsourced, the supervised enterprise thus continues to be responsible for compliance with all applicable statutory provisions. Regulatory standards regarding IT security in the financial sector are subject to strong dynamics, which places high demands on the monitoring of the legal situation by supervised companies.

Numerous guidelines can be found at national and European level, which provide detailed specifications of the legal requirements for cybersecurity standards:

Banks and financial institutions must, among other things, comply with the requirements of the European Banking Authority guidelines on outsourcing, which entered into force on 30 September 2019. At the national level, banks must comply in particular with the circular concerning new minimum requirements for risk management. An amended draft of the latest circular was published on 26 September 2022 and is expected to become official soon.

2 When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?

There are two key factors that organisations must assess when deciding whether to notify supervisory authorities and data subjects: (1) What data protection role does the organisation have for the personal data that is affected by the personal data breach: controller or processor? (2) What risks for data subjects result from the personal data breach?

Controllers (ie, entities that decide the means and purposes of the processing of personal data) are subject to risk-based notification and communication obligations. According to article 33(1) GDPR, controllers must notify any personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to natural persons. According to the wording of the law, even personal data breaches that result in a low risk would have to be notified. In practice, however, German data protection authorities seem to understand the term ‘unless the personal data breach is unlikely to result in a risk’ as ‘unless the personal data breach only results in a low risk’. Against this background, at least some German supervisory authorities do not expect controllers to notify personal data breaches with only low risks.

Controllers must notify personal data breaches without undue delay and, where feasible, not later than 72 hours after having become aware of it. Where the notification to the supervisory authority is not made within 72 hours, it must be accompanied by reasons for the delay (article 33(1) GDPR). When a personal data breach is likely to result in a high risk to data subjects, controllers must communicate the personal data breach to the affected data subjects without undue delay (article 34(1) GDPR). Where such individual communication would involve disproportionate effort, controllers must issue a public communication or take similar measures whereby the data subjects are informed in an equally effective manner (article 34(3)(c) GDPR).

Processors (ie, entities that process personal data exclusively on behalf of one or more controller(s)) are not required to notify personal data breaches to supervisory authorities or communicate personal data breaches to data subjects. However, by law, processors must notify controllers without undue delay after becoming aware of a personal data breach (article 33(2) GDPR). Typically, such notification obligation is also included in data processing agreements between controllers and processors.

3 What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?

One of the biggest issues that companies have to deal with when it comes to personal data breaches is to identify any security incidents in the first place. In particular, this requires raising awareness and training employees on a regular basis to ensure that employees recognise security incidents and report such incidents internally.

Another major issue for organisations in practice is to gather the relevant facts on the security incident to determine whether an incident actually qualifies as a personal data breach that may require notification to supervisory authorities and communication to data subjects. In particular, as the GDPR does not provide specific instructions and reliable criteria for the assessment of the risks of personal data breaches, risk assessment also proves to be a big challenge for many organisations in practice.

As already pointed out above, controllers must notify data breaches without undue delay and, where feasible, not later than 72 hours after having become aware of it. These quite short statutory deadlines for notifications pose major challenges for organisations in practice. To be able to meet these challenging notification obligations, organisations require robust and reliable data breach management processes. Such processes should be defined in a dedicated data breach policy that clearly outlines the essential steps to manage any data breaches. The processes should be tested in ‘fire drills’ on a regular basis and improved based on the results of such exercises.

To mitigate possible adverse effects of any personal data breach, organisations must take appropriate measures as soon as possible. In particular, organisations may avoid communication obligations towards data subjects if subsequent measures ensure that any high risks to data subjects are no longer likely to materialise (see article 34(3)(b) GDPR). To be able to take the necessary steps right away, organisations have to be well prepared for dealing with personal data breaches. Again, this requires robust and reliable data breach management processes that should be laid down in a data breach policy.

When notifying personal data breaches to supervisory authorities and communicating personal data breaches to data subjects, organisations must disclose rather comprehensive information on the incident at hand. The notification to supervisory authorities and the communication to data subjects must include a description of the nature of the personal data breach, a description of the likely consequences of the personal data breach as well as a description of the measures taken or proposed to be taken by the controller to address the personal data breach (see articles 33(3) and 34(2) GDPR). The communication to data subjects must be in clear and plain language (article 34(2) GDPR).

Controllers must document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance (article 33(5) GDPR). To meet these requirements – also in light of the statutory accountability obligation (article 5(2) GDPR) – controllers must comprehensively document any personal data breaches, even where such breaches do not require notification.

4 What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?

A key issue and prerequisite for improving cybersecurity preparedness is that companies know their IT systems, business processes and the data involved as well as relevant service providers involved. Such knowledge allows them to assess the relevant risks associated with particular data, systems and processes and to take appropriate measures on the basis of a risk-based approach. Although, at least to the extent personal data are involved, the GDPR requires companies to document all that information, in practice, we experience that many companies have serious backlogs in that regard.

Based on a profound knowledge of their relevant systems, data and processes, companies strive to improve cybersecurity and the hardening of their systems from a purely technical point of view. In that context, they must consider the various legal requirements for adequate IT security, not only GDPR requirements but also industry- and sector-specific requirements as already detailed above.

Beyond that, companies work out emergency plans. In that context, they also need to identify the individual legal requirements to be considered in case of emergency. From a GDPR point of view, it is essential to have a data breach policy and additional standard operating procedures with detailed guidance on who must do what in which sequence. The relevant steps and measures to be taken need to be described in a way that is easy to understand and, even under stress and pressure, can be executed step by step. That also includes practical criteria for assessing whether a cyber incident actually involves a personal data breach, criteria for assessing the risk of a personal data breach, criteria for whether a data breach has to be notified to the data protection authorities and criteria for whether data subjects also have to be informed.

Notification obligations to authorities, in particular the Federal Office for Information Security (BSI), can also result from the German IT Security Act as well as other industry-specific requirements, for example, in the fields of banking and insurance. The involvement of and cooperation with police and public prosecutors should also be considered in emergency plans, as they will often be involved in the context of cyberattacks.

Furthermore, insurance topics have to be considered, in particular guidance on whether and to what extent relevant insurance policies exist, when and how insurers have to be involved and what other obligations have to be considered in order not to endanger insurance coverage. For ransomware attacks, it must be considered whether ransom payments infringe national or international laws, in particular sanctions under EU and US law for facilitating ransomware payments. From a company law point of view, an emergency plan should include guidance on whether and when ad hoc information may need to be issued in case of cyberattacks.

Last but not least, employees must be trained on emergency plans, and companies are well advised to also simulate actual emergencies to further improve their cybersecurity preparedness.

5 Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?

The use of cloud services by both private and public organisations is on the rise in Germany, as everywhere else. The advantages are obvious: cloud services allow ubiquitous data access for employees around the world, they are often more cost-efficient than building a local server infrastructure, and many cloud providers are today highly reputable and ensure the highest levels of security, availability and redundancy. On the other hand, a company should also weigh the risks when considering relying on external cloud systems for the hosting of personal data. In particular, cloud providers are popular targets of cyberattacks, which may create additional risks for data security and privacy. In our experience, organisations should consider two important aspects: where are the cloud servers located, and how is the data protected (ie, does the provider offer sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement state-of-the-art technical and organisational measures?).

From a data protection law perspective, cloud services are typically considered a form of controller-processor relationship. The parties are therefore required to conclude a data processing agreement (article 28 GDPR). The controller and processor may choose to negotiate an individual contract containing the compulsory elements set out in article 28 GDPR. Alternatively, the parties can use, in whole or in part, standard contractual clauses that the Commission has very recently adopted in June 2021 (see article 28(7) GDPR).

The use of cloud services often involves data transfers to recipients outside the EU, which are subject to particular restrictions. The GDPR (articles 44 et seqq) requires the data exporter and the data importer to rely on a numerus clausus of transfer mechanisms, of which, in the context of cloud services, standard contractual clauses (SCCs) are probably the most relevant. This is true in particular since the CJEU invalidated the EU/US Privacy Shield in its Schrems II judgment of July 2020. But the CJEU’s ruling also put international transfers based on SCCs under pressure. According to the Court, data exporters must ensure that importers are able to guarantee the inviolability of the received data, which primarily depends on local surveillance laws and government powers to access personal data.

Partly in response to this unsatisfactory legal situation, the EU Commission has now published new SCCs for transfers to third countries (article 46(2)(c) GDPR), replacing the previous versions from 2001. For controllers and processors using previous sets of SCCs, there was a transition period of 18 months, which expired at the end of 2022. Even though the new SCCs contain a provision dealing with the effects of local laws on the compliance of data transfers, due to their nature as contractual clauses they ultimately cannot resolve conflicts with mandatory local law of third countries. Thus, even on the basis of the new SCCs, data exporters will not be able to avoid checking in detail which surveillance laws the data importer is subject to and whether these laws affect the obligations under the SCCs. For this purpose, it is indispensable to analyse the specific data transfers in detail and to determine which laws of the third country apply in each case. The US government and the EU Commission are currently working on a successor to the EU/US Privacy Shield, the so-called EU–US Data Privacy Framework. The White House has released an executive order detailing privacy commitments by the US to the EU. On that basis, the EU Commission has launched an adequacy procedure involving the relevant EU institutions, which is still ongoing. It is currently unclear if or when the procedure will result in a binding adequacy decision providing a secure legal basis for data transfers to the US.

For certain sectors, the use of cloud hosting services is subject to specific regulations. For the use of cloud services by financial services providers, for example, the Federal Financial Supervisory Authority (BaFin) has issued guidance addressed to all regulated financial services providers. Under that guidance, the use of cloud services by financial services providers is not permitted to result in a situation where the responsibility for the outsourced activities and processes is delegated to the cloud provider. Where activities and processes are outsourced to a cloud provider, the financial services provider continues to be responsible for compliance with all applicable statutory regulations. To that end, the guidance sets out a number of requirements for terms that should be included in the cloud services agreement, for example, in terms of information security, authorisation management, emergency measures and control rights. This also includes that the cloud services provider must commit to cooperating with the supervisory authorities, including tolerating any on-site inspections. If the cloud provider does not agree to such terms, the financial services provider will be precluded from using the cloud for important functions.

6 How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?

Following the increase in cybersecurity threats in recent years, the German government has started to implement systems and strategies addressing this growing concern. Central to formulating measures against cybersecurity threats is the Federal Office for Information Security (BSI). Its role ranges from developing and enforcing binding IT security standards and raising awareness of the importance of internet security among the population to protecting federal networks and German industry against attacks and vulnerabilities.

The BSI has published a cybersecurity strategy, which outlines Germany’s position regarding cyber threats, the roles of each institution and long-term goals. The latest strategy highlights measures in the following four fields of action. First, improving safe and self-determined behaviour in a digitalised environment by increasing digital awareness and competencies, such as introducing two-factor authentication and other consumer-friendly cybersecurity measures. Second, increasing cooperation between the state and industry, such as establishing a cooperative communication platform on cyberattacks between the state, business, science and society, or promoting research and development of resilient, secure IT products, services and systems for the EU internal market. Third, creating effective and sustainable state infrastructure for cybersecurity by creating a clear course of action on how to deal with software vulnerabilities. Fourth, actively engaging with European and international cybersecurity politics to fight cybercrime.

Apart from the BSI, there are several other institutions that address cybercrime. These include the National Cyber Defense Center, which was established in 2011 to identify and respond to attacks on governmental and economic IT infrastructure, as well as to work with the German government in creating more effective preventative measures.

Another important agency to highlight is the Central Office for Information Technology in the Security Sector (ZITiS), which was founded in 2017. ZITiS is neither a police nor an intelligence agency and has no regulatory powers; rather, it acts as a service provider for the security and intelligence authorities in Germany and supports them by pooling technical expertise in the areas of telecommunication surveillance, digital forensics, cryptanalysis and big data analysis.

Finally, the National Cyber Security Council plays a key role in consulting the government in terms of their strategic orientation in fighting cybercrime and comprises different stakeholders from economy and society that provide balanced perspectives to the government.

7 When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?

In our experience, it is still common among advisers and companies to underestimate risks resulting from privacy and data security issues in M&A deals. In fact, these issues are often at the (commercial) heart of a transaction and therefore essential for long-term success and post-closing integration.

In our view, the most relevant factors for a risk-adequate approach to privacy and data security in M&A transactions can be summarised in two ways.

First, it is essential early in the M&A process to understand the business model of the target company and the details of how it has structured data processing in its commercial operations. This requires thorough due diligence of the target’s IT systems and commercial operations to determine whether personal data, in particular customer data, is lawfully collected and to identify potential limitations on using the data as intended post-closing. Against the background of increased cyberattacks, due diligence should also pay particular attention to whether business secrets, critical know-how and personal data have been properly protected by the target and its group of companies. Valuations of companies increasingly depend on IT security, and intruders are becoming increasingly sophisticated. Any and all issues should be addressed through appropriate and custom-tailored language in the representations, warranties and post-closing undertakings in the deal documentation.

The second area concerns the structuring of the (bidding and) transaction process. Setting up a straightforward, risk-sensitive and compliant privacy structure for the transaction process early on is in our experience a top priority. Privacy-related workstreams already start with the selection of the data room provider, the structuring of access levels and content, and setting up clean team agreements for particularly sensitive documents. In later phases of the transaction, for example, issues ranging from employee and customer communications to migration preparation and migration play an important role.

We recommend setting up a data protection ‘step plan’ at an early stage to define and document the legal basis for each data transfer within the transaction and coordinate such step plan with all parties involved. Letting this slide regularly leads to unpleasant surprises in the critical phase between signing and closing (eg, when a company invokes data protection compliance to inform customers about the deal while another party insists on confidentiality so as not to jeopardise the deal in the home stretch).

Particularities arise in international M&A deals that can involve the transfer of large amounts of personal data outside the EEA. Companies should make sure that they process such data in full compliance with the GDPR.


The Inside Track

When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?

Clients should ensure that their counsel is familiar with all the different kinds of issues that may be involved in cyberattacks. That is not limited to data security law and data protection law but also includes legal topics in criminal law, insurance law, sanctions law and company law. Furthermore, the counsel involved should be used to cooperating with the relevant authorities to resolve issues as smoothly as possible, to protect the client against escalations, fines and other disadvantages beyond the actual incident. As all these competences will typically not be concentrated in one person, clients should involve a firm that has a cyber risk team available with specialists in all the different areas of law involved, that is able to react quickly and that cooperates seamlessly and efficiently.

What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?

The GDPR, which strongly harmonises data protection law in the EU, still leaves some room for more specific provisions in the national law of EU member states in certain areas (eg, in the employment context), which still results in a rather fragmented and complex data protection law landscape. In Germany, the specific data protection laws of the 16 federal states further contribute to this complex legal landscape. Different interpretations of the legal requirements and different enforcement practices of 18 individual data protection supervisory authorities at the German federal and state level make advising on data protection law in Germany even more interesting.

With increasing regulation of cybersecurity, the relevance of contract drafting also increases.

How is the privacy landscape changing in your jurisdiction?

The privacy landscape is still characterised by a large number of unresolved legal issues and a constantly evolving practice of authorities and courts. Numerous new sector-specific regulations, like the IT Security Act 2.0 or the Telecommunications-Telemedia-Data Protection Act, both of which have been passed in May/June 2021, increase the pace even further. All of this requires companies to closely monitor the legal developments and update processes and documentation in response to the evolving environment. We also notice that the number of privacy-related court proceedings has increased rapidly, which is why we find it important that companies face the challenges of data protection litigation strategically.

What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?

In our practice, we have been experiencing a growing number of ransomware attacks. Some of these attacks are prepared very well in advance: systems and data are encrypted, and attackers make it very difficult to restore data without paying a ransom. One of the most important precautions for companies to mitigate such scenarios is reliable, safe and frequent data backups.
