The steady advance of digitalization means that data processing is becoming an integral part of all areas of life. Numerous digital services and products have long since become an integral part of many people's everyday lives. Individual data processing systems can no longer be viewed in isolation from one another. Rather, the rapid development of technology has led to the progressive networking of various IT systems whose data processing processes are inextricably linked. At the same time, ever larger volumes of data can be processed, whereby the processing is mostly automated and increasingly carried out using artificially intelligent algorithms. All of this leads to complex data processing structures that are difficult to understand in individual cases, often with multi-layered constellations of stakeholders. As data processing regularly relates to personal data, the developments outlined above pose considerable challenges for data protection and IT security from a legal perspective.

The research project “Systematic privacy for large, real-life data processing systems” of the National Research Center for Applied Cybersecurity ATHENE is dedicated to these legal challenges. The opportunities and risks of large data processing systems are being examined from a legal perspective. Possible measures are being developed which, on the one hand, do not hinder technical progress and, at the same time, guarantee adequate protection of the rights of natural persons when processing their personal data. In order to adequately take into account the increasing system networking, a holistic approach is being pursued that takes into account the entire digital network, including its various dimensions and players. 

The University of Kassel, Chair for Public Law, IT Law and Environmental Law (Prof. Dr. Hornung, LL.M.), is concerned with the IT security requirements for large data processing systems. If personal data is processed by big data applications or artificially intelligent algorithms, this leads to considerable challenges for IT security. In this context, the need for protection of the person affected by the data processing is insufficiently addressed de lege lata. For example, the BSIG and the BSI-KritisV do not address this aspect in the area of IT security regulation for critical infrastructures (KRITIS). With the IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0), the category of “companies in the special public interest” was introduced in the BSIG. However, companies have significantly reduced obligations compared to the KRITIS sector. Art. 32 GDPR does set out requirements for controllers and processors with regard to the security of personal data processing. However, its “risk-based approach” leads to considerable uncertainty as to which specific measures are required in individual cases. In contrast to the KRITIS sector, there is also a lack of a catalogue of requirements issued by the authorities. It is also largely unclear what role the cybersecurity certification introduced at European level and the new German IT security label can play here in the future.

The University of Kassel first examines the possibility of operationalizing Art. 32 GDPR for large data processing systems. This is done with reference to existing risk models and approaches of data protection supervisory authorities (e.g. the German standard data protection model). The existing need for regulation is then identified. This also includes mechanisms for self-regulation and the question of binding and non-binding IT security standards. The effects of the IT Security Act 2.0 on the IT security requirements for large data processing systems are then assessed. The focus here is particularly on the new obligations for large companies and the newly introduced IT security label. Finally, regulatory proposals for the design of the law at European and national level, which are currently being drafted, will be accompanied and evaluated.

The project is coordinated by the Fraunhofer Institute for Secure Information Technology SIT (Dr. Annika Selzer). The Goethe University Frankfurt (Prof. Dr. Indra Spiecker gen. Döhmann, LL.M.) and the Hochschule Darmstadt, University of Applied Sciences (Prof. Dr. Thomas Wilmer) are also involved in the implementation of the project.

For further information see the ATHENE website.

Funding:
Federal Ministry of Education and Research and Hessian Ministry of Higher Education, Research and the Arts

Duration:
January 2022 - December 2025

Project leader:
Prof. Dr. Gerrit Hornung, LL.M.

Staff:
Till Schaller
Maximilian Büscher