
Heuking Kühn Lüer Wojtek

Update Data Protection
IP, Media & Technology

No. 62 | 2019-07-22


Draft bill on IT security law 2.0
Dr. Lutz Martin Keppeler


There has been intense work on the IT security law 2.0 since the “German doxing case” of late 2018/early 2019, when large volumes of data on German celebrities and politicians were published. The bill will significantly extend the importance and the competences of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, “BSI”) in matters of information technology. The fact that the BSI's staff is to be almost doubled is indicative of this.

Although it cannot yet be foreseen when the law will be enacted and what its final content will be, it is advisable for all media companies and all companies that produce or sell smart devices in Germany to familiarize themselves with the following important regulations.

1) Introduction of a voluntary IT security label

One of the most interesting innovations is the introduction of a standardized voluntary IT security label. The aim of introducing it is to provide consumers with comprehensible, transparent and uniform information about the IT security of various consumer products and services. This will enable consumers to make an informed well-grounded choice when purchasing their devices.

The new Sec. 9a of the Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, “BSIG”) aims to regulate the conditions for a new IT security label. It is to contain a manufacturer's declaration of certain IT security properties (the manufacturer's “security promises”) and, in addition, dynamic BSI information on any potential security gaps.

This means that products will have an “electronic package leaflet” with additional security information that the buyer can retrieve on the spot while purchasing, via a reference (e.g. a QR code or link on the packaging), and view as current security information on a product information page. It must be possible for the BSI to check this security information dynamically (i.e. regularly) in order to guarantee the credibility of the IT security label.

2) Extension of critical infrastructure to "media companies"

The current obligations of operators of critical infrastructure under the Information Security Law will be broadened to cover further sections of the economy. These include reporting obligations and minimum standard obligations pursuant to Sections 8a and 8b BSIG.

The intended extension will cover the media sector. Although the sector does not fall under critical infrastructure in the narrower meaning of Sec. 2 (10) BSIG, it will be subject to the law if the infrastructure in question is of special public interest in the meaning of Sec. 2 (14)(1) of the amended BSIG. The draft bill gives the following justification: press freedom, freedom of reporting and media pluralism are interests which are protected by the constitution and are cornerstones of the fundamental system of freedom and democracy in Germany. Any influence over or restriction of those interests may have a negative impact on society and on the fundamental system of freedom and democracy.

The nature of the individual thresholds, and whether every blogger or only a few high-circulation press media will be affected, is as yet intentionally unclear. This will likely be defined more closely in a subsequent regulation. Depending on how applicability is configured, many companies could be affected, including forum providers, social networks, operators of communication apps and the press.

3) Increased fines

To bring the new act in line with the GDPR, Sec. 14 (2) BSIG allows for penalties of up to EUR 20,000,000 or up to 4 % of the company's entire global turnover during the previous business year. In this way, the sanctions will reflect the economic clout of the company in question. Previously, the maximum sanction was EUR 100,000, which was considerably too low in proportion to the economic might of critical infrastructure operators.

Basing the fines on the regulations of the GDPR aims to make them effective and appropriate and to act as a deterrent. The aim is to make sanctions for breaches of the measures required to secure facilities as severe as those for breaches of data protection law. This will bring parity to the two regulatory fields.

Section 14 (1) of the amended BSIG includes a revised list of offences that can be sanctioned. This was necessary because the previous sanctions only covered a fraction of the obligations subject to Section 8a BSIG. The list of infringements was fine-tuned in respect of the obligation to make disclosures and to provide evidence. In addition, the use of an IT security label which has been revoked or which has not yet been approved will also result in a fine.

Conclusion

Media operators should be prepared to meet additional and more stringent IT security requirements, even though the mandatory measures will presumably only be laid down in detail at a later stage.

Companies that sell software or smart devices to consumers should give timely consideration to whether they wish to use the voluntary IT security label, and to what “security promises” they can actually make in this context.


Author


Dr. Lutz Martin Keppeler is a lawyer at Heuking Kühn Lüer Wojtek and member of the practice group IP, Media & Technology.

Contact

T +49 211 600 55-168
F +49 211 600 55-160
E datenschutz@heuking.de

Visit our website with a focus on data protection law: Microsite Data Protection

Task Force Data Protection (Heuking Kühn Lüer Wojtek)

Dr. Christian Appelbaum
Dr. Ubbo Aßmus
Dr. Felix Drefs
Alexa Finke, LL.M.
Regina Glaser, LL.M.
Torsten Groß, LL.M.
Maike Katharina Hinz
Britta Hinzpeter, LL.M.
Dr. Thomas Jansen
Dr. Philip Kempermann, LL.M.
Dr. Lutz Martin Keppeler
Dr. Markus Klinger
Michael Kuska, LL.M., LL.M.
Astrid Luedtke
Marcel Maybaum
Antje Münch, LL.M.
Dr. Søren Pietzcker, LL.M.
Dr. Wolfgang G. Renner, LL.M.
Dr. Dirk Stolz
Dr. Frederik Wiemer
Dr. Florian Winzer
Dr. Hans Markus Wulf
© 2019 Heuking Kühn Lüer Wojtek

PartGmbB von Rechtsanwälten und Steuerberatern*
Georg-Glock-Str. 4, 40474 Düsseldorf

* Data protection information / register details / list of partners: www.heuking.de

Information on how Heuking Kühn Lüer Wojtek handles your personal data,
the purposes for processing your data, the legal basis for processing,
and on your rights can be found at www.heuking.de.