‘Menschen, Daten, Sensationen’

Rudi's report from the data circus, supplemented by Frank's encore

Issue 98 (CW 43-45/2024)

Published on 14 November 2024

Here is the 98th blog post "People, data, sensations - Rudi's report from the data circus, supplemented by Frank's encore (week 43-45/2024)". Please don't ask when exactly the weekly numbering got a little out of hand, but I can confirm that you haven't missed any reports, even if this post definitely doesn't cover the last three weeks, but rather only week 45. Mysteries upon mysteries ... Anyway, here is the latest, now 98th blog post.

We wish you a good read, Rudi Kramer and Frank Spaeing

1.1 EDPB: Report on the evaluation of the EU-US DPF

Even if, after the US election, you have doubts about how much of it is still worth reading: the day before the election, the EDPB published its report on the evaluation of the EU-US Data Privacy Framework. The EDPB encourages, among other things, the development of guidance by the US authorities clarifying the requirements that DPF-certified companies must meet when transferring personal data received from EU exporters. Guidance from the US authorities on personal data would also be welcome. The EDPB agrees to provide feedback on these guidelines. The practical functioning of the various safeguards, e.g. the implementation of the principles of necessity and proportionality, should also be monitored. The EDPB also recommends that the Commission monitor future developments in relation to the U.S. Foreign Intelligence Surveillance Act, particularly in light of the expanded scope of Section 702 following its reauthorization by the U.S. Congress earlier this year. The BfDI was there.

1.2 Global Privacy Assembly: Resolution for trustworthy international data traffic

The BfDI reports that the conference of the Global Privacy Assembly has adopted a resolution with recommendations on trustworthy international data traffic, or Data Free Flow with Trust (DFFT).

1.3 LfDI Baden-Württemberg: Municipal champions honored

The LfDI Baden-Württemberg has announced the winners of its competition. Four local authorities were recognized for their exemplary work in the area of data protection and freedom of information. An expert jury made up of representatives from the Gemeindetag, Städtetag, Landkreistag and the State Commissioner awarded the prize in the area of data protection to the Neckar-Odenwald district office. The city of Offenburg impressed the jury in the area of freedom of information. The jury also awarded two special prizes for particularly far-sighted projects to the city of Stuttgart and the city of Freiburg. We recommend taking a closer look at the award-winning projects, especially as contact persons are also provided for queries.

1.4 BBfDI: Newsletter

The Berlin BfDI now also offers a newsletter which provides information about its work, events and publications.

1.5 BBfDI: Standard process for administrative digitization

The BBfDI reports that the standard data protection process was created as a result of the consultations on administrative digitization: Together with the IT Service Centre Berlin (ITDZ), a comprehensive guideline was created that offers public authorities in the state of Berlin assistance with data protection-compliant digitization. Authorities can use it to implement the data protection requirements themselves and meet their legal obligations. The standard process published in September 2024 is divided into three sections:

  • First, the specific standard process steps for implementing the data protection requirements are presented. These are based on the project management manual of the state of Berlin.
  • This is followed by an overview of when and how data protection officers and data protection supervisory authorities are to be involved.
  • Finally, there are three handouts that address specific implementation requirements and highlight the data protection requirements, for example in the project environment analysis, in procurement procedures or in the data protection impact assessment.

Although a number of slides have been published, the project manual itself is only available within the Berlin administration.

1.6 Saxony: Control led to improvement on 1,500 websites

The Saxon Data Protection and Transparency Officer (SDTB) reports on its website that more than 1,500 website operators had improved their sites as a result of a large-scale audit. During an inspection in May, it discovered the illegal use of Google Analytics on 2,300 of 30,000 websites in Saxony. In all of these cases, data was collected with the web analysis service without the visitors having previously consented to the setting of Analytics cookies and/or the establishment of server connections to Google Analytics. Those responsible who continue to process user data unlawfully with Google Analytics despite the SDTB's request must now expect sanctions.

1.7 HmbBfDI: Overview of case law on the right to be forgotten

The HmbBfDI provides information on its website on the current case law of the Federal Court of Justice and the European Court of Justice on the right to be forgotten. Both the BGH and the ECJ have dealt with deletion claims this year. For example, a right to erasure can also be fulfilled by deletion on the relevant website or by removing the content from the search engine.

1.8 LDI NRW: Requirements for video surveillance at Christmas markets

Seasonally topical information from the LDI NRW on the permissibility of video surveillance at Christmas markets. And as is often the case with lawyers, "it depends". And in this case, it depends on the respective risk situation.

1.9 Netherlands: Consultation on manipulative AI systems

The Dutch supervisory authority published an appeal for submissions on the ban on AI systems. This call for comments addresses two of the prohibitions in the AI Regulation: manipulative and deceptive AI systems (Prohibition A) and exploitative AI systems (Prohibition B). The call for comments sets out specific criteria for the bans and poses several questions. The comments can be submitted until November 17, 2024.

1.10 Netherlands: Consultation on emotion recognition with AI

The Dutch supervisory authority published an appeal for input on the ban on emotion recognition AI systems in the workplace and educational institutions. This call is part of a series of calls by the Dutch DPA, which is looking for insights from stakeholders to shape the enforcement of the ban appropriately and to share summaries with other European AI authorities. Stakeholders can submit feedback to the regulator until December 17, 2024.

1.11 Italy: Fines for non-corrected breaches of protection

The data protection authority Garante Privacy fined a company €900,000 for failing to respond to a known and reported security vulnerability in its systems for almost a year, resulting in a personal data breach. In August 2023, the company was the target of a ransomware-like cyber attack that resulted in servers and some workstations being blocked. In particular, the attack resulted in the exfiltration - and in some cases loss of availability - of files containing the personal data of around 25,000 people, including employees, former employees, relatives, company office holders, job applicants and representatives of companies that had business relationships with the company.
The information that was subsequently published on the dark web included personal and contact data, access and identification data, payment data as well as data on criminal convictions and offenses and - for individuals belonging to special categories - data on trade union membership and health status. Although the security breach had first been reported by the software manufacturer (September 2022, with the necessary updates provided in November 2022) and then by the National Cyber Security Agency (November 2022), the company had not updated its systems as recommended.
In doing so, the company had breached its obligations under data protection law, which require it to take technical and organizational measures to ensure a level of security appropriate to the risk. The measure also indicated that the company had not provided exhaustive information about the breach and the measures taken to mitigate or eliminate the identified vulnerabilities in the data breach notification to the data protection authority and in the subsequent addenda, resulting in an extension of the time required for the authority's reviews.
In the adopted measure, the Data Protection Inspectorate ordered the company, in addition to paying the fine of 900,000 euros, to implement an extraordinary measure to analyze the vulnerabilities of its systems, to develop a plan to detect and remedy these vulnerabilities and to establish detection and response times appropriate to the risk.

1.12 ICO: AI tools in recruitment

In the field of HR, you can obviously "wander" seamlessly between English and German terms. So I don't need to change the title "AI Tools in Recruitment" of the British supervisory authority's publication at all. It reports on its investigations into the use of AI in hiring tools and publishes its report on this subject under the title "AI tools in recruitment".

1.13 Australia: Guide to tracking pixels and data protection requirements

The Office of the Australian Information Commissioner (OAIC) has published a guide to the use of tracking pixels and data protection obligations. It contains general considerations for private sector organizations that use third-party tracking pixels on their websites.

1.14 BSI: Survey on AI security

Until November 15, you can still take part in the BSI survey on AI security.

2.1 ECJ preview: Oral hearing WhatsApp v. EDPB

In WhatsApp's appeal against the EDPB's decision (C-97/23 P), the oral hearing is scheduled for 26.11.2024. WhatsApp asserts therein that the General Court, in the proceedings (T-709/21), misinterpreted the concept of 'voidable act' and the case-law of the Court of Justice on Art. 263 TFEU by holding that EDPB binding decision 1/2021 of July 28, 2021 on the dispute between the supervisory authorities concerned (hereinafter the contested decision), subsequent to the draft decision prepared by the Irish data protection authority and concerning WhatsApp, was a mere preparatory act. WhatsApp further argues that the General Court erred in law in its interpretation of the term "binding decision" within the meaning of Art. 65 para. 1 GDPR and the principle of uniform interpretation and application of Union law.

2.2 BGH: Leading decision on non-material damages

The BGH announces that it will make use of the recently introduced option of a leading decision procedure. The decision of the BGH thus provides guidance to the courts of lower instances, but does not bind them. As a rule, however, the courts of lower instances follow the line of the BGH. The subject of these leading decision proceedings are claims for non-material damages arising from Art. 82 GDPR in the so-called Facebook scraping cases. Plaintiffs' representatives are pleased. Frank's addendum: At the request of Mr. Kramer, I am linking two more reports that deal with the content of the procedure. There also appears to be an announcement date of 18.11.2024.

2.3 LG Lübeck: Missing data processing agreement and compensation for damages in the event of a data leak

The LG Lübeck ruled on liability in the event of a data leak at a processor. A data subject was awarded 350 euros in non-material damages following a data leak at the processor of a music streaming service. The streaming service had initially denied everything. It then emerged that it did not have a corresponding agreement with its service provider. The Lübeck Regional Court ruled that, in the absence of a legally compliant data processing agreement under Art. 28 GDPR, even the transfer of data to the (sub)processor is unlawful [RN 79] and can give rise to claims for damages. Since the court was convinced of the data subject's fears based on the hearing at the oral hearing, it also awarded non-material damages (RN 106).

2.4 Aachen Regional Court: Criminal liability of an ethical hacker

We had already reported on the lower-instance decision of the AG Jülich. According to this report, the Regional Court of Aachen has now confirmed the verdict in the Modern Solution case, in which charges were brought against a service provider after he uncovered a security vulnerability at Modern Solution on behalf of another customer. The judgment of the Regional Court of Aachen is not final, an appeal has been allowed - and has probably also been lodged. Frank's addendum: I would like to offer a comment here as well.

2.5 OLG Zweibrücken: The number of followers is irrelevant in the case of online insults

A man insulted the former Chancellor in a post about the coverage of the flood disaster in the Ahr valley and was convicted by the Kaiserslautern district court. The Kaiserslautern Regional Court overturned the conviction on the grounds that he only had 417 followers. According to the Regional Court, for insults directed against people in political life under § 188 StGB, the circumstances of the individual case must be taken into account in addition to the statement itself. In addition to the person concerned, this also relates to the scope of the respective publication. The Facebook user's post on his private profile with 417 "friends" did not have the reach to justify criminal liability for his actions. A conviction for (simple) insult would be precluded by the lack of a criminal complaint by the former Federal Chancellor. The OLG Zweibrücken referred the case back to the regional court: the number of followers is irrelevant. Only the content of the statement and not other circumstances were relevant for criminal liability. This was also in line with the intention of the legislature, which had considerably extended the scope of the criminal offence by amending the law shortly before the crime in order to better protect people who are involved in political life from hate and agitation on the internet (the decision of the Higher Regional Court of Zweibrücken is not yet published).

3.1 Legislation in Germany - outlook without the traffic-light coalition

Due to the failure of the last coalition, current legislative procedures are no longer in danger of being completed. This concerns, for example, the BMJ's changes to computer criminal law and Quick Freeze, the BMI's amendments to the BDSG, e.g. on the Data Protection Conference and credit scoring, the plans of the BMI and BMAS for an Employee Data Act, and the plans of the BMI for implementing the requirements of the NIS2 Directive and of the BMJ for the eEvidence Directive. Implementations from the AI Regulation are also still missing.

3.2 DSA: Implementing regulation on transparency reports

The European Commission has adopted an Implementing Regulation which sets out the rules and reporting forms for transparency reporting by providers of intermediary services under the Digital Services Act. The new implementing regulation standardizes the format, content and reporting periods for these transparency reports, in which providers detail their content moderation practices and include specific categories of information. Previously, it was difficult to evaluate and compare the moderation practices of intermediary services due to inconsistencies between reporting practices. The reports also differed greatly in format and interpretation of data categories.

3.3 ENISA: Consultation on technical measures for the NIS2 guidelines

ENISA is developing technical guidance to support EU Member States and institutions in implementing the technical and methodological requirements of the NIS2 cybersecurity risk management measures set out in Commission Implementing Regulation (EU) 2024/2690 of 17.10.2024. In addition, it invites industry representatives from the sector to submit comments on the technical guidelines for the NIS2 implementing act on cybersecurity measures for critical facilities in the digital infrastructure sector by December 9, 2024.

3.4 Bundestag: Hearing on NIS2 implementation

On 04.11.2024, the Bundestag's Committee on Internal Affairs and Homeland Affairs held a two-hour public hearing on the draft law on the implementation of the NIS 2 Directive. The list of experts, their opinions and the recording of the hearing can be found here.

4.1 EU AI Act: A Guide

An international law firm offers a 75-page online guide that provides an introduction to the AI Act in 10 chapters. You can find it here.

4.2 bitkom: Implementation guide for the AI Regulation incl. online tool

bitkom also offers an implementation guide for the AI Regulation which highlights the various aspects on 220 pages. The comprehensive guide is divided into individual audit steps, which are formulated as questions, and supplements the online tool. After an introduction to the objectives and system of the AI Regulation, the assessment begins with the question of whether an AI system within the meaning of the Regulation exists at all. This is followed by questions about the personal and geographical scope of application. The risk classification is then discussed. Depending on which risk class the AI system is assigned to and which group of so-called regulation addressees the company falls into, the compliance requirements of the regulation are dealt with individually one after the other. At the end, providers are given a step-by-step explanation of how compliance can be demonstrated and which ongoing obligations need to be fulfilled. The guide focuses on so-called "AI systems with a specific intended use". It also covers AI models with a general purpose. The online tool mentioned is also available free of charge.

4.3 Five key factors on AI and data protection

Here, key factors such as AI setup, transparency, documentation requirements, how an AI system works and data subject rights under the GDPR are explained clearly.

4.4 Copilot and false messages

Anyone who complains about too much regulation in the use of AI should consider whether they would like to swap places with a court reporter and cultural journalist from Tübingen who has been covering criminal trials for years. It's just silly when Bing's AI chat Copilot now presents him as the perpetrator of various crimes in replies. According to the report, Microsoft took care of a fix - but after a few days the same statements were back in the chat.

4.5 USA: Framework to Advance AI Governance and Risk Management in National Security

The US National Security Council has issued guidelines for federal authorities that use AI in the context of national security and defense, in order to mitigate potential risks from AI and ensure that the use of AI is consistent with the country's core values. It is called "Framework to Advance AI Governance and Risk Management in National Security".

4.6 Liability for AI in a country comparison

This publication from the University of Cambridge deals with liability for AI-generated results under international, EU and UK copyright law: "Infringing AI: Liability for AI-Generated Outputs under International, EU, and UK Copyright Law".

4.7 Increase in electricity demand through AI

This example shows that artificial intelligence is obviously often used by people who may have fallen somewhat short of natural intelligence, as this report shows:

"When texts and images are generated using modern AI models, a lot of electricity is consumed, similar to AI training: According to the expert's calculations, generating an image based on a text query consumes as much energy as half a cell phone charge."

The report also includes a forecast from a study, according to which electricity demand will triple by 2030, so please consider whether every visual supplement must necessarily be created with AI!

4.8 Obligations arising from the AI Regulation

A compilation of the obligations under the AI Regulation was published on LinkedIn, which shows obligations in tabular form by AI system and AI model and below that by provider and operator. Ideally, this should also include a reference to the relevant legal basis from the AI Regulation with a recital.

5.1 Successful cybercrime investigations (online platform "Dstat.CC")

The BKA reports that another successful investigation against cyber criminals has been achieved. In an internationally coordinated operation by the Central Office for Combating Cybercrime (ZIT) of the Public Prosecutor General's Office in Frankfurt am Main with the Hessian State Criminal Police Office (HLKA) and the Federal Criminal Police Office (BKA) on suspicion of various cybercrime offenses, two arrest warrants were executed by officers of the HLKA and extensive evidence was seized. The two suspects, aged 19 and 28 from Darmstadt and the Rhein-Lahn district, are accused of providing and administering various criminal infrastructures on the internet, which were used, among other things, for trafficking in narcotics in non-minor quantities and for computer sabotage by means of so-called DDoS attacks. In addition, the two suspects are accused in the BKA's investigation section of being involved in the operation of the online platform "Dstat.CC". This is a central scene platform which, with a comprehensive listing and evaluation of stresser services, made it possible to carry out DDoS attacks quickly and easily in order to attack websites or other web-based services and restrict their availability or render them completely unresponsive.

5.2 Podcast on cybercrime and digital resilience

And because it goes well with cybercrime and the BKA: Here is a podcast (approx. 29 min.) with the head of the BKA's cybercrime department. The discussion covers not only successful investigations, but also how private and public cyber expertise can interact and what measures companies should take to better protect themselves.

5.3 Hunting criminals on the Internet - Podcast on the book publication

A senior public prosecutor at the Central Office for Combating Cybercrime (ZIT) speaks on the occasion of the publication of her book in this podcast of WDR (25 min.) about her field of activity.

5.4 Podcast on MS 365 Copilot and data protection

In this 48-minute podcast, a data protection expert talks to a Microsoft representative (Modern Work Global Black Belt) about MS 365 Copilot and related issues, including key Copilot features; access to data; historization of prompts and outputs; user input locations and deletion periods; rights management; classification; employee monitoring, protection mechanisms and classification; GDPR Art. 15 information with Copilot - and much more.

5.5 Responsibilities for sub-processors

This publication by a law firm deals with the consequences for practice of Opinion 22/2024 of the EDPB, about which we have already reported. It emphasizes that this opinion already represents a guideline for the interpretation of data protection supervisory authorities.

5.6 BVDW: Dealing with deepfakes

The BVDW publishes a classification of the legal status quo. Even though there are currently no specific legal regulations on the criminal liability of deepfakes, they are already subject to various legal standards. This is the result of a legal classification published by the German Association for the Digital Economy (BVDW). According to this, there are already numerous laws at both European and national level that apply to deepfakes. The eleven-page whitepaper is available here - and the BVDW remains true to itself - the download is only available in return for advertising consent.

5.7 Trusted Flagger according to DSA and data protection

We have already reported on the harsh criticism of the trusted flaggers in the DSA (Digital Services Act). In a follow-up article, the author now deals with the data protection aspects of reports and reporters.

5.8 Basis for the lawfulness of data processing

Not only beginners in data protection topics should read this freely available contribution on the different legal bases from Art. 6 GDPR and their classification in the case law. Not only is the respective ECJ decision included, but the author also reveals where his assessment has changed. Chapeau!

5.9 GI: Concerns due to dependence on Microsoft

It's not entirely new: every well-managed company tries to avoid becoming dependent on suppliers. And every well-run state does not depend on foreign countries. And that's why the German Informatics Society (GI) vehemently warns against the authorities becoming dependent on Microsoft, as reported in detail here. And that even before last week's US election.

5.10 Databases on fines under the GDPR

Due to the current situation, here is a list of the databases of fines under the GDPR that I am aware of: GDPR fines database, GDPR Enforcement Tracker and of course GDPRhub. The EDPB guidelines should also be included: Guidelines 04/2022 for the calculation of fines under the GDPR.

5.11 Cyber risk still underestimated

Somehow it's hard to believe: according to this report on the G Data Index, the cyber risk is underestimated despite the increase in attacks in Germany. Sure - someone will take care of it! The study "Cybersecurity in figures" describes, among other things, the dangerous discrepancy between private and professional IT security perceptions and the corresponding actions of employees:

"It is crucial that each individual recognizes that they must make an active contribution to IT security in order to be prepared against cyber threats."

5.12 Digital preservation of evidence after a cyber incident

We've reported so much about cyber attacks, but what should you do when they actually happen? This is the subject of this blog post, which explains how to proceed to ensure that digital evidence will stand up in court. It explains the most important steps and legal framework conditions that affected companies should observe.

5.13 Report on the ECJ ruling on legitimate interest

We had already reported on the judgment of the ECJ (C-621/22) on economic interests in Art. 6 para. 1 lit. f GDPR. In this blog post, its significance is considered.

5.14 Lecture notes on European data law from the University of Münster

The tireless Institute for Information, Telecommunications and Media Law at the University of Münster has published a 400-page work on "Data Law" in English, as of November 2024.

5.15 Security in computer games

It is well known that computer games offer some risks, such as the gateway to cybergrooming. However, the extent to which these also represent IT security risks must now also be discussed. With one provider, there was a critical security vulnerability which could be used to access over 700 million player accounts.

5.16 Just do it!

Under the title "Just do it", a series of videos here explains the key requirements for company founders from a data protection perspective. The first introductory video lasts 9 minutes.

5.17 Events

14.11.2024, 09:00 - 15:30, Berlin: The BlnBfDI and jugendnetz.berlin invite child and youth work professionals to the 2nd symposium to exchange ideas on how good, contemporary media work can also succeed in working with children and young people while respecting data protection. Further information and registration here.

14.11.2024, on site or online: Since October 10, 2024, the Chamber of Industry and Commerce in Bavaria has been offering on-site seminars as well as webinars on the topic of "Taking a closer look - Effective measures for your IT security". In an easy-to-understand and practical format, companies and organizations are taught what they need to pay attention to: cyber attacks can endanger the existence of companies, which is why IT security is crucial. The eleven events will focus on helping small and medium-sized companies to improve their IT security. Experts from the field of IT security will present various protective measures and practical advice. Details with dates and topics are available here.

The Saarland State Media Authority (LMS) and the German Federal Office for Information Security (BSI) are taking an in-depth look at the AI transformation and its effects in their 9-part lecture series. Further information, including registration for the respective event, can be found in the links. A flyer with further information can be found here.

18.11.2024, 13:00 - 14:30, online: Personal data from various sources (official statistics, registers, household and business surveys) are of great importance in social and economic research. For example, the distributional effects of tax policy measures can only be precisely estimated on the basis of such disaggregated data. Under the title "Personal data in research: opportunities and challenges", an expert will address this topic. Examples of the potential of such data use for research and policy advice will be presented. Practical and legal challenges that arise when anonymizing and linking data from different sources will then be presented. The generation of synthetic data as an alternative or supplement to anonymization will also be addressed. Further information and registration here.

18.11.2024, 14:00 - 15:30, online: On the occasion of the European Day for the Protection of Children from Sexual Exploitation and Sexual Abuse, the German complaints bodies of eco, FSM and jugendschutz.net invite you to the online event "Gemeinsam gegen sexualisierte Gewalt im Netz - Was Fachkräfte wissen müssen". The event is aimed at educational professionals, multipliers and all other interested parties. The German complaints offices will provide insights into their practical work and show what knowledge is essential for the protection of children and young people online. Together with the online advice platform for young people JUUUPORT, they will explain how an age-appropriate reporting form helps young people to report problematic online content. Various options for reporting suspicious content will be discussed and the preventative measures that can help to make the use of online services safer for children and young people will be explained. During the event, there will also be the opportunity to ask questions in the chat. Further information and registration here.

19.11.2024, 14:30 - 18:00, at the CNIL and online: The CNIL reports that it is inviting people to an event on the topic of "Surveillance and the ethics of freedoms". Details of the program have not yet been announced. Under the abbreviation AIR (for avenirs, innovations, révolutions - futures, innovations, revolutions), the CNIL defines its mission, which was given to it by the law for a digital republic. It organizes public debates on the new challenges of digitalization, bringing together experts from the fields of practice and science.

19.11.2024, 18:15 - 19:45, online: As part of the public online lectures "Data protection in practice" at Saarland University, the topic "Highlights from case law and supervisory authority practice on GDPR data subject rights" will be discussed. Further information and access data here.

21.11.2024, 19:00 - 22:00, Zurich: Once a month, hackers, activists and other interested parties meet at the Debattierhaus Karl der Grosse for a net politics evening to discuss topics relating to information technology, networking and its impact on society. On 21.11.2024, the topic will be "The state of data ethics in Switzerland". Further information here.

26.11.2024, 18:15 - 19:45, online: As part of the public online lectures "Data protection in practice" at Saarland University, the topic "Cyber attack in my organization - what to do?" will be discussed. Further information and access data here.

29.11.2024, 14:00 - 18:30, Munich: Representatives of the practice and the BayLDA will deal with current issues. Further information and registration here.

03.12.2024, 15:00 - 16:30, online: The CEDPO has announced an online webinar on LinkedIn. However, apart from naming the panelists, there is no further information or a link yet, not even on the websites of the CEDPO.

28.01.2025, 09:30 - 17:00, Brussels and online: From November 4, 2024, registration is open for a hybrid event in Brussels exploring the current and future landscape of data protection. The main topics to be discussed during the event include the digital agenda under new political mandates, neuroscience, access to data for law enforcement and the future of data protection. Read more here and here.

Different topics are offered in this series; please refer to the website for the exact times and registration options:

  • Issue 3: How should national supervision be structured? 29.01.2025, on site at the Weizenbaum Institute
  • Issue 4: Preparation and implementation of the AI Regulation in the economy, 25.02.2025, online
  • Issue 5: AI Regulation and European innovation and competitiveness, 16.04.2025, online
  • Issue 6: Topic to be announced shortly, 28.05.2025, online
  • Issue 7: Topic to be announced shortly, 09.07.2025, on site at the Bertelsmann Stiftung Berlin

6.1 Hidden lobbying?

Well, it didn't really seem that hidden to me, as is being reported here: According to the report, 29% of contributors to workshops at EU level would not disclose whose interests they represent. Researchers from three NGOs then analysed almost 4,000 registrations for European Commission workshops organized earlier this year to test companies' compliance with the Digital Markets Act (DMA), a law designed to curb anti-competitive behaviour. To check compliance, the Commission organized six workshops in March last year, one for each company. All participants were asked to describe any links to the companies on the agenda. However, the researchers found that 21% of participants - working in law firms, lobbying firms, trade associations and think tanks - did not mention their links to the companies discussed in their applications. If you can't figure out what happens next, you can read more at the source linked above.

7.1 A different kind of police prevention for cyber security

An escape room has been opened in the Nuremberg Museum of Communication. During the week it is aimed at school classes from Year 7 onwards, and pupils are familiarized there with dangers and countermeasures on the Internet in a fun way. Information, including on booking the "Cyberforce Academy", is available here.

7.2 Dresden: Extraction of data of eligible voters

A system administrator of the city of Dresden is accused of having illegally extracted the data records of 430,000 people. How this is to be classified under criminal law is discussed here. Fitting to this, here is Frank's addendum: I have one more article from "on site" for you.

8.1 Speaking of AI ...

    • At Google, a quarter of all newly written code is now generated by AI and then "only" checked by software engineers before it is published. And I always thought that checking was much more time-consuming than writing? But I'm sure an AI will soon be able to do that too ...
    • Now new: the AI-powered breakup. What AI's summary capabilities can't be used for.
    • Nothing exciting happening in your Facebook or Instagram feed? Don't worry, there's a solution...
    • In France, on the other hand ... AI super radar traps. AI simply makes everything better. Although, in the Netherlands they have had different experiences. If only they had all read Cory Doctorow on the subject of surveillance by AI beforehand.
    • Where AI-assisted systems work really well, however, is in generating images. When it comes to depictions of child abuse, the penalties are rightly high.
    • Halloween was celebrated again at the end of October. In Dublin, for example, with a parade attended by thousands. Which, unfortunately, was "only" thought up by an AI. What's the big deal with hallucinations? Hey, party!
    • Not only is Intel not coming to Magdeburg, but now they've also been kicked out of the Dow Jones. They've been replaced by NVIDIA, you know, because of AI and all that.
    • Finally, you no longer have to watch bad Amazon series, but can read through the AI summary. Do I understand this correctly? First, bad series content is produced with AI assistance and then nobody has to watch it anymore because there are AI-generated summaries? That's what I call efficient use of energy.
    • Google seems to have developed a watermark for recognizing AI-generated texts. It is supposed to be quite good.
    • "The potential for abuse will grow when the tax-farmers start using artificial intelligence." A fascinating essay about a US peculiarity in the tax system that, you guessed it, is being "improved" by AI. And this is all still pre-Trump 2.0.
    • What does a company do if nobody wants to buy its AI features? Quite clearly. It packs said AI features into the popular standard product and then makes it more expensive. Win, win, Microsoft!
    • OK, this post is a bit off-topic for this category. But it's not a particularly big step from "Being replaced by robots" to "Being replaced by the use of AI". So it's worth reading.

8.2 Addendum to the BigBrotherAwards 2024

We have already reported on the BigBrotherAwards 2024. This year, in addition to the video of the event and the laudatory speeches, there are also caricatures.

8.3 ePA - another update

The topic, on which we have already reported regularly, is increasingly being covered in the media. Here, the opt-out option is reported on.

8.4 How a company lost control during a cyberattack - an experience report

Of course, this was just a test. But it was probably quite successful. The report is worth reading in any case.

8.5 On Prioritizing Cybersecurity Advice

This report deals with the contents of this source. What is it all about? Don't just deal with various possible risks one after the other and work through them like a checklist; prioritize the risks before you deal with them. Some measures are more valuable than others ...

8.6 The German government's password tips

OK, OK, these don't seem to be the official tips. But nevertheless, have a look at the tips.

9.1 Data protection simply explained - extended

The page "Data protection made easy" with the previous video clips to raise awareness among students has been updated. Who can find out exactly why?
