The Norwegian data regulator, Datatilsynet, issued a call to companies on March 4 to reassess their data security controls in the wake of Russia’s invasion of Ukraine.
The regulator urged all companies that export personal data from Norway to recipients in Ukraine and Russia “to reconsider the legal basis for the data transfers.”
On March 10, Datatilsynet issued another warning, this time flagging an increased risk of network attacks and the need for companies to have adequate and effective security measures, particularly regarding mobile devices and authentication.
Other European Union data protection regulators have so far not taken similar actions, deferring instead to their countries’ national cybercrime and defense agencies to take the lead.
Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) is not planning to release its own recommendations. A spokesperson said there was little reason to do so, given that the safeguards necessary to ensure data transfers to and from Ukraine and Russia comply with the EU’s General Data Protection Regulation (GDPR) are unchanged.
Article 46 of the GDPR says a data controller or processor “may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.”
While the BfDI has not issued advice directly, Germany’s department in charge of cybersecurity, the Federal Office for Information Security, has issued several warnings about potential threats.
Lithuania’s State Data Protection Inspectorate (SDPI) believes the war in Ukraine brings new cybersecurity and online fraud risks. But like Germany, the SDPI has no immediate plans to publish recommendations for data controllers, though it added “the possibility cannot be excluded.”
Lithuania’s National Cyber Security Centre has published guidance and advice on how companies and individuals can protect their personal and financial information in the event of an increase in online fraud. It has also issued practical advice about how organizations can prepare for increased cybersecurity risks and the need to review whether they might be exposed to cybercrime and malware attacks due to their use of Russian-made software and IT components.
Estonia’s Data Protection Inspectorate has urged companies to conduct risk assessments if they are using software or applications of Russian origin, following the advice of the country’s Information System Authority. In an emailed statement, a spokesperson said “one must consider the data collected is transferred to Russia and may fall into the hands of Russian security services. Our advice is to avoid using them in both work and personal devices.”
Denmark’s data protection authority has also deferred to the country’s cybersecurity unit to issue warnings about data transfers and cyberterrorism.
Denmark’s Centre for Cyber Security on March 15 issued its latest threat assessment, which stated that while there are “continuous attempts” from both cybercriminals and foreign states to attack networks and IT systems in Denmark, there is only a “limited” direct threat to Danish companies and citizens.
The center advised companies to prepare for more effective cybersecurity measures, as cyber threats could increase if the war escalates and the North Atlantic Treaty Organization (NATO) intervenes directly. It also warned that Danish companies present in Ukraine might be at greater risk of being targeted or affected by the increase in cyberattacks.
Sweden’s cybersecurity agency, MSB, also issued guidance, with tips including banning the use of privately owned devices for work-related tasks (unless approved by the employer), avoiding private cloud services, and paying increased attention to and reporting any new problems with IT systems. The guidance also advised companies to increase resources to IT departments so they can manage an expected surge in incidents.