Datatilsynet (Denmark) - 2023-432-0025
From GDPRhub
| Datatilsynet - 2023-432-0025 | |
|---|---|
 | |
| Authority: | Datatilsynet (Denmark) |
| Jurisdiction: | Denmark |
| Relevant Law: | Article 5(1)(f) GDPR Article 5(2) GDPR Article 24(1) GDPR Article 32(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 09.11.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | Digitaliseringsstyrelsens |
| National Case Number/Name: | 2023-432-0025 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Danish |
| Original Source: | Datatilsynet (in DA) |
| Initial Contributor: | ar |
The Danish DPA reprimanded the Agency for Digital Government for having used JavaScript in connection with MitID, the Danish digital ID. Even though there were widely known concerns with the programming language, the Agency utilised it without conducting a prior risk assessment, breaching, among others, Article 32(1) GDPR.
English Summary
Facts
On 20 January 2022, the Danish DPA received an inquiry from a citizen about the Agency for Digital Government’s (the controller) use of JavaScript, a programming language, in connection with MitID, the Danish digital ID. In general, the inquiry stated that JavaScript is outdated and not safe and that devices can easily be hacked if JavaScript is enabled, as highlighted by leading security experts for many years.
The DPA decided to further investigate the issue and requested the controller to present statements regarding the processing in question. The controller explained that it conducted a risk assessment of MitID and identified relevant risks, including overall risks related to code quality, which JavaScript falls under. However, it stated it did not assess possible risks to the rights of the data subjects when using specifically JavaScript. Nonetheless, it clarified to have implemented appropriate technical and organisational measures to ensure a sufficient level of security to protect the rights and freedoms of data subjects. Regarding this processing, the controller also clarified that many security requirements have been set to ensure that the system is secure and updated at all times. Finally, the controller noted that in 2013 it assessed the usage of JavaScript for NemID (the old eID, replaced by MitID) and found that a JavaScript solution would have always provided high security levels.
Holding
The DPA reminded that the GDPR in several provisions requires a data controller to address the risk to the rights and freedoms of the data subjects. Article 25 GDPR, Article 35 GDPR and Article 36 GDPR, among others, require to consider the risks to the rights of data subjects before initiating processing operations. In addition, the DPA reminded that under Article 5(1)(f) GDPR personal data must be processed in a manner that ensures appropriate security of the personal data concerned. It further noted that from both Article 5(2) GDPR and Article 24(1) GDPR it follows that a controller must be able to demonstrate compliance with the GDPR. For a supervisory authority to assess whether an adequate level of security has been ensured: the controller must document the identified risks and the mitigating measures taken.
Based on the information provided in the case, the DPA noted that the controller did not specifically assess whether the specific technology JavaScript could bring risks to the rights of the data subjects since it only carried out a risk assessment of MitID. Meanwhile, the DPA stated that the controller should have conducted a separate risk assessment of JavaScript since it was publicly known that the programming language had many issues. The DPA noted that, in this instance, this was crucial also due to the usage of JavaScript in MitID, a national infrastructure. Furthermore, the DPA found insufficient the controller’s referral to an assessment of JavaScript made several years before, the one concerning NemID.
Therefore, the DPA found that the controller did not demonstrate to have identified the risks that the use of JavaScript entails for the data subjects, nor introduced appropriate technical security measures to protect the data subjects. Thus, the DPA reprimanded the controller for processing personal data in violation of Article 5(2) GDPR, Article 5(1)(f) GDPR, Article 24(1) GDPR and Article 32(1) GDPR.
The DPA also requested the controller to carry out a specific assessment of the risk to the rights and freedoms of the data subjects that the use of JavaScript could bring, as well as of whether appropriate measures have been taken concerning the publicly known security risks of JavaScript.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Skip the main navigation Search The Digital Agency receives criticism for insufficient risk assessment Date: 09-11-2023 Decision Public authorities Criticism Supervision / self-operation case Processing security Risk assessment and impact analysis The Danish Data Protection Authority has investigated the Digitalisation Agency's assessment of risks for citizens who log in with MitID when the agency uses JavaScript for e.g. to exhibit the MitID login client. Journal number: 2023-432-0025. The Danish Data Protection Authority has received an inquiry from a citizen on 20 January 2022 about the Danish Agency for Digitalisation's use of JavaScript as a script language in connection with the use of MitID. It is generally stated in the inquiry that JavaScript is outdated and insecure, and that devices, including phones and computers, can be easily hacked if JavaScript is enabled. In addition, the inquiry refers to the fact that JavaScript has been highlighted as insecure by leading security experts for many years. Based on the inquiry, the Danish Data Protection Authority has chosen to start a case of its own initiative with a view to investigating the issue. 1. Decision After a review of the case, the Danish Data Protection Authority finds that there is a basis for expressing criticism that the Digital Agency's processing of personal data has not taken place in accordance with the rules in the data protection regulation[1] article 5, subsection 2, cf. subsection 1, letter f, and Article 24, subsection 1, cf. Article 32, subsection 1. 2. Case presentation By letters of 8 February and 18 March 2022, the Danish Data Protection Authority has requested opinions from the Danish Digital Agency for use in the processing of the case. The Digital Agency has sent statements in the matter by letters of 15 March and 27 April 2022. It then appears from the case that the Digital Agency uses JavaScript in connection with the use of MitID, including to display the MitID login client. Citizens must therefore activate JavaScript in their browsers if they want to use MitID. 2.1. The Digitization Agency's comments The Danish Digital Agency has generally stated that JavaScript is a programming language that is widely used all over the world for integration with browsers, and that most of the functions and applications that make the internet usable today are coded in some form of JavaScript. The Danish Agency for Digitalisation has also stated that the Danish Agency for Digitalisation has carried out a risk assessment of MitID, and that in the risk assessment the Agency has identified relevant risks associated with MitID, including overall risks in code quality, which JavaScript belongs to. The Danish Agency for Digitization has also stated that in the risk assessment the agency, among other things, has dealt with the risks of not having a code review. In this connection, the Digital Agency has stated that the risk to the rights of data subjects when using the specific technology JavaScript, however, has not been specifically assessed. The Digital Agency has further stated that the agency has implemented appropriate technical and organizational measures in order to ensure a sufficient level of security to protect the rights and freedoms of the data subjects. In this connection, the Digitalization Agency has stated that the agency has set a number of contractual requirements for Nets as a data processor. Nets are i.a. obliged to deliver an annual audit statement from an independent third party in order to document compliance with the Danish Agency for Digitalisation's requirements for information security and requirements regarding the processing of personal data. It appears from the Danish Digital Agency's statements that Nets must deliver an ISAE 3000 DK type I audit report (or equivalent audit report) specifically for all personal data that is processed in the MitID solution, including the requirements for information security. The Agency for Digitization has stated that there have been no comments in the first audit statement the agency has received. Nets is also obliged to continuously assess the MitID solution, so that it is ensured that the solution has a sufficient level of security at all times. In this connection, it appears that Nets is obliged to continuously make the necessary adjustments if vulnerabilities arise. In addition, it appears that Nets is obliged to ensure code quality and to use and update the latest technologies. The Danish Agency for Digitalisation has also stated that a large number of security requirements have been set to ensure that the solution is secure, updated etc. at all times. This also includes requirements for security when using JavaScript. In this connection, the Digital Agency has stated that Nets must update their vulnerability assessment of the MitID solution at least every two months, based on e.g. vulnerability scans. The Digital Agency has also stated that the risk assessment for MitID has shown that there is not a high risk for the rights of the registered. The Danish Agency for Digitalisation has finally noted that in 2013 the Danish Agency for Digitalisation assessed security measures for the introduction of JavaScript in the NemID solution, where the conclusion from the supplier's external security company nSense was that "a JavaScript solution will have the same, or perhaps even higher, level of security as the current Applet solution.” 3. Reason for the Data Protection Authority's decision Based on the information provided to the case, the Danish Data Protection Authority assumes that the Digital Agency uses JavaScript as a programming language for e.g. to exhibit the MitID login client. The Danish Data Protection Authority also assumes that the Digital Agency has not specifically assessed the risk to data subjects' rights when using the specific technology JavaScript, but that a risk assessment of MitID has been carried out, where relevant risks have been uncovered. The Data Protection Regulation requires on several points that a data controller deals with the risk to the rights and freedoms of the data subjects and can document the considerations and conclusions this has given rise to. It follows directly from the provisions in articles 5, subsection 1, letter f, 24, 25, 32, 33, 34, 35, 36 and 39, that the data controller must deal with the risk to the rights and freedoms of the data subjects. In addition, it follows from both Article 5, subsection 2, as regards the principles in Article 5, paragraph 1, and Article 24 as regards compliance with the entire regulation, that a data controller must be able to demonstrate compliance with the data protection rules. Among other things, articles 25, 35 and 36 require that consideration of the risks involved for the rights of the data subjects must take place before the processing is initiated. It follows from the data protection regulation's article 5, subsection 1, letter f, that personal data must be processed in a way that ensures sufficient security for the personal data in question, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. The data controller must also be able to demonstrate that the basic principles are complied with, which follows from the data protection regulation's article 5, subsection 2. Of the data protection regulation, article 32, subsection 1, it appears that the data controller must take appropriate technical and organizational measures to ensure a level of security that matches the risks involved in the data controller's processing of personal data. It follows from the data protection regulation article 24, subsection 1, that a data controller must implement appropriate technical and organizational measures to ensure and to be able to demonstrate that the processing is in accordance with the regulation. The data controller thus has a duty to identify the risks that the data controller's processing poses to the data subjects and to ensure that appropriate security measures are introduced to protect the data subjects against these risks. The data controller must also be able to demonstrate that personal data is processed in a way that ensures sufficient security for the persons to whom the data relates. In order for the supervisory authority to assess whether an adequate level of security has been ensured, it must thus be possible to document and explain which risks the data controller has identified and which mitigating measures have been taken with a view to reducing these risks. The Danish Data Protection Authority notes that it is not clear from the data protection regulation how detailed the risk assessment must be. The Danish Data Protection Authority is of the opinion that the data controller must determine an appropriate level in view of the risks that are relevant to the data controller's processing of personal data. If a supplier, data processor or available analyses, etc. establishes or indicates certain risk scenarios, it is the opinion of the Danish Data Protection Authority that data controllers should comply with these assessments. This applies in particular when the use of a technology is interpreted to entail high risks for the data subjects. At a minimum, there must be a substantiated assessment of why the relationship is not relevant in relation to the processing of personal data that takes place at the data controller. The Danish Data Protection Authority is of the opinion that it is a prerequisite for the use of a technology such as JavaScript in connection with a critical national infrastructure (such as MitID) that the data controller carries out a separate risk assessment of such technology when it is known that it may involve security risks. It is noted in this connection that there are several publicly known abuse scenarios when using JavaScript. In view of this, it is the opinion of the supervisory authority that these risk scenarios should have been addressed where relevant. Furthermore, the Danish Data Protection Authority is of the opinion that it is not sufficient to refer to an assessment that was carried out several years ago, where the same technology was used in relation to another solution (here NemID). Based on the above background, the Danish Data Protection Authority finds that the Danish Digital Agency – by not having specifically assessed the risk to the data subjects' rights when using JavaScript – has not demonstrated that they have identified the risks that the use of JavaScript entails for the data subjects, just as the Danish Data Protection Authority does not find that demonstrated that the Digital Agency has introduced appropriate technical security measures that protect data subjects against these risks. The Danish Data Protection Authority therefore expresses criticism that the Digital Agency's processing of personal data has not taken place in accordance with the data protection regulation's article 5, subsection 2, cf. subsection 1, letter f, and Article 24, subsection 1, cf. Article 32, subsection 1. When choosing a response, the Danish Data Protection Authority has placed emphasis on the fact that the Digital Agency has carried out a risk assessment of MitID, and that in the risk assessment the agency, among other things, has dealt with the overall risks of code quality. However, this risk assessment is not sufficiently detailed in the Data Protection Authority's view, as the agency has not carried out a specific assessment of the risk to the rights and freedoms of the data subjects when using the specific technology JavaScript, which is known to involve security risks. In this connection, the Danish Data Protection Authority has emphasized that this is critical national infrastructure and that the Digital Agency is a professional actor who should have made such an assessment. It is the Data Protection Authority's expectation that the Digital Agency will then carry out a specific assessment of the risk to the rights and freedoms of the data subjects that the use of JavaScript entails for the data subjects. In this connection, the supervisory authority expects the Digital Agency to make an assessment of whether appropriate measures have been taken in relation to the publicly known security risks that the use of JavaScript entails. [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general regulation on data protection). The Norwegian Data Protection Authority Carl Jacobsens Vej 35 2500 Valby Tel. 33 19 32 00 dt@datatilsynet.dk About us About the Norwegian Data Protection AuthorityPresseHome pagePrivacy policyAvailability statement Shortcuts Guidance on GDPRCall usNewsletterThe National Whistleblower Scheme follow us The Norwegian Data Protection Authority on LinkedIn The Digital Agency receives criticism for insufficient risk assessment Date: 09-11-2023 Decision Public authorities Criticism Supervision / self-operation case Processing security Risk assessment and impact analysis The Danish Data Protection Authority has investigated the Digitalisation Agency's assessment of risks for citizens who log in with MitID when the agency uses JavaScript for e.g. to exhibit the MitID login client. Journal number: 2023-432-0025. The Danish Data Protection Authority has received an inquiry from a citizen on 20 January 2022 about the Danish Agency for Digitalisation's use of JavaScript as a script language in connection with the use of MitID. It is generally stated in the inquiry that JavaScript is outdated and insecure, and that devices, including phones and computers, can be easily hacked if JavaScript is enabled. In addition, the inquiry refers to the fact that JavaScript has been highlighted as insecure by leading security experts for many years. Based on the inquiry, the Danish Data Protection Authority has chosen to start a case of its own initiative with a view to investigating the issue. 1. Decision After a review of the case, the Danish Data Protection Authority finds that there is a basis for expressing criticism that the Digital Agency's processing of personal data has not taken place in accordance with the rules in the data protection regulation[1] article 5, subsection 2, cf. subsection 1, letter f, and Article 24, subsection 1, cf. Article 32, subsection 1. 2. Case presentation By letters of 8 February and 18 March 2022, the Danish Data Protection Authority has requested opinions from the Danish Digital Agency for use in the processing of the case. The Digital Agency has sent statements in the matter by letters of 15 March and 27 April 2022. It then appears from the case that the Digital Agency uses JavaScript in connection with the use of MitID, including to display the MitID login client. Citizens must therefore activate JavaScript in their browsers if they want to use MitID. 2.1. The Digitization Agency's comments The Danish Digital Agency has generally stated that JavaScript is a programming language that is widely used all over the world for integration with browsers, and that most of the functions and applications that make the internet usable today are coded in some form of JavaScript. The Danish Agency for Digitalisation has also stated that the Danish Agency for Digitalisation has carried out a risk assessment of MitID, and that in the risk assessment the Agency has identified relevant risks associated with MitID, including overall risks in code quality, which JavaScript belongs to. The Danish Agency for Digitization has also stated that in the risk assessment the agency, among other things, has dealt with the risks of not having a code review. In this connection, the Digital Agency has stated that the risk to the rights of data subjects when using the specific technology JavaScript, however, has not been specifically assessed. The Digital Agency has further stated that the agency has implemented appropriate technical and organizational measures in order to ensure a sufficient level of security to protect the rights and freedoms of the data subjects. In this connection, the Digitalization Agency has stated that the agency has set a number of contractual requirements for Nets as a data processor. Nets are i.a. obliged to deliver an annual audit statement from an independent third party in order to document compliance with the Danish Agency for Digitalisation's requirements for information security and requirements regarding the processing of personal data. It appears from the Danish Digital Agency's statements that Nets must deliver an ISAE 3000 DK type I audit report (or equivalent audit report) specifically for all personal data that is processed in the MitID solution, including the requirements for information security. The Agency for Digitization has stated that there have been no comments in the first audit statement the agency has received. Nets is also obliged to continuously assess the MitID solution, so that it is ensured that the solution has a sufficient level of security at all times. In this connection, it appears that Nets is obliged to continuously make the necessary adjustments if vulnerabilities arise. In addition, it appears that Nets is obliged to ensure code quality and to use and update the latest technologies. The Danish Agency for Digitalisation has also stated that a large number of security requirements have been set to ensure that the solution is secure, updated etc. at all times. This also includes requirements for security when using JavaScript. In this connection, the Digital Agency has stated that Nets must update their vulnerability assessment of the MitID solution at least every two months, based on, among other things, vulnerability scans. The Digital Agency has also stated that the risk assessment for MitID has shown that there is not a high risk to the rights of the registered. The Danish Digital Agency has finally noted that in 2013 the Danish Digital Agency assessed security measures for the introduction of JavaScript in the NemID solution, where the conclusion from the supplier's external security company nSense was that "a JavaScript solution will have the same, or perhaps even higher, level of security as the current Applet solution.” 3. Reason for the Data Protection Authority's decision Based on the information provided to the case, the Danish Data Protection Authority assumes that the Digital Agency uses JavaScript as a programming language for e.g. to exhibit the MitID login client. The Danish Data Protection Authority also assumes that the Digital Agency has not specifically assessed the risk to the rights of data subjects when using the specific technology JavaScript, but that a risk assessment of MitID has been carried out, where relevant risks have been uncovered. The Data Protection Regulation requires on several points that a data controller deals with the risk to the rights and freedoms of the data subjects and can document the considerations and conclusions this has given rise to. It follows directly from the provisions in articles 5, subsection 1, letter f, 24, 25, 32, 33, 34, 35, 36 and 39, that the data controller must deal with the risk to the rights and freedoms of the data subjects. In addition, it follows from both Article 5, subsection 2, as regards the principles in Article 5, paragraph 1, and Article 24 as regards compliance with the entire regulation, that a data controller must be able to demonstrate compliance with the data protection rules. Among other things, articles 25, 35 and 36 require that consideration of the risks involved for the rights of the data subjects must take place before the processing is initiated. It follows from the data protection regulation's article 5, subsection 1, letter f, that personal data must be processed in a way that ensures sufficient security for the personal data in question, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. The data controller must also be able to demonstrate that the basic principles are complied with, which follows from the data protection regulation's article 5, subsection 2. Of the data protection regulation, article 32, subsection 1, it appears that the data controller must take appropriate technical and organizational measures to ensure a level of security that matches the risks involved in the data controller's processing of personal data. It follows from the data protection regulation article 24, subsection 1, that a data controller must implement appropriate technical and organizational measures to ensure and to be able to demonstrate that the processing is in accordance with the regulation. The data controller thus has a duty to identify the risks that the data controller's processing poses to the data subjects and to ensure that appropriate security measures are introduced to protect the data subjects against these risks. The data controller must also be able to demonstrate that personal data is processed in a way that ensures sufficient security for the persons to whom the data relates. In order for the supervisory authority to assess whether an adequate level of security has been ensured, it must thus be possible to document and explain which risks the data controller has identified and which mitigating measures have been taken with a view to reducing these risks. The Danish Data Protection Authority notes that it is not clear from the data protection regulation how detailed the risk assessment must be. The Danish Data Protection Authority is of the opinion that the data controller must determine an appropriate level in view of the risks that are relevant to the data controller's processing of personal data. If a supplier, data processor or available analyses, etc. establishes or indicates certain risk scenarios, it is the opinion of the Danish Data Protection Authority that data controllers should comply with these assessments. This applies in particular when the use of a technology is interpreted to entail high risks for the data subjects. At a minimum, there must be a substantiated assessment of why the relationship is not relevant in relation to the processing of personal data that takes place at the data controller. The Danish Data Protection Authority is of the opinion that it is a prerequisite for the use of a technology such as JavaScript in connection with a critical national infrastructure (such as MitID) that the data controller carries out a separate risk assessment of such technology when it is known that it may involve security risks. It is noted in this connection that there are several publicly known abuse scenarios when using JavaScript. In view of this, it is the opinion of the supervisory authority that these risk scenarios should have been addressed where relevant. Furthermore, the Danish Data Protection Authority is of the opinion that it is not sufficient to refer to an assessment that was carried out several years ago, where the same technology was used in relation to another solution (here NemID). Based on the above, the Danish Data Protection Authority finds that the Danish Digital Agency – by not having specifically assessed the risk to the data subjects' rights when using JavaScript – has not demonstrated that they have identified the risks that the use of JavaScript entails for the data subjects, just as the Danish Data Protection Authority does not find that demonstrated that the Digital Agency has introduced appropriate technical security measures that protect data subjects against these risks. The Danish Data Protection Authority therefore expresses criticism that the Digital Agency's processing of personal data has not taken place in accordance with the data protection regulation's article 5, subsection 2, cf. subsection 1, letter f, and Article 24, subsection 1, cf. Article 32, subsection 1. When choosing a response, the Danish Data Protection Authority has placed emphasis on the fact that the Digital Agency has carried out a risk assessment of MitID, and that in the risk assessment the agency, among other things, has dealt with the overall risks of code quality. However, this risk assessment is not sufficiently detailed in the Data Protection Authority's view, as the agency has not carried out a specific assessment of the risk to the rights and freedoms of the data subjects when using the specific technology JavaScript, which is known to involve security risks. In this connection, the Danish Data Protection Authority has emphasized that this is critical national infrastructure and that the Digital Agency is a professional actor who should have made such an assessment. It is the Data Protection Authority's expectation that the Digital Agency will then carry out a specific assessment of the risk to the rights and freedoms of the data subjects that the use of JavaScript entails for the data subjects. In this connection, the supervisory authority expects the Digital Agency to make an assessment of whether appropriate measures have been taken in relation to the publicly known security risks that the use of JavaScript entails. [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general regulation on data protection).
