Thodoris Chondrogiannos 28 • 11 • 2021

The Cisco case: The government violates GDPR and personal data protection legislation


In a state that adheres to the rule of law, the government must protect citizens’ personal data. However, according to the Hellenic Data Protection Authority, the Ministry of Education and Religion violated the GDPR and privacy legislation in its cooperation with Cisco on e-learning.

A state governed by the rule of law must effectively protect the personal data of its citizens against technology giants and multinational companies that may use or process them in violation of the law, in order to serve their own interests.

However, this did not happen in the Greek government’s cooperation with Cisco for the e-learning system. The Hellenic Data Protection Authority (HDPA) identified significant violations of legislation on personal data protection, raising serious questions about the Ministry of Education and Religion’s handling of the data of hundreds of thousands of members of the educational community.

On 16 November 2021 the Authority made public its decision (50/2021) on the compliance of the e-learning system – implemented by the ministry during the pandemic – with a series of legislative provisions of the General Data Protection Regulation (GDPR) and Law 3471/2006 on the protection of personal data and privacy in the field of electronic communications.

The HDPA’s involvement in the case did not begin with the above decision, though, nor did the problems with Cisco first appear in 2021. In September 2020, the Authority issued an opinion (4/2020), in which it made recommendations to the Ministry of Education so that e-learning for schools fully complies with the provisions of the legislation on the processing of personal data. In fact, the Authority had spoken about the dangers regarding the personal data of students and teachers. These risks included, inter alia, the transfer of personal data outside the EU, the terms of the contract with Cisco (since its study showed that some data is kept by the private company), as well as the use of personal email addresses of teachers and their electronic transmission to Cisco, even if a teacher had not activated e-learning.

After a period of 14 months, the HDPA published its decision, in which it essentially examined whether the ministry had complied with the above-mentioned opinion, as well as with the legislation on personal data. Not only did the Authority find no compliance, it also identified serious deficiencies and infringements in the following five areas:

Point 1: The Ministry of Education, in violation of GDPR, did not examine in detail the legality of the purposes of processing users’ personal data, in particular in relation to their consent to access information stored on a user’s terminal, when such access is not necessary for the provision of the service.

Point 3: The Ministry of Education did not provide teachers and students with the appropriate training, nor the necessary security measures, in order to know how to effectively protect their personal data. This is because, according to the HDPA, “the Ministry of Education as the party in charge of processing […] did not apply at the time of processing appropriate technical and organizational measures for the application of data protection principles and the incorporation of the necessary guarantees. The measures implemented thus far are in the right direction and must be supplemented so as to make them available to every teacher, while it must also be ensured that all teachers involved in the distance learning process have received some basic information to ensure the reduction of risks,” reasons the Authority.

Point 4: The Ministry of Education did not fulfill its GDPR obligations in relation to the expression of the opinion of the subjects or their representatives, i.e. it did not give the opportunity to students and their guardians to express their opinion about the processing of their personal data in order to ensure the “legal basis for the processing of their personal data.”

Point 5: Data transfer to non-EU countries was not properly assessed. The HDPA notes that Cisco (in this case the group and its companies) is subject to US law and therefore effective complementary measures had to be taken to ensure an adequate level of personal data protection, commensurate with that enshrined in EU and national law. However, such measures were not adopted.

After identifying the violations of the legislation, the Authority proceeded to reprimand the Ministry and ordered that the shortcomings be addressed within two months (four for the transmission of data).

The Ministry of Education reacts with surprise

Two days later, on November 18, the ministry issued a statement reacting to these accusations. The ministry referred to “incorrect assumptions,” and the leadership claimed that the decision was surprising “due to the sudden change of direction by the Authority and the bypassing of its ongoing dialogue with the Ministry of Education and Religion.”

“The HDPA, with its 4/2020 opinion, had in principle considered e-learning legal, making some recommendations which were adopted by the Ministry within the stipulated three-month deadline. Since then, while the Ministry has been in constant contact with the Authority and provided additional requested information, no deviations from the privacy policy are noted, nor was there any mention of the points the HDPA has now invoked to justify its new decision,” noted the ministry.

The announcement shows that the ministry disputes not only the rationale of the decision, but also the integrity of the Authority, accusing it of suddenly and misleadingly changing course.

This case is particularly problematic for the proper and lawful functioning of government within the rule of law, as the Ministry of Education violated not only the GDPR and the legislation on personal data protection, but also the Rules of Procedure of the Parliament in the context of parliamentary scrutiny, as well as transparency legislation.

Where is the problem with the rule of law?

One of the modern requirements of the rule of law is the effective protection of citizens’ personal data.

However, in this case, according to the HDPA, the Ministry of Education and Religion failed to fulfill this requirement, violating both the General Regulation on Data Protection (GDPR) and Law 3471/2006 on the protection of personal data and privacy in the field of electronic communications.
