Legal expertise from Passau for a data protection-compliant update against deepfakes

In the age of AI, digital images, videos and audio files can be deceptive – and they are becoming increasingly so. The growing number of fakes and targeted disinformation not only jeopardises individual judgements, but also trust in the media, science and politics. A team led by Fraunhofer AISEC, which also included researchers from the University of Passau, systematically investigated how digital content can be verified for authenticity and origin in the future as part of the VeNIM project. The acronym stands for “Trust Concept for a Sustainable Information and Media Architecture”.

The aim was to develop a technical and legal trust architecture that makes the authenticity and integrity of data verifiable while at the same time protecting privacy – for journalists, activists and whistleblowers, for example. The basis for this was the international C2PA (Coalition for Content Provenance and Authenticity) standard, which was further developed in VeNIM through the C2PAExt concept.

Authenticity verification while protecting privacy

Prof. Dr. Daniel Loebenberger, Head of the Secure Infrastructure Department at Fraunhofer AISEC, presented the results on 11 November 2025 in Halle an der Saale: "With C2PAExt, we are creating a system that goes beyond standards for verifying the authenticity of media content. It combines cryptographic evidence, resilient watermarking and deepfake detection with a privacy-preserving provenance store. This means that in future, digital content can not only be verified technically, but also checked retrospectively to see whether it has been altered or manipulated – while fully protecting the privacy of users."

The University of Passau contributed legal expertise under the direction of Professor Meinhard Schröder. The holder of the Chair of Public Law, European Law and IT Law refers to ‘data protection by design,’ an innovation in the General Data Protection Regulation, according to which data protection must be considered from the outset. ‘In this project, we were able to put this into practice – it was not simply a matter of assessing whether an existing system was compliant with data protection regulations or not, but rather of identifying the relevant points from a data protection law perspective for a system that was just being developed and then designing the system in such a way that as little personal data as possible was processed.’

About C2PAExt

C2PAExt is an extension of the international standard C2PA, short for ‘Coalition for Content Provenance and Authenticity’. This standard deals with the origin and authenticity of digital content such as images, videos and audio files. With the help of cryptographic signatures and metadata, C2PA makes it possible to detect manipulation and increase the trustworthiness of media content. C2PAExt goes one step further: it not only ensures the integrity of media content, but also protects the privacy of users.

Data protection-compliant solutions

Technical solutions for verifying the authenticity of media content often require the storage of metadata, such as information about the authors of the content or the devices used to create it. However, this data may be personal and allow conclusions to be drawn about identities or locations. For example, a whistleblower uploads a manipulated document to be verified with C2PAExt. If metadata such as the time of editing or the device ID is stored unencrypted, their identity could be compromised, even if the actual content remains anonymous.

The legal team from Passau developed legally compliant solutions for such and other scenarios during the technical development phase. For example, the database that stores information about the origin of digital documents in C2PAExt was designed in such a way that no unnecessary personal information is processed.

This text was machine-translated from German.