As Managing Director, Europe, Roccia will lead IAPP’s growing Brussels office and engage with senior industry leaders, policymakers, regulators and civil society, keeping IAPP members informed and apprised of local developments. She will serve as the public voice for the IAPP across Europe and provide strategic guidance on European engagement and market expansion.
Today in Paris, next week in London and Washington, D.C., in April: as the song goes, the IAPP is “on the road again.” That is in fact our mantra for 2022. As fun as interacting with a computer screen can be, nothing beats privacy professionals meeting in person and talking shop. I am the new Managing Director for Europe, and I will help the IAPP keep an eye on all things privacy in Europe. Easy peasy, right?
Let’s start with some of this week’s highlights:
- The IAPP hosted CNIL’s President Marie-Laure Denis and EDPB’s Head of Secretariat Isabelle Vereecken at our DPI: France 2022 event this week. Key takeaways from the CNIL: its strategic priorities for 2022-2024 range from streamlining enforcement to better addressing cyber risks and new technology. In the hallways, the chatter was all about international data transfers, the Google Analytics decision(s) and how great it is to see people in 3D.
- Meanwhile the European Parliament’s Civil Liberties committee held a hearing on EU General Data Protection Regulation implementation, enforcement and lessons learned. Here is a short read-out.
- The Irish Data Protection Commission imposed a fine of 17 million euros on Meta for a series of 12 data breach notifications it received in 2018. Interesting decision but not to be confused with the DPC decision on the aftermaths of the “Schrems II” case, that one we are still waiting for.
- Work on the proposed Artificial Intelligence Act ramps up as MEP Axel Voss presented his draft opinion report before the Legal Affairs committee. Among the changes he recommends is to rely on legitimate interest for personal data processing when it is to train, validate and test data sets of an AI system “to ensure that the high-risk AI system performs as intended and safely and […] does not become the source of discrimination.” The lead committees have yet to present their take on the proposed regulation, so we are still months if not years away from seeing a final text.
- The EDPB adopted Guidelines on Article 60 of the GDPR aka “Guidelines on dark patterns in social media platform interfaces, toolbox on essential data protection safeguards for enforcement cooperation between EEA and third country SAs.” More info here.
A look-ahead:
Mark your calendars for March 21: that is the entry into force of the UK International Data Transfer Agreement, the addendum to the European Commission’s standard contractual clauses for international data transfers (Addendum) and a document setting out transitional provisions. More information and documents available here.
The Irish DPC’s much-anticipated decision in the Meta data transfer case is still some weeks away in the spring. Many are bracing for yet another transformative decision for the privacy profession writ-large, although it is likely to be appealed to the Irish Court, and possibly referred to the European Court of Justice, again.
Finally, the European Commission Directorates-General for Justice and Consumers has a lot on its plate as we await with bated breath some news about a possible agreement on an enhanced Privacy Shield agreement with the United States, its FAQ on the new standard contractual clauses, and its assessment report on most of its adequacy decisions with third countries.
If you want to connect, email me at iroccia@iapp.org or find me at one of our upcoming conferences.
Photo by Yannis Papanastasopoulos on Unsplash