Greetings! We are lucky to have an unseasonably warm fall here in Belgium. It is giving me a bit of a travel vibe, so let's use this week's digest to take a little tour of Europe:
- Munich: Last week, the IAPP hosted Data Protection Intensive: Deutschland 2022 in the heart of German Bavaria. The temperatures were unusually pleasant, and so were the discussions among privacy professionals who attended from Germany and beyond, from Spain to Finland. No topic seemed to dominate the conversations, but IT security, private enforcement in court — by contrast with regulator-led enforcement actions — and how to develop a culture of privacy across organizations ranked high on privacy pros' minds. The European and international hot topics of the day, ranging from understanding the ever-moving international data transfer paradigm to implementing the flurry of new EU laws, were also on many attendees' minds. Interestingly in that latter category, Bavarian regulators are zooming in on the Health Data Space regulation, proposed in March 2022 and are still in early negotiation stages, for it raises serious concerns related to its interplay with the EU General Data Protection Regulation. The transcripts of the opening and closing general sessions with regulators from Bavaria and Schleswig-Holstein and many panel presentations are available on the conference website.
- Luxembourg: The Digital Markets Act was published in the EU Official Journal (and with that little tidbit, you rightfully infer that the EU Publication Office is located in Luxembourg). The IAPP released its latest "overview of EU regulations" infographic on the DMA to help privacy pros determine whether and how deep they should dive into this new regulation. Its other half, the Digital Services Act, could be published in the OJEU in early November.
- Brussels: The European Data Protection Board had a busy October plenary session. Among others, it adopted and shared with the European Commission a wish list of aspects of national procedural law that should be harmonized at the EU level to facilitate GDPR enforcement. It also adopted an opinion that completed the approval process of the first certification criteria ("seal") under Article 42(5) of the GDPR. This process was originally brought before the Luxembourg DPA. Perhaps more importantly, the EDPB released its draft guidelines on personal data breach notification under GDPR, now open for public comments until Nov. 29.
- Tallin: The EU Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (or EU-LiSA agency) celebrated its 10 year anniversary. It is the agency that manages visas, criminal records or border control systems. The agency's mandate was reinforced and strengthened in 2018, and the anniversary was an occasion to take stock of past achievements and challenges ahead. According to European Data Protection Supervisor Wojciech Wiewiorowski, the most important challenge is not the re-use of data in the systems but rather the interoperability of the EU's large-scale IT systems. Their key issue is not political or technical; it is of a legal nature when one system created for one purpose is used for another purpose.
Next stop: Istanbul for the Global Privacy Assembly next week. Are you going as well? Let's meet up!