Editor's Note:

Ambassadors from EU member states voted unanimously to advance the AI Act 2 Feb. IAPP Staff Writer Caitlin Andrews and Editorial Director Jed Bracy reported the latest details.

This week is yet again filled with activity around the EU Artificial Intelligence Act, following last week's leak of the final draft text. As I write this column, all eyes are on EU ministers, who are planning to vote on the text amid a political crisis fueled by despaired farmers' demonstrations in Brussels' European quarter and Hungary's standoff which almost derailed EU's aid to Ukraine. If ministers approve the negotiated AI Act proposal, European Parliament will be next in setting a date for a plenary vote. And then the implementation work begins. 

Meanwhile, a few outstanding files with privacy and data protection equities are still moving through the Brussels machine.

The EU General Data Protection Regulation procedural harmonization for cross-border enforcement is arguably a legalese technical file discussed by a discrete group of stakeholders. However, disagreement between the European Commission and civil society groups is quite high. Parliament's draft report tilts firmly toward a fundamental rights' approach. One illustration is its take on the complaint procedure, which industry laments is more adversarial than the Commission intends with its proposal. The rapporteur Sergey Lagodinsky anticipates the draft report could be approved in committee in March and plenary in late April. Within the Council of the European Union, members states are still diverging but remain hard at work. The Belgian Council Presidency aims to reach a "general approach" agreement in May or June. Among the contested issues are ways for data protection authorities to reach consensus faster, admissibility of complaints, amicable settlement proposals and preliminary vetting as a way to reach early resolution in most simple cases. One point on which all institutions seem to agree, though, is that this file should remain a procedural issue, rather than a jumping off point to reopen the GDPR legislative process.

The European Health Data Space regulation proposal is also among the priorities of the Belgian delegation, who hope that trilogue negotiators will reach an agreement before 7 March. This timeline appears ambitious when confronted with the controversial points remaining between the Council and Parliament on primary and secondary uses of data. Regarding primary use, Parliament is arguing for a tighter system of safeguards than the Council, which would imply member states could define some of the restrictions, hence limiting harmonization at EU level. Parliament promotes even more safeguards for secondary use with a stratified approach mixing opt-in and opt-out provisions.

The EHDS is the most advanced, and arguably most complex, data space proposal the Commission has put forward thus far, so its result will be an important blueprint to consider for the nine other data spaces originally outlined in the EU Strategy for Data. As current discussions illustrate, data spaces may lead to better interconnection among member states' ecosystems but may not satisfy industry stakeholders' desire for harmonization across the EU.

Elsewhere:

  • The IAPP Data Protection Intensive: UK 2024 is in less than a month.
  • Mark your calendars: the call-for-proposals for the November IAPP Europe Data Protection Congress 2024 runs until 17 March.
  • The IAPP AI Governance Global 2024 comes to Brussels week of 4 June. Registration will open on 28 February and the developing program will be available in the coming weeks.