Too soon for Santa's greetings, but we are in the last stretch of the year. Brussels is slowly getting into the mood of the holiday season, Christmas trees are popping up, invitations to share the traditional melted-cheese raclette are coming through, and the IAPP Europe office is recovering from this year's Data Protection Congress. However, all this does not mean December will be any quieter than the rest of the year.
This week, the Council of the European Union adopted yet another piece of legislation, the Data Act. Spanish Minister of Digital Transformation José Luis Escrivá declared the regulation "will be a catalyst for a Europe fit for the digital age. The new law will unlock a huge economic potential and significantly contribute to a European internal market for data. Data trading and the overarching use of data will be boosted, and new market opportunities will open to the benefit of our citizens and businesses across Europe."
In practice, this means the Data Act primarily focuses on "industrial," nonpersonal data, but inevitably, personal data considerations will be more than present in its implementation.
The Data Act will introduce several substantive changes to the legislative framework governing data sharing. Among others, it will provide data access and use rights to connected device users (while protecting data holders' trade secrets and intellectual property), make data that was originally restricted available for use to groups including small and medium-sized companies, researchers and public bodies in case of public emergencies, and set new requirements governing compensation for data use, portability between service providers, and safeguards for nonpersonal data transfers to third countries.
While the act's final text has yet to be published in the official journal, the mind already boggles with anticipated implementation challenges, including ensuring consistency with personal data protection rules, with more recent instruments including the Data Governance Act and the Digital Markets Act, and with existing requirements and rights under contractual, competition and trade secret rights. The tip of the iceberg might be, for instance, to square EU General Data Protection Regulation concepts of controller, processor and sub-processor with the Data Act's data holder, data recipient and user definitions. Other questions will arise in very different terms, like requirements governing compensation for data use.
The European Commission and the marketplace will have to agree on what constitutes reasonable compensation for making data available to a recipient, or in the case of a micro, small or medium-size enterprise, compensation that does not exceed costs directly related to making the data available. Data made available for a public emergency shall be free of charge.
Elsewhere:
- In recent weeks, the European Parliament's Committee on Civil Liberties, Justice and Home Affairs and Committee on Environment, Public Health and Food Safety adopted the draft report on the European Health Data Space. Moving this file along though the potential start of trilogue negotiations under this term is unlikely. Lead rapporteurs on the GDPR procedural harmonization on cross-border enforcement proposal and on the proposal to tackle child sexual abuse material also both published draft reports.
- Meanwhile, the AI Act remains the subject of wild predictions by observers as trilogue negotiations are hung up by very strong disagreement among member states, and between Council and Parliament, on how, and even whether, to regulate foundation models.
All this should not stop privacy pros from looking at their social calendars. There is a good chance your local KnowledgeNet is organizing an end of year meeting, maybe even a Happy Hour. Make sure to check online for more information.
Registrations are also open for the IAPP's first conferences of 2024 in London, England and Washington, D.C.