TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Europe Data Protection Digest | A view from Brussels: Draft regulation on cybersecurity requirements; EDPB adopts application for BCR-C Related reading: A view from Brussels: The many hands holding up privacy in Europe



Jeopardy was one of my favorite TV shows when I was a kid. I remember watching it with my parents when I was 10 or 11 years old. I just loved the idea of challenging one's brain by thinking backward. Clearly, I was already a nerd. I would eagerly wait for a name or date I knew to pop up on the screen and then find the perfect, winning question to define it. I won't lie: it didn't happen very often at that age, but nothing stopped me from having a good time and trying. Fast forward a few decades, and now I am testing the concept against some of the updates I picked up this week. Care to play with me?

Proposed answer: The draft regulation on horizontal cybersecurity requirements for products with digital elements.

Question: What is the latest European Commission proposal privacy professionals should look at?

On 12 Nov., the European Commission published a new legislative proposal to update the EU regulation on market surveillance and compliance of products, and to tackle the "current imbalance of responsibilities in the market, where manufacturers are encouraged to be the first in the market, with security being an afterthought at best," according to Executive Vice-President Margrethe Vestager.

With almost 75 trillion connected objects estimated worldwide by 2025, this proposal seeks to shift responsibility for the cybersecurity of digital products, i.e., "any software or hardware product and its remote data processing solutions," to the manufacturers. Manufacturers would keep responsibility throughout the product's lifecycle. It seeks to impose minimum cybersecurity requirements for all digital products, with specific requirements for some product categories to be developed later through standardization.

Some of the essential security requirements envisaged include delivering digital products without any known exploitable vulnerabilities, drawing up a software bill of materials, applying effective and regular tests and reviews of the product's security with digital elements ,while also delivering the product with a secure by default configuration, including the possibility to reset the product to its original state.

Proposed answer: "Controller Binding Corporate Rules."

Question: What is the focus of the European Data Protection Board's current public consultation?

The European Data Protection Board is seeking comments on its draft Recommendations 1/2022 on the "Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules." The EDPB updated elements and principles found in BCR-C and expects all holders to bring their BCR-C, including those already approved, in line with requirements in the recommendations currently open for consultation. The structure and content of the application form remain largely the same but with a few notable adjustments, including a new acknowledgment spelling out the requirements from the Court of Justice of the European Union's "Schrems II" decision applicable to BCRs and a call for clearer sanctions to be included in mechanisms to ensure the binding nature of BCR-C on employees. Additionally, the effectiveness section has been streamlined. The recommendations were issued 14 Nov., and stakeholders have until 10 Jan. 2023 to submit feedback.

Proposed answer: "Data protection and criminal justice got married."

Question: How did European Data Protection Supervisor Wojciech Wiewiórowski open the EDPS Data Protection and Criminal Justice conference?

At a recent conference hosted by the EDPS, Wiewiórowski shared his thoughts about the marriage, as the effectiveness of laws governing the space is looked at in Brussels. According to Wiewiórowski, criminal justice and law enforcement work closely together but need to be reviewed independently. In criminal justice, data is usually more reliable and filtered, yet data protection regulators should pay extra attention to sensitivities and vulnerabilities, which may be higher than in other fields. Criminal justice is also governed by good lawyers, with high respect for law and compliance, but data protection authorities must be attentive to maintaining the status of justice authorities. "We still need to fight for independence of DPAs, of criminal justice authorities," he added, "this is essential for the rule of law."

Proposed answer: "International transfers, data deletion and governance."

Question: What are the top three strategic privacy priorities for 2022 in Europe?

This is one of many insights IAPP members can find in our recently released IAPP-EY Annual Privacy Governance Report 2022. The report is filled with granular sector- and region-specific detailed analyses of privacy governance and operating models, strategy and planning, compensation management, budget management and performance metrics and monitoring.

Credits: 1

Submit for CPEs


If you want to comment on this post, you need to login.