“EDPB adopts guidelines on calculation of fines” — that is a headline to draw privacy professionals attention if there ever was one. In the European Data Protection Board’s words, the guidelines are meant to “harmonize the methodology data protection authorities (DPAs) use.” It provides a five-step process, with a harmonized “starting point” for the calculation of a fine: the categorization of infringements by nature, the seriousness of the infringement and the turnover of a business. Many privacy pros have called for more visibility and predictability when it comes to the calculation of fines. Over the past few months, several courts in Member States have indeed challenged the way some DPAs have made those determinations, adding to the lack of clarity. Care to weigh in on whether these new guidelines will do the trick? The EPDB is seeking views via a public consultation that runs until 27 June. Also worth a read is the EDPB annual report released 12 May.

Elsewhere, EU and U.S. officials headed south of Paris for the second meeting of the EU-US Trade and Technology Council. Launched in June 2021, the TTC serves as a forum for discussion between the two partners to coordinate on trade, economic and technology issues. Its 10 working groups look at technology standards and data governance among others, and cross-cutting issues such as artificial intelligence and cybersecurity. While none are dedicated to data protection, the joint statement issued 16 May highlights a few elements of relevance for privacy pros:

  • EU and U.S. officials plan to launch a common project utilizing privacy-enhancing technologies by the next TTC Ministerial Meeting.
  • The artificial intelligence sub-working group is working to develop a joint roadmap on evaluation and measurement tools for trustworthy AI and risk management.
  • There will be a continued focus on enhancing data access for researchers.
  • A willingness to increase the sharing of privacy-compliant information related to foreign information manipulation and interference.

The joint statement refers to more workstreams and possible outcomes; it also stresses at various points that many of these initiatives will be matched against the EU and U.S. “respective legal frameworks” and their decision-making autonomy. No road, however straight, is ever fully bump free.

And a few more tidbits:

  • European Health Data Space: The European Parliament is getting organized to work on the legislation proposed 3 May. It looks like the Committee on Civil Liberties, Justice and Home Affairs will take the lead with other committees leading on industry, internal market and health providing an opinion. The parliament leadership has yet to approve this setup.
  • Data Governance Act: The DGA was formally approved by the Council of the European Union 16 May, this new data sharing legislation will enter into force 20 days after its publication on the EU Official Journal in the coming days. Not sure whether you should care? The IAPP is working on something to help.
  • Cookie walls: On 16 May, France’s data protection authority, Commission nationale de l'informatique et des libertés, published evaluation criteria for cookie walls. “When an Internet user refuses the use of trackers on a website (for example by clicking on a "refuse all" button), the CNIL recommends that publishers offer a real and fair alternative allowing access to the site and which does not does not imply having to consent to the use of their data.”

Last but not least, we are approaching our first ever Data Protection Intensive: Nederland! We hope to see many of you in The Hague 8-9 June!

Photo by Yannis Papanastasopoulos on Unsplash