Monday, 20 March was officially French Language Day, as declared by the United Nations in 2010. As a French national, I couldn’t pass up the opportunity to flag this fun fact. One way this is relevant (though not necessarily useful) to privacy professionals is that the full text of the EU General Data Protection Regulation is 13% more wordy in French than English. More seriously, French was also the dominant language at last week’s IAPP Data Protection Intensive hosted in Paris. The Commission nationale de l'informatique et des libertés Secretary-General Louis Dutheillet de Lamothe gave some pointers about focus areas for the months to come: mobile apps, artificial intelligence and cybersecurity. Maintenant, vous savez!
During DPI France, the European Data Protection Board’s secretariat also announced the launch of the anticipated coordinated enforcement action on the designation and position of the data protection officer. This year-long process will start with actions by regulators ranging from sending questionnaires to registered DPOs to opening investigations. Wondering how the community is reacting to it? If it’s any indication, there were audible gasps in the DPI Plenary room when this was explained by the EDPB’s lead on the action, Gwendal Le Grand. The IAPP has reported amply on the launch and the process and will continue to develop additional resources to help DPOs and others navigate this process so watch this space.
European elections season is still a year away but, perhaps because it is “only” a year away, Brussels is pushing through priorities.
Data Act: The European Parliament adopted its position during last week’s plenary session. The trilogue negotiations with the Council and European Commission are set to start shortly. We provided a short overview of the Data Act in this column a few weeks ago in case you need a refresher. In short, the future regulation will establish "common rules governing the sharing of data generated by the use of connected products or related services ... to ensure fairness in data sharing contracts." Privacy professionals may need to look at what these new requirements may mean for their organization, though not only, if they operate in the internet of things space.
Artificial Intelligence Act: The European Parliament is working toward a vote on the AI Act in committee in April, with a plenary vote in May. Trilogue negotiations with the European Council would start soon after with hopes of reaching a final agreement by the end of the year. The two institutions are approaching the regulation quite differently, with the dominant view on the Parliament being more prescriptive overall than that of the European Council.
E-health data space: This proposal is increasingly prompting concerns from several European regulators who fear that the proposal may lower the guarantees afforded by the GDPR. The European Commission has been rebutting this claim forcefully. On the other end of the spectrum, some stakeholders are concerned by the increasing likelihood that data localization provisions would be adopted in this proposal. Note that in the same vein of data governance related acts, the European Commission is expected to unveil a “European mobility data space” proposal in the next quarter though not much transpired at this point about the contours or direction of this proposal.
A few other relevant proposals are still on their way. These include the European Digital Identity framework, the AI liability regulation, the Cybersecurity Resilience Act as well as the draft cybersecurity certification scheme which could be a technical gateway to sovereignty requirements at EU level. But let’s keep something for next week, shall we?
The IAPP Global Privacy Summit 2023 is just around the corner. We will have many breakouts and one plenary session featuring European experts so make sure you plan your visit. I look forward to seeing many of you in Washington!