Happy Data Privacy Week! Any fun plans? I have two things on my to-do list for that day. One is to use the excuse of the global celebration to make privacy sound cool to my children — somehow the EU General Data Protection Regulation-themed family dinner chats have not quite achieved that. And the other is to pack my suitcase as I head to IAPP headquarters for a week to prepare for 2023 with colleagues (and their dogs).
As I write these lines, we are starting to see reporting that Ireland’s Data Protection Commission just triggered the EU GDPR Article 65 dispute resolution process in its investigation of Meta’s standard contractual clauses. If we thought the recent decision about the legal basis for targeted advertising was big, we need to brace ourselves for this one in the next month or two. The European Commission is still in the process of getting its draft adequacy decision for the U.S. approved by member states, which could still take a few months. Even if the process were sped up and we had an adequacy decision before the conclusion of the Article 65 process, if the scope of the European Data Protection Board and DPC final decisions goes beyond trans-Atlantic transfers for Meta, there could still be severe complications for organizations that rely on standard contractual clauses (an estimated more than 90% of organizations) for transfers to more than 160 other economies.
In a different vein, this week the European Union Agency for Cybersecurity held its EU cybersecurity policy conference. The agency has grown significantly since its creation, with an increased budget and expanded mandate. Some of its work is particularly relevant to privacy professionals, such as threat landscape analysis, guidance on breach notification and implementation of EU laws like the NIS2 Directive that entered into force last week.
In its recent threat landscape report, France’s cyber agency, the Agence nationale de la sécurité des systèmes d'information, reported that the level of threat across Europe remains very high. Attackers are improving their capabilities for financial gain, destabilization and espionage. Fewer incidents target regulated entities, but ANSSI noted a corresponding increase in attacks on small and medium-sized entities, in particular through the exploitation of known software vulnerabilities.
Against this backdrop, the commission is focusing on five priorities in this space, first among them increasing detection capabilities, as the situation in Ukraine showed just how important early detection is. The December 2020 EU Cybersecurity Strategy announced the creation of a network of cybersecurity operational centers. The commission is supporting national efforts to improve cooperation on threat intelligence among member states wanting to work with trusted partners. Additionally, there is a focus on protecting critical infrastructures: Along with the NIS2 Directive, the commission, member states and ENISA are also working to coordinate their risk assessments of critical infrastructures. The other priorities are reducing the attack surface, particularly of software (one of the main aspects of the proposed Cyber Resilience Act), increasing international cooperation and addressing the skills shortage.
With that, I'm leaving you with a few recent IAPP resources: