During the IAPP Europe Data Protection Congress 2024, European Commissioner for Justice Didier Reynders announced plans to convene a conference with adequacy partners on a global level and to "continue to work with international partners towards safe and free data flows." This high-level roundtable took place this week in a hybrid setting with representatives from 15 countries for which the EU has adopted an adequacy decision, including the Channel Islands, Japan and New Zealand.

The agenda consisted of two overarching themes: maximizing safe data flows as a network and beyond, and government access to data and supporting convergence in the commercial sphere through strengthened enforcement cooperation. In his opening remarks, Reynders referenced "recent and very interesting developments that aim at 'bridging' or connecting different transfer mechanisms," such as mutual adequacy arrangements or model contractual clauses.

Reynders stated that "clarity and transparency around safeguards applying to how government can access data for public interest reasons is an increasingly important component of trust in data flows." He also raised the possibility that the group of convened adequacy-powered jurisdictions could promote adherence to the Organisation for Economic Co-operation and Development's Declaration on Government Access to Data Held by Private Sector Entities.

This adequacy discussion took place just a week after the U.S. White House published its executive order on preventing access to Americans' bulk sensitive personal data and U.S. government-related data by countries of concern. As my colleague Cobun Zweifel-Keegan explains, the executive order includes "a forthcoming regulation from the U.S. Department of Justice, which would block or place restrictions on designated personal data transactions with foreign adversaries of the U.S. and their proxies." This executive order has been read by EU officials as a sign that the EU and the U.S. might be coming closer together.

Going eastside, the European Parliament should approve a protocol between the EU and Japan on the free flow of data next week. This protocol amends a 2017 economic agreement partnership and inserts provisions on data transfers, much aligned with the EU data flow provisions. The protocol will enter into force once Japan ratifies the agreement and the two sides complete internal procedures.

Elsewhere:

  • The Court of Justice of the European Union issued a significant decision Thursday regarding IAB Europe's "Transparency and Consent String." The effort by the digital marketing and advertising technology association brings the existing auction system into conformity with the EU General Data Protection Regulation. Following an unfavorable decision from the Belgian Data Protection Authority in 2022, the CJEU ruled "the TC String contains information concerning an identifiable user and therefore constitutes personal data within the meaning of the GDPR.” As a result, IAB Europe is considered a "joint controller" under the GDPR.
  • Parliament's plenary vote to finally adopt the much-awaited proposed Artificial Intelligence Act was moved up to next week, 13 March, primarily to spread out the remaining votes across the last two plenary sessions before Parliament enters recess. A policy advisor for co-rapporteur Brando Benifei said this does not mean the AI Act will enter into force earlier as lawyer-linguists are still working hard to polish the text and the act is likely to enter into force at the end of May. The version to be adopted next week will receive a corrigendum in April, followed by adoption by the European Council.
  • On 6 March, EU member states under the Network and Information Systems Cooperation Group, published a compendium on protecting election integrity from a cybersecurity perspective. Among the "proposed measures are best practices on information sharing, awareness raising and trainings together with risk management, cybersecurity support for campaigns, parties and candidates, as well e-voting technology."
  • On 6 March, the European Commission officially became the enforcer of the Digital Markets Act. Late last week, Booking, ByteDance and X, formerly known as Twitter, formally notified the Commission that their core platform services potentially meet DMA thresholds as of January 2024, triggering gatekeeper qualification. This would result in having to apply DMA obligations, including appointing a DMA compliance officer who would report to the company's board and inform the European Commission of any plans of mergers or acquisition.
  • On 22 Feb., the Commission's Delegated Act on Independent Audits under the Digital Services Act entered into force. Under the Digital Services Act, very large online platforms and very large online search engines must undergo an annual audit conducted by an independent auditor to assess their compliance with the DSA and any adopted codes of conduct or crisis protocols. The act provides a framework to guide providers of very large online platforms and very large online search engines, as well as auditing organizations, in the preparation and issuance of audits.