The Pythagorean cup is a fascinating object, a glass that magically empties when filled with too much liquid — I discovered that at my own expense, thankfully with water. Sometimes I feel like a human representation of that glass trying to absorb too much policy and privacy news, and something tells me I am not alone.

The big news this week is the conclusion of the Data Act negotiations. Proposed in February 2022, it aims to create new requirements governing the use of and access to data of connected products and related services. As I discussed in an earlier column, the Data Act lays down data sharing obligations on private-sector companies, which understandably had raised concerns around trade secret protections and contractual freedom restrictions during the trilogue negotiations.

Of note, the European Commission will develop and recommend nonbinding model contractual terms to ensure "fair and balanced data sharing contracts," in particular on the imbalance of power when engaging with cloud providers. The text foresees a 20-month transition period once the text enters into force in the coming weeks. The IAPP will provide further analysis once the final approved text becomes available. In the meantime, the European Commission published an FAQ for a basic overview.

Elsewhere:

• The EU negotiations on the Cyber Resilience Act are set to wrap up next week and will create new cybersecurity requirements for "products with digital elements," i.e., connectable hardware and software products. The CRA, proposed last September, is meant to fill the legislative gap between the NIS2 directive's baseline sectoral approach and product-based legislation and clarify cybersecurity obligations for hardware and software. More on that soon.
• The Dutch data protection authority, Autoriteit Persoonsgegevens, is assertively promoting protection of personal data to play a bigger role in online security and cybersecurity. Ahead of a parliamentary debate of the Digital Affairs committee, the AP released a position paper calling for personal data to be explicitly part of infosec discussions; increased awareness of personal data protection in the EU's NIS2 Directive (the AP receives 21,000 data breach reports annually); and — more resources for the DPA. The Dutch government committed to investing 111 million euros in cybersecurity over 2022-2028; the AP wants its piece of that cake.
• European Commissioner for Justice Didier Reynders confirmed the EU-U.S. Data Privacy Framework could be finalized by late July. The U.S. Department of Justice still needs to finalize steps to implement the executive order. The next step will be for the European Commission to put its draft adequacy decision to a vote before the member states. Companies will then have three months to comply with new requirements under the DPF. Many will surely celebrate the fact they will have fewer transfer impact assessments to complete.
  • "Let's not repeat mistakes we made with social media." Microsoft's Brad Smith couldn't have been clearer with his message to the EU bubble about artificial intelligence governance. During an event hosted at the company's center in Brussels, Smith argued that "the tech sector needs to step up to ensure AI remains under human control, respects the rule of law and is subject to the force of regulation." Italian Member of European Parliament Brando Benifei, co-rapporteur on the AI Act, also encouraged voluntary schemes at international level and initiatives from the European Commission on voluntary compliance before the AI Act becomes applicable, at the earliest in 2026.
  • The IAPP released its first-ever "Key Terms for AI Governance." It provides succinct, but nuanced, definitions and explanations for some of the most common terms related to AI today. The explanations aim to present both policy and technical perspectives and add to the robust discourse on AI governance.