This newsletter comes to you from IAPP headquarters, where yours truly set up camp for a few days. Portsmouth, New Hampshire, has been home to the IAPP for much of its 23 years, before its Brussels satellite office opened in 2018. By that point, it was pretty clear that the EU capital had become an influential voice in the global privacy debate and rulemaking.

It was also clear that Brussels would expand its data and data governance policy agenda to "unlock the re-use potential of different types of data and create a common European data space" as it so eloquently put it at the time, taking a page out of the EU jargon playbook.

Five years later, the EU machinery is cranking to try and finalize arguably one of the most ambitious policy agendas it has ever had in this space. The prospect of European elections next June is injecting a sense of urgency on some of the files that have yet to be finalized by co-legislators. Nonetheless, many laws that were proposed over the past four years are now reaching crunch time and gradually coming to the desks of privacy professionals, and compliance and legal experts.

Among them, the Digital Markets Act reached another step when European Commissioner for Internal Market Thierry Breton publicly announced the six "most impactful online companies" that have been designated gatekeepers: Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft. These companies now have six months to comply with the DMA's provisions, including appointing a compliance officer who will report to their board and inform the European Commission of any plans for mergers or acquisitions. "No big platform can behave as if it was 'too big to care,'" Breton adds. The commission will become the enforcer of the DMA as of 6 March 2024.

The DMA contains several provisions that will be important from a privacy perspective. It limits gatekeepers' ability to rely on the EU General Data Protection Regulation legal basis for processing in a few specific cases and prohibits them from combining personal data obtained from their subsidiaries. The DMA also requires gatekeepers to allow end users to easily change the default settings on the operating system, virtual assistant and web browser, and to ensure end users or third parties they authorized can freely port, continuously and in real time, data they provided or generated through the use of the gatekeeper's services. Gatekeepers will also have to enable end users to freely choose to opt in to certain types of data processing and sign-in practices.

The DMA compliance officer function will play the central role in gatekeepers' organigram. It should be independent from the "operational functions of the gatekeeper" and "have the professional qualifications, knowledge, experience and ability necessary to fulfil (their) tasks." The job ad writes itself!

Elsewhere:

  • A game of musical chairs has started within the European Commission. As Executive Vice President Margrethe Vestager is about to leave her post, European Commissioner for Justice Didier Reynders — who oversees the privacy portfolio — is set to replace her. Iliana Ivanova, Bulgaria's commissioner-designate for innovation, research, culture, education and youth, appeared before the European Parliament for her confirmation hearing this week.
  • A reminder that the IAPP is currently running its annual call for volunteers until 29 Sept. Read up on opportunities to serve as a KnowledgeNet Chapter chair, advisory board member or Young Privacy Professional, as well as other ways to get involved.