The IAPP posted its summer reading list. That means summer holidays are getting closer, at least for me, so I started drafting a list of things to watch out for in the coming weeks. Summer or not, things keep on moving.

It has been a while since yours truly wrote about data transfers in this space. Call it oblivion, but the topic has not been an issue at the European political level in a little while, at least in the commercial arena — less so in the law enforcement space, but in a promising way.

The EU-U.S. Data Privacy Framework was adopted exactly one year ago, with a built-in periodic review mechanism, the first review due within a year of entry into force of the European Commission decision underpinning the framework.

ADVERTISEMENT

Cassie Ad, Managing consent and privacy in the age of AI

The Commission's decision set the purpose of that initial review to “verify whether all relevant elements (new mechanisms and new safeguards) have been fully implemented and are functioning effectively in practice.” The DPF had been the object of failed court challenges early on, and sporadic pokes from members of Parliament in light of the extension of the U.S. Foreign Intelligence Surveillance Act's Section 702 in December 2023.

The first review will be conducted 18-19 July in Washington, D.C., bringing together representatives from the European Commission and the European Data Protection Board, and the U.S. Department of Commerce and Federal Trade Commission, among others. Several aspects will be reviewed closely, including the newly established Data Protection Review Court and its ability to function as an independent and impartial redress mechanism.

In April, the EDPB adopted a public information note on the redress mechanism, rules of procedure on the cooperation and respective roles of data protection authorities and the EDPB secretariat regarding the submission of complaints, and two sets of template complaint forms to facilitate implementation of the redress mechanisms.

The EU-U.S. DPF lists 2,884 active participants as of this week.

Elsewhere:

  • We are still expecting a few European Council adoptions and publications to the EU Official Journal on files of interest, including the Cyber Resilience Act, the European Health Data Space and the Artificial Intelligence Act (publication expected 12 July).
  • We are also awaiting the European Commission's report on the application of the EU General Data Protection Regulation. Pending political approval and translation, it could be published as soon as the second half of July. It could also be held up until the next European commissioner for justice takes office.
  • As reported in the IAPP Daily Dashboard, Germany's Federal Commissioner for Data Protection and Freedom of Information Ulrich Kelber detailed the agency's data protection efforts and his work with the BfDI as he finalized his term 6 July. Meanwhile, Sweden's data protection authority, the Integritetsskyddsmyndigheten, appointed Eric Leijonram as director general.
  • At the end of June, the European Council adopted the EU strategic agenda 2024-2029. It is set around the time of the European Parliament elections and outlines the EU's political priorities until the next political cycle. It identifies the digital transition and AI as priorities and recognizes the importance of strengthening the EU's capacity when it comes to AI technologies in order to make Europe more competitive. In terms of the digital transition, focal points for the coming five years include building up a cross-border communications infrastructure, tapping into the potential of data and promoting its interoperability, boosting the investment in and application of digital technologies while ensuring privacy and security, and setting up EU-wide e-services through the establishment of the EU digital identity.

Isabelle Roccia is the managing director, Europe, for the International Association of Privacy Professionals.