Every July, the IAPP publishes a list of privacy summer reading second report on the application of the EU General Data Protection Regulation published by the European Commission 25 July. The 32-page report projects several actions to be taken by the Commission, legislators and privacy regulators with combined objectives:

  • Robust enforcement. The Commission calls for the adoption of its proposed reform of procedural rules for cross-border cases.
  • Proactive support from data protection authorities to stakeholders in their compliance efforts.
  • Consistent interpretation and application of the GDPR across the EU.
  • Effective cooperation between regulators — privacy and others — at both the national and EU level to guarantee consistent and coherent application of the growing body of EU digital rules.
  • Advance the Commission's international strategy on data protection.

Some objectives are lofty. For instance, that member states need to "ensure the effective and full independence of national data protection authorities" or that the European Data Protection Board and data protection authorities "are invited to engage in constructive dialogue with controllers and processors on compliance with the GDPR."

Yet, they reflect some feedback the European Commission received during its consultation period. The objectives also attest to its dynamic, if not combative, mindset only a few months before a new European Commissioner for Justice is due to take over. His/her to-do list appears in part in the report's conclusion: keep pressure on member states to ensure they comply with the GDPR; pursue actions centered on children's privacy protections; decide on the fate of the e-Privacy Directive; and continue ongoing and launch new adequacy talks, as well as cooperate with international partners on model contractual clauses as transfer tools, which promises fascinating developments in the coming months.

The next GDPR application report will be due in 2028.

DORA compliance

Five months away from the Digital Operational Resilience Act becoming applicable, industry is concerned about its ability to be ready. In a joint statement issued in late July, several associations representing both financial sector and information communication technology operators said that "DORA's comprehensive requirements necessitate significant changes to financial entities' risk management processes and adjustments to existing frameworks spanning multiple operational and technological domains within a firm."

Signatories are asking for a better sense of supervisory authorities' approach to DORA enforcement actions and urge "continuous and effective convergence among supervisory authorities" during implementation and leading up to the 17 Jan. 2025 deadline.

The DORA aims to ensure member states' financial sectors can stay resilient through a severe operational disruption. It introduces requirements for network security and information technology systems of financial services companies, as well as third-party information communication technology providers. Technical standards are underway.

DSA

The Commission opened infringement proceedings against six member states — Belgium, Croatia, Luxembourg, Spain, Sweden, and the Netherlands — regarding the designation of competent authorities under the Digital Services Act, the so-called Digital Services Coordinators.

Either no designation had been made by the member states before the 17 Feb. deadline, or the designation had been made but the authority was not empowered as it should be under the DSA.

The six member states have two months to respond; otherwise, the Commission may decide to issue reasoned opinions.

A similar communication was addressed to Ireland for not designating the competent authority under the Data Governance Act, applicable since 24 Sept. 2023.

Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP.