During a recent webcast with cybersecurity hosts, I found myself discussing Brussels and why the EU capital matters so much when it comes to global influence specifically on legislation. Privacy pros witness every day the significant influence the EU General Data Protection Regulation (and ancillary developments) has on global privacy policy development. While other jurisdictions also exercise similar levels of influence, Brussels has two things that make it pretty unique: It is the first to adopt and the first to move.
When the EU member states decide on a political direction, the European Commission's first and foremost mandate is to propose legislation (and monitor its implementation and enforcement later on). In practice, this means we have the guarantees that 1) EU legislative proposals will keep coming and 2) these proposals will get approved. It may take years, but it will happen — "legislation never dies in Brussels," as a former boss of mine used to say.
And it is that reality that, in part, leads to the first mover effect. While Brussels is not the only one to look at how to regulate platforms, how to make data governance responsible or how to deal with children's privacy, it is consistently among the first jurisdictions to propose a turnkey solution, a floor map, a rulebook, however you call it, for other jurisdictions to look at and make their own — and the GDPR in the privacy field has set an undisputable precedent. Brussels’ legislative footprint is also translating in the field of multilateralism, such as in trade negotiations at the World Trade Organization or in policy discussions at the Organisation for Economic Co-operation and Development and the G-7. Brussels is a major regulatory-exporting power and it still has a few things to push through, so buckle up 2023.
A few things that happened this week:
- Cybersecurity: The NIS2 Directive entered into force 16 Jan. As an update to the EU Network and Information Security Directive, NIS2, aims to improve the resilience and incident response capacities of the public and private sectors and the EU as a whole through risk management measures and reporting obligations. Notably, NIS2 introduces a new classification of covered entities: essential entities and important entities. It expands the list of sectors and activities subject to cybersecurity obligations and the scope to medium and large entities. It also modifies breach notification requirements and introduces voluntary coordinated vulnerability disclosure for entities in scope. Member states have until October 2024 to transpose the directive, which will apply to covered entities as of 17 Jan. 2025.
- EDPB coordinated enforcement actions: The European Data Protection Board adopted in plenary its report on its coordinated enforcement action on the use of cloud-based services by the public sector. The report contains a series of recommendations (“points for attention”) for public bodies using cloud service providers. It notes the work is not over, as some formal investigations were launched at the national level last year and continue. More strategically for privacy pros, this report gives us a first glimpse at what the upcoming coordinated enforcement action on the position of DPO may look like. It will launch in February and run for about a year. The coordinated enforcement action was first launched in October 2021 following the adoption of the Coordinated Enforcement Framework. The framework is a way for the EDPB to prioritize certain topics for DPAs to work on at the national level.
- Privacy Shield: European Commissioner for Justice Didier Reynders this week reminded us the Privacy Shield process continues and the commission is working hard to convince European DPAs and member states the “third time’s a charm.” Reynders presented this week the EU draft adequacy decision for the U.S. based on the agreement “in principle” reached last April. Next, the EDPB will draft a nonbinding opinion and member states will convene to vote on whether to adopt the adequacy decision. This will still take a few months, so we can hope to see a final adoption by last spring (what's that? Did someone just say “and a ‘Schrems III’ complaint by summer”?).
Comments, feedback, updates, constructive criticism all welcome at iroccia@iapp.org