While the prospect of a possible U.S. privacy bill is understandably the buzz in the privacy community, the IAPP brought its Data Protection Intensive conference to The Hague. In the context of the ever-evolving data protection landscape, the Dutch data protection authority’s Director for Policy, International, Strategy and Communication stressed that “there are reasons for optimism but we should not be blind.” The Autoriteit has found that data protection is insufficiently secured in one in five new draft laws concerning data processing. However, it also sees awareness of the fundamental importance of privacy and data protection is increasing under the new government that took office in January this year.
Meanwhile, in Brussels, the French Presidency of the Council of Member States is coming to an end 30 June. Before the Czech Republic takes over 1 July, the Council took stock of the progress on a number of digital policy proposals:
- Digital Governance Act: Its publication in the EU Official Journal last week clarifies one important date: the DGA will enter into force 23 June and become applicable to organizations in scope 15 months after, i.e., 24 Sept. 2023.
- Artificial Intelligence Act: The European Parliament and the Council are working to finalize their respective positions before entering into so-called trilogue negotiations. Member States approved the French progress report on the file, but arguably progress has been slow as many aspects of the Commission’s proposal are still being debated. On the other side, Parliament has been flooded with thousands of amendments; one can expect heated debates and the file to carry over into 2023.
- Digital Services Act: The file seems closer to the finish line than ever. Although the European Parliament Committee Internal Market and Consumer Protection leads on the file, it has optimistically planned a vote on the final text for 16 June, so legislators may stretch the timeline a bit longer.
- The Council also discussed the negotiation state-of-play of the Data Act, ePrivacy and the European Digital Identity framework (better known as eIDAS Regulation).
Lastly, on the recommended reading list is France’s CNIL question and answer page on its February Google Analytics decision. In this Q&A, the CNIL confirms that decision applies to all controllers using Google Analytics in similar conditions and with the same standard contractual clauses and additional safeguards implemented by Google. It also confirms that these controllers “must turn immediately to another service provider that offers sufficient guarantees of conformity.” To better understand what “sufficient guarantees of conformity” means in the CNIL’s reading, you can look at the CNIL’s suggested options for compliance solutions on this page. This decision was one of 101 complaints brought before European DPAs, many of which have yet to be decided on by authorities, possibly with slight variations of interpretation and thereby on appropriate solutions that organizations can consider. To be continued …
Photo by Yannis Papanastasopoulos on Unsplash