"In our society, everything is allowed; you can say anything about anyone. Indiscretion is not only allowed but also became a virtue. Intimacy is de-valorized completely. What is the human character with no intimacy or private life, when private life is no longer private?" This interrogation was by Milan Kundera, the famous writer born in 1929 in then-Czechoslovakia who died earlier this month.
The interview was aired during a famous literary show on French television, ironically for avid readers in 1984, almost 40 years ago. Kundera's lament encapsulates a fundamental belief that, at the end of the day, no matter the tools we use or the law even that we as a society enact, the ability to experience technology positively ultimately sits with human decency.
Bringing this week's digest down to earth, it has been interesting following the debates of the European Parliament's Industry, Research and Energy Committee. The committee debated at least two files of interest for privacy professionals this week.
The ITRE Committee held a vote on the Cyber Resilience Act. The European Commission proposed this regulation on cybersecurity requirements for "products with digital elements" (hardware and software) with two main objectives: first, to encourage a life-cycle approach to connected devices and to ensure that they are placed on the market with fewer vulnerabilities, and second, to allow users to take cybersecurity into account when selecting and using connected devices.
Ultimately, the CRA defines the chain of responsibility in the cybersecurity ecosystem. Among others, it introduces new obligations for manufacturers to include a cybersecurity risk assessment in the technical documentation of a new connected device placed on the market, obligations to report incidents that have an impact on the security of the connected devices as well as actively exploited vulnerabilities — both within a window of 24 hours of becoming aware of it.
As it turns out, the Council of the European Union made significant progress as well and reached an agreement on its general approach this week, which means trilogue negotiations will begin shortly.
The CRA has been the source of vivid critique by the open-source software community, which represents more than 70% of modern software products. At the heart of their concerns is that the proposal does not clearly differentiate enough producers of licensed software and contributors to (free) open-source software — placing the same level of responsibility on both types of actors when their roles in the life cycle of software products are different.
Other thorny issues also remain ahead. The proposal lacks clear criteria for the categorization of connected devices and level of responsibility associated. It also emphasizes European cybersecurity certification schemes as a tool to demonstrate conformity with essential requirements of the CRA, while at the moment, no scheme existing or in drafting covers the CRA in an appropriate way.
Separately, the end of the Data Act's trilogue negotiations has been looming since late June. The ITRE Committee voted 19 July on the provisional agreement reached with the Council. Once entered into force, this regulation will set new requirements to govern the use of and access to data of connected products and related services. The IAPP Research and Insights team is working on an infographic overview which will be published here once the final text is formally approved.
Elsewhere:
- Digital Identity: The EU Digital Identity Wallet will soon be a reality following the recent provisional agreement reached by the co-legislators on the June 2021 European Commission's proposal. In its own words, "the EU Digital Identity Wallet will revolutionize digital identification by giving Europeans control over their personal data with the full convenience of mobile apps." Member states will issue the e-ID wallets, which will be available to everyone and, more significantly, be accepted by all the other member states. Users will be able to control what personal data they want to share with online services. Further technical work is still needed to set up the framework before the legislation can be adopted.
- Digital Markets Act: Earlier this month, the European Commission received a notification from companies that meet the threshold to qualify as systemic platforms under the DMA. The seven companies/holdings that came forward were: Alphabet, Amazon, Apple, ByteDance, Meta, Microsoft and Samsung. The European Commission now has until 6 Sept. to confirm that designation. By that point, the European Commission may also designate other companies that it deems to meet the threshold though they may not have come forward. These organizations will have six months to comply with the DMA if the designation is confirmed.
Last but not least, happy Belgian national day to all! It was on 21 July 1831 that the first King of Belgium, Leopold I, took the constitutional oath and swore loyalty to the Belgian Constitution and laws.
Comments, suggestions, constructive criticism? iroccia@iapp.org
