The European Data Protection Supervisor held a summit to celebrate its 20th anniversary. Supervisor Wojciech Wiewiórowski opened the conference and there was no doubt about the priorities on his mind, "What is at stake: democracy. More than the GDPR, we need to change our mindset." He noted his top concerns as being the increase in data collection by the government with a national security justification, the need to "do better" on norms, definition and implementation of data protection; and using the reflection about data protection in the public sector as a gateway to inform the community more broadly.
A few other statements caught my attention
European Commission Vice-President for Values and Transparency Vera Jourova emphasized that her successor will work in uncertain times, with new risks and threats. "We may see more pressure from states to collect data," adding that, in her view, the pendulum may favor stronger security mandates for states rather than protecting privacy.
Ireland Data Protection Commissioner Des Hogan commented on the challenge of prioritizing areas of work when there is so much coming at the DPC. Children's rights are at the top of his list. "The GDPR is only six years old, but the world is different. Fines are not the end of the story; what matters most are corrective measures." Addressing specifically two ongoing cases, presumably those involving Tiktok and Meta's Instagram, he confirmed the DPC is "satisfied with measures the two controllers have taken."
Former Advocate-General at the Court of Justice of the EU spoke about the delicate balance between privacy and law enforcement concerns, citing data retention and international transfer rulings from the court in the last decades, "We do need to accept a part of risk because we do need to trade with the outside world."
Regulation on GDPR enforcement procedures — the Council adopted a negotiating position
As the European Parliament is currently busy with post-election organizational matters — forming political groups and a majority coalition, holding constitutive meetings of committees, etc. — its legislative work is on hold.
In the meantime, the European Council continues to work on various files, including the regulation on additional procedural rules relating to EU General Data Protection Regulation enforcement. The Council announced 13 June that EU member states found common ground on this file, and as a result, its negotiating position was adopted. With the Parliament's position established in April, the arrival of the Council's general approach gives the green light to start the trilogues on this file proposed by the Commission in July 2023. It aims to streamline the procedural matters regarding GDPR enforcement and, in particular, improve cross-border enforcement. The interinstitutional negotiations will commence after summer when the Parliament returns to its full capacity as a European lawmaker.
AI technologies and personal data protection
The intersection between personal data protection and the development of AI technologies has been a hot topic for quite some time. Ireland's DPC recently supported Meta's choice to halt its large language model training plans, which would involve using publicly available content posted by the users of its Facebook and Instagram platforms. In a statement, the DPC ensured it would continue communicating regarding this issue with both Meta and other data protection authorities. The release of this statement comes days after NOYB, a nonprofit digital rights association established by the data protection activist Max Schrems, announced the filing of 11 complaints with various European DPAs requiring immediate action concerning Meta's planned AI training practices.
New deputy chair of the EDPB
The European Data Protection Board held a plenary meeting 18-19 June, during which it elected a new deputy chair. Zdravko Vukić, director of Croatia's DPA, will replace Aleid Wolfsen, Chair of the Dutch DPA in this role. He will work to support cooperation between national European DPAs and ensure a consistent application and enforcement of European data protection rules over the next five years.
What's next for Europe's digital agenda?
Three re-elected MEPs from different political groups discussed the future of Europe's digital agenda in an 18 June event organized by Politico. Anna Cavazzini (Greens/EFA), Sandro Gozi (Renew Europe) and Andreas Schwab (EPP) were all members of the Committee on the Internal Market and Consumer Protection in the previous term and were involved in the development of various EU legislation in the digital field.
They highlighted the importance of implementing the existing policies, including the Digital Services Act, Digital Markets Act and AI Act, though they did not exclude further regulation. They argued that the current rules would have to be assessed, and if any gaps are identified, new laws will likely be adopted to address them. In terms of specific topics, they touched upon telecommunications, copyright, cybersecurity and digital fairness in terms of dark patterns, addictive designs, targeted advertising and protection of children online, and more.
Isabelle Roccia, CIPP/E, is the managing director, Europe, at the International Association of Privacy Professionals.