I leave the pen to my colleagues for a couple of weeks, and I come back with a whole shopping list of things I want to share with you all.
DSA and DMA update
The Digital Services Act was approved by the Council of Member States, marking the end of a legislative process that started with the commission's proposal in December 2020. The final text, as approved by the EU co-legislators, is expected to be published in the EU Official Journal in November for an entry into force 20 days following. It will then apply to organizations after a 15-month transition period or as of 1 Jan. 2024, whichever is later.
The Digital Markets Act is one step ahead as it should be published to the OJEU on 13 Oct. and enter into force 20 days thereafter. It should become applicable six months after that date, although a set of specific provisions will apply directly on the date of entry into force and will kick off with the commission's work, in particular, to determine the methodology for designating gatekeepers.
We will have an IAPP infographic on both regulations once the final texts are published. These new rules will also feature on the agenda of our upcoming European Data Protection Congress in Brussels, so make sure you check that as well.
Shield or no Shield?
U.S. President Joe Biden signed an executive order Friday, materializing some aspects of the political agreement reached with the European Commission in April on a Trans-Atlantic Data Privacy Framework, now referred to as the EU-U.S. Data Privacy Framework. From a Brussels perspective, this development means the European Commission will then finalize the legal drafting of a draft adequacy decision and launch its formal approval process. We are looking at a four- to six-month EU process, six is probably more realistic, and a new fully functioning agreement by around March 2023. This IAPP infographic details the timeline from Privacy Shield to the framework.
Of course, there are a few elephants in this giant trans-Atlantic room: Will member states vote to approve the adequacy decision based on this updated framework? I bet on a comfortable "yes" with perhaps a couple of abstentions. While the European Parliament has no formal role in this process, some of its members may raise serious concerns about the new draft agreement, influencing the otherwise trending debate that Europe may need a bit more data localization. Will the new adequacy be challenged before European courts? We all anticipate it is less of a matter of "if" than "when" and whether it will hold.
AI liability rules
The Europe Commission proposed a new directive on 28 Sept. on artificial intelligence liability rules. According to the news release, "the new rules will ensure that victims benefit from the same standards of protection when harmed by AI products or services, as they would if harm was caused under any other circumstances."
Yes, this proposal is different from the AI Act, which is still being heavily debated in both Parliament and Council. Yes, there are still a lot of uncertainties on where the AI Act will eventually land regarding key concepts such as the definition of AI systems, the material scope of application of the Act, and whether the focus will remain on high-risk AI or be expanded. Yes, that might create an interesting conundrum when the two pieces of legislation are being debated in parallel. Our Research and Insights team is taking a closer look at this latest proposal and will share some thoughts soon.
Last but not least, we are hosting the IAPP Data Protection Intensive: Deutschland 2022 in Munich next week. We are looking forward to seeing many Privacy Pros from the DACH region and beyond!
If you want to comment on this post, you need to login.