Last week, European data protection authorities gathered in Budapest for their annual Spring Conference. It was hosted by the Hungarian National Authority for Data Protection and Freedom of Information in the scenic Vàrosliget parc. So, what do European regulators talk about when nobody is listening? During the closed session, they discussed new technologies and their impacts on society. They also discussed the interplay between competition law and data protection and how these two areas of law can support one another.
Against the challenge of keeping up with constant developments in the field (something we all feel), DPAs also dedicated a session to the latest and most important cases before the Court of Justice of the European Union and the European Court of Human Rights. They also shared experience gained in enforcement cooperation between countries outside the EU General Data Protection Regulation cooperation. Finally, the role of the data protection officer was the main topic of the open day, against the backdrop of the European Data Protection Board's focus on the designation and role of the DPO.
Earlier this week, I hosted Gwendal Le Grand, second-in-command at the EPDB, to discuss the CEF action. He explained the process behind the CEF and reaffirmed DPOs are "key enablers of compliance." Our full discussion was followed by an insightful exchange with two European DPOs, can be found here.
This week I also hosted an IAPP web conference jointly with ISC2 on the interdependence between privacy and cybersecurity between professionals whose role is to navigate interdependence and build that much-needed collaboration. My panelists all used very colorful expressions, so here is a recap of what we discussed: navigating accountability and responsibility ("CPO and CISO need to be BFFs and eat cake together"), leadership ("security goes first, but it shouldn't lead" — a bit of debate around that one), capacity-building ("security is a teams sport"), governance and the importance of incentives ("using the carrot rather than the stick"), and arbitration when privacy and cybersecurity needs, objectives, and requirements conflict (my personal favorite: "It's about focusing on the crocodile that is closest to the canoe").
If you are in the mood for some reading, here is what else came across my desk:
- Spain's regulator, the Agencia Española de Protección de Datos, recently published guidelines to validate encryption as a security measure for personal data. The document addresses how to assess whether this technique is adequately implemented in the processing of personal data. These guidelines were published in collaboration with the Spanish Association for the Promotion of Information Security and the Spanish Professional Association for Privacy.
- Spain has also modified its GDPR implementation ("organic") law to address some of its shortcomings and discrepancies. Among other things, the text creates a specific, more flexible and quick warning procedure to speed up the response to the data subject's claims to the AEPD.
- France's DPA, the Commission nationale de l'informatique et des libertés, published an AI Action Plan. It is structured around four objectives: to understand the functioning of AI systems and their impact on people; to enable and guide the development of privacy-friendly AI; federate and support innovative players in the AI ecosystem in France and Europe; to audit and control AI systems and protect people. This follows the creation of an AI Department at the CNIL in January.
