November is officially here, which means the IAPP Europe Data Protection Congress 2022 is just around the corner. We are happy so many of you are joining us in Brussels. Let me also say how difficult it is for the entire IAPP team not to be able to welcome everyone who would have wanted to be there, as the event sold out a month in advance. The IAPP team has worked around the clock these past few weeks to find creative ways to accommodate more delegates; as much as we want to push the walls and expand the conference venue, we are confronted with the physical world's limitations.
So, what can we expect to hear at Congress this year? Well, there is no shortage of hot topics, from discussion around the EU-U.S. Privacy Shield’s approval process and the expected European Data Protection Board’s coordinated enforcement action on the position of data protection officers next year to the fate of facial recognition regulation and EU General Data Protection Regulation certification. If anyone were to ask me what my top two topics would be at a strategic level, though, this is what I would point to:
Number one: The EU’s acronym soup
Show of hands, who can claim they know all about DGA, DSA, DMA, NISD, DA, AIA, AI Liability? LOL, right. Congress will devote many sessions to making sense of all these laws — whether in force or still under discussion — that are making, and will continue to make, the European regulatory landscape excruciatingly intricate and complex. It will be about understanding which is which, what the main requirements and provisions are, or what their enforcement mechanisms are. We hope our “European Strategy for Data – Overview of New Regulations” and other analytical pieces we publish are helpful. For many privacy professionals, it will mostly be about integrating new requirements into existing privacy policy and compliance programs. Understanding the interplay between the EU GDPR and broader European privacy rules on the one hand and these new laws on the other is far from straightforward.
Number two: Sovereignty
This concept heavily colored the first couple of years of European Commission President Ursula von der Leyen’s mandate. Now with several laws and other projects ticked off the commission’s to-do list, I want to gauge just how current and alive this trend is these days. We have seen different definitions of sovereignty, from assertive-but-trade-friendly to downright protectionist, and not one definition truly gathered consensus among EU and member states’ leadership.
A good indicator of which definition has more traction is data localization requirements and market access restrictions. In that vein, the Proposal for a Regulation on the European Health Data Space is interesting to follow, for privacy regulators have already called for it to require storing personal electronic health data in the EU/EEA. Another indicator is the fate of the more ominous yet significant European cybersecurity certification scheme for cloud services, currently being finalized by the EU cybersecurity agency. Earlier drafts included strong language containing various restrictions that would likely make it very difficult for non-domestic cloud services providers to get this certification. Many industry groups — including European ones — and some member states, including powerful Germany, have said this approach should be verboten. The jury is still out, but whichever approach is endorsed will be difficult to overturn later.
Now I want to hear what is on your list!