Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
The end of June marks the wrap-up of Poland's six-month presidency of the Council of the European Union. Before it passes the baton to Denmark 1 July, Poland managed to bring to a close one of its priority files — a proposal for a regulation on additional procedural rules relating to enforcement of the EU General Data Protection Regulation. The council and the European Parliament reached a long-awaited provisional agreement on the file 16 June.
The proposed regulation aims to accelerate enforcement of cross-border cases, one of the most criticized aspects of the GDPR, by harmonizing some national procedural rules. The provisional agreement introduces binding deadlines for enforcement procedures and certain rights to both the complainant and the parties under investigation, such as the right to be heard during different stages of the procedure and the right of access to the case information. Without the final text, uncertainty remains surrounding resolution of some disputed topics, such as the European Data Protection Board's role in the dispute resolution mechanism.
The European Commission tabled this proposal in the summer of 2023. As a previous European Parliament's "unfinished business" file, it was carried over to the new parliamentary term last summer. The new rules aiming to improve GDPR enforcement will enter into force after the official adoption of the text by both institutions, fine-tuning by lawyer-linguists and publication in the Official Journal of the European Union.
Another development in the field of data protection: Receiving of Royal Assent last week, the Data (Use and Access) Act became law. This is an important moment in the evolution of the U.K.'s approach to data protection after Brexit, as the act introduces new data sharing rules, including on the access and use of health care information, consumer and traffic data, and rules on digital identity verification. According to the U.K. Government, the new legislation will "unleash the power of data" and make British people's "day-to-day lives easier."
It remains to be seen whether these changes in the U.K. data protection regime will affect the EU adequacy decisions allowing free flows of personal data between the EU and U.K., which are up for review by the Commission at the end of this year.
Regarding the intersection between privacy and artificial intelligence, France's data protection authority, the Commission nationale de l'informatique et des libertés, released new recommendations on development of AI systems. The advice focuses on the use of legitimate interest as a legal basis and includes an assessment that can be used to determine whether legitimate interest can be relied upon, specific cases in which it is allowed or not and examples of safeguards to be used, such as omitting the collection of certain data.
With the next batch of the EU AI Act's implementation deadlines approaching in August, the Commission launched a public consultation to gather input on implementing the regulation's rules on high-risk AI systems. Until 18 July, stakeholders are invited to share practical examples of AI systems and identify issues they want to be addressed in future commission guidelines, including the classification of high-risk AI systems, high-risk requirements and obligations and responsibilities along the AI value chain.
At the same time, the topic of possibly delaying the AI Act's implementation was widely discussed this month. Some believe that postponing the entry into application of certain AI Act rules would be appropriate, especially if relevant guidance and technical standards are not finalized. Head of Office and Digital Policy Adviser for MEP Axel Voss, European People's Party, in the European Parliament Kai Zenner and Resaro Chief Trust Officer Sebastian Hallensleben highlighted the risks of delaying the act's implementation and suggested certain next steps the Commission should take.
At least some of the uncertainty is hoped to be clarified in the next digital simplification omnibus, but the question is if it will happen soon enough, as important implementation deadlines are just around the corner.
Laura Pliauškaitė is European operations coordinator for the IAPP.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.
