Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
The European summer recess has come to an end and September has been full of developments in the digital field.
On 12 Sept., the European Data Protection Board adopted its first guidelines on the intersections between the EU General Data Protection Regulation and other laws in the EU's digital playbook. These guidelines focus on the interplay between the Digital Services Act and the European data protection rules. They are open for public consultation until the end of October.
The EDPB addresses specific DSA provisions that intersect with GDPR requirements, including obligations concerning notice-and-action systems for reporting illegal content, deceptive design patterns, online platforms' recommender systems, protection of minors and transparency of advertising. Concerning intersections around enforcement, the guidelines also provide recommendations on cross-regulatory cooperation, namely the process of consultations between data protection authorities and authorities enforcing the DSA.
A year ago, the EDPB and the European Commission started a joint project in this regard, another set of guidelines breaking down the intersection between the GDPR and the Digital Markets Act, but there is no publicly known timeframe for its finalization.
September also saw advancements in the area of international data flows. In 2021, the EU concluded South Korea provides a level of personal data protection that is essentially equivalent to the one guaranteed under the EU law. Since 16 Sept., personal data can flow freely either direction, as South Korea's recognition of the EU personal data protection framework's equivalence entered into force.
This is another indication of similarities between the outlooks on digital regulation in the EU and South Korea after South Korea's Framework Act on the Development of AI passed early this year, making it the second jurisdiction worldwide — after the EU — to adopt a comprehensive AI regulation.
The EU's list of jurisdictions with an adequate level of personal data protection is also about to expand, as its draft adequacy decision for Brazil was finalized at the beginning of September. Opice Blum's Gabriela Silveira Bueno dos Santos, CIPP/E, CIPM, CDPO/BR, FIP, and Tiago Neves Furtado, CIPP/E, CIPM, CDPO/BR, FIP, outlined their main takeaways, Brazil's position on the EU's adequacy and the next steps.
There is more to note on data flows across the Atlantic. On 17 Sept., the European Data Protection Supervisor issued an opinion on the European Commission's negotiating mandate on an EU-U.S. framework agreement on the exchange of information for security screenings and identity verifications.
In its opinion, the EDPS communicated discontent over the lack of a supporting impact assessment, making the evaluation of the proposed framework agreement's necessity and proportionality more difficult. Nevertheless, the EDPS expressed overall support for developing such a framework while also underlying the importance of strong safeguards.
The data protection regulator provided specific recommendations in this regard, including on accountability mechanisms, transparency obligations and oversight and redress. This is a matter of international data flows that is unprecedented for the EU. If adopted, it would be the EU's first agreement permitting such extensive sharing of sensitive personal data, like biometric identifiers, to a non-EU country for the purpose of managing borders and migration.
There were also noteworthy developments at the national level. For instance, France's data protection authority, the Commission nationale de l'informatique et des libertés, published results of a survey on the economic benefits of having a data protection officer. It found the economic benefits are the most tangible for companies that view compliance with the GDPR as an opportunity rather than a regulatory burden. Increased success with tenders, avoiding fines and data breaches, and positive consequences of streamlining data management were identified as among the main benefits. The results ultimately lead to a conclusion that having a DPO can create value.
Several member states issued guidance to support the implementation of the European Digital Rulebook. The Dutch government published a guide to help organizations prepare for implementation of the Artificial Intelligence Act.
In Germany, materials were released, including a discussion paper on the relationship between the GDPR and the AI Act, as well as guidance on personal data protection matters in relation to the Data Act that entered into application earlier this month.
France's cybersecurity agency, the Agence nationale de la sécurité des systèmes d'information, launched an interactive tool to help organizations determine if they fall within the scope of the NIS2 Directive ahead of its first anniversary of application next month.
Laura Pliauškaitė is European operations coordinator for the IAPP.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.
