Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
As Cybersecurity Awareness Month comes to a close, we look back at some of the developments that took place in October — cybersecurity-related and beyond.
The NIS2 Directive took effect one year ago 18 Oct. Unlike EU regulations, which are directly applicable in all EU member-states, directives must be transposed into national law to become part of a country's legal system. NIS2, however, has not yet been transposed into national law in almost half of EU countries.
The law aims to establish a high common level of cybersecurity across the EU's critical sectors through stringent cybersecurity risk management, incident reporting and vulnerability disclosure obligations, applicable across the entire value chain. In a recent article for the IAPP, Baker McKenzie Partner Elisabeth Dehareng, AIGP, CIPP/E, and Mason Hayes and Curran Partner Julie Austin discussed practical challenges and strategic considerations of NIS2, and provided a step-by-step overview of how to leverage compliance efforts.
The importance of having a high level of cybersecurity was also highlighted by U.K. Government Communications Headquarters Director Anne Keast-Butler, who concluded cyberattacks have not been as "contested and complex" in recent decades as they have this past year.
There were also significant developments in the privacy field. In its October plenary session, the European Parliament voted to adopt the EU General Data Protection Regulation procedural rules regulation — an instrument that did not receive as much publicity as other EU digital laws, but is expected to resolve a widely recognized problem of the GDPR. With this piece of legislation, the EU is aiming to improve GDPR enforcement in cross-border cases.
Among the changes the law promises to bring are improved cooperation between data protection authorities, faster resolution of cases and enhanced complainants' rights in the complaint resolution process. The regulation will officially become law once it completes the last remaining steps of the EU's legislative process, including official adoption by the European Council, refinements by lawyer-linguists and its publication in the Official Journal of the EU.
Another privacy-related development was the publication of the European Data Protection Board's opinion on the Commission's draft adequacy decision for the U.K., which would extend the U.K.'s current adequacy status — set to expire at the end of this year — until December 2031. The EDPB expressed overall support for the decision.
However, as a new data protection framework was recently introduced in the U.K., the EDPB recommended monitoring certain areas closely and carefully. This covers new powers enabling the secretary of state to amend the data protection framework via secondary legislation and changes to the rules on international transfers of personal data. The EDPB also suggested the Commission conduct a deeper analysis of certain aspects, including the restructuring of the U.K. Data Protection Act and its new complaint handling system, as well as the extended national security exemptions under the law enforcement framework.
The Netherlands' DPA, Autoriteit Persoonsgegevens, 23 Oct. published guidelines to help organizations build artificial intelligence literacy. Article 4 of the EU AI Act, which became applicable in February, requires organizations providing or deploying AI systems to ensure sufficient AI literacy of their staff. In its guidelines, the Dutch regulator explains what AI literacy is and how to demonstrate it. It also highlights that there is no universal solution when it comes to this obligation and provides a roadmap that can be used by entities to determine their AI literacy implementation needs, strategies and evaluation.
Finally, there were certain developments related to children's protection online, both at the EU and national levels. The European Parliament's IMCO Committee adopted a report 16 Oct., in which it raised issues related to the harms caused to children as a result of their use of online platforms. In the report, MEPs propose certain actions the Commission should take, including setting a minimum age of 16 for the use of social media and AI companions without parental control, establishing rules on addicting and persuasive techniques and bans on most addictive practices. The Parliament's vote on these issues is set for the end of November.
National efforts to minimize online harms to minors are also apparent in several European countries. Both Norway and Denmark published plans to ban certain social media platforms for children younger than 15.
Laura Pliauškaitė is European operations coordinator for the IAPP.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter.
