Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

Lately, there have been many discussions about the future of trans-Atlantic personal data transfers, especially after the dismissal of several members of the Privacy and Civil Liberties Oversight Board at the end of January. The PCLOB is the U.S. body responsible for, among other things, overseeing privacy-related activities of U.S. intelligence agencies and the functioning of the Data Protection Review Court — an independent and impartial redress mechanism established under the EU-U.S. Data Privacy Framework to handle and resolve complaints from EU individuals concerning the collection of their data for national security purposes.

Many are also looking in the opposite direction, in a literal sense, as personal data transfers from the EU to China are gaining attention. On 21 Feb., Ireland's Data Protection Commission, in accordance with the cooperation procedure under Article 60 of the EU General Data Protection Regulation, submitted to other European DPAs its draft decision in relation to its inquiry into TikTok.

The DPC was investigating whether TikTok's transfers of EU individuals' personal data to China complied with the GDPR. The DPC commenced the inquiry in 2021 on its own initiative rather than as a result of an individual's complaint. It remains to be seen whether the draft opinion will be challenged, as other European DPAs have one month to send any "reasoned and relevant" objections to the DPC. Either way, it is expected that this development will shed more light on the lawfulness of personal data transfers from the EU to China.

The DPC's draft decision is not the only reason European DPAs are focusing on the topic of personal data transfers to China. In early February, multiple data protection regulators across the EU, including Luxembourg's National Commission for Data Protection, released warnings about the use of AI chatbot DeepSeek, urging individuals to be careful when entering personal — particularly sensitive — data in the Chinese artificial intelligence chatbot that gained popularity in late January.

The Dutch DPA, Autoriteit Persoonsgegevens, also emphasized that DeepSeek must be used with care not only in terms of individuals' own personal data, but especially if personal data of others is entered, as this could lead to liability. The DPA also noted its inquiry into the compatibility of personal data transfers to China with the GDPR is broader and not limited to DeepSeek.

February marks exactly one year since the Digital Services Act's full entry into application, as well as the first meeting of the European Board for Digital Services. The month was also full of DSA-related developments. The European Commission commenced its series of workshops on potential benefits and implications of voluntary codes of conduct for online advertising.

Additionally, the Commission endorsed the integration of the voluntary 2022 Code of Practice on Disinformation into the DSA. Moreover, it unveiled the DSA Elections Toolkit with advice and guidance, including emerging best practices.

The Commission also launched a new Research API introducing pragmatic search functionalities to the DSA Transparency Database, which is the largest near real-time database globally collecting data on platforms' content moderation decisions in the EU.

Strengthening the EU's approach to cybersecurity was one of the new European Commission's agenda items. Work on this topic is picking up as the Commission presented a proposal for the Cyber Blueprint — a European Council recommendation on an EU framework for cybersecurity crisis management. The proposal for a nonbinding instrument, aiming to enhance the EU's response capabilities to large-scale cyber incidents, comes a month after the Commission's launch of the European action plan to strengthen the cybersecurity of hospitals and health care providers.

Laura Pliauskaite is European operations coordinator for the IAPP.

This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.