Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

On 1 July, Denmark took over the presidency of the Council of the European Union from Poland. Among its priorities is enhancing the EU's digital competitiveness and technological sovereignty, with a focus on efforts in the areas of artificial intelligence, cloud and data.

The Danish presidency will also support the EU's digital rules simplification initiatives, particularly related to cybersecurity and data protection. Denmark is planning to zoom in on online safety for young people by supporting the enforcement of existing legislation, such as the Digital Services Act, and the development of future rules like the Digital Fairness Act. It will also concentrate on advancing the EU's cybersecurity agenda, which includes revision of the Cybersecurity Act and implementation of the Cyber Resilience Act, the NIS 2 Directive and other EU cybersecurity legislation.

European Commission President Ursula von der Leyen survived a vote of no confidence before the European Parliament 10 July. While it's the victory that counts, this shows von der Leyen's difficult position, as a third of all voting MEPs supported the motion of censure. With Parliament questioning the Commission's leader, it may prove difficult for her and her College of Commissioners to advance their legislative agenda.

On 15 July, the European Commission concluded that "the European Patent Organisation provides a level of data protection equivalent to that provided by the European Union," thereby issuing its first ever adequacy decision to an international organization. Just as with adequacy decisions for third countries, this will allow for barrier-free personal data transfers between the EU and the EPO, laying the foundations for unrestricted personal data flows between private and public entities.

This week, the European Commission announced its use of Microsoft 365 is now compliant with EU data protection rules. After finding several infringements in the Commission's use of the product in March 2024, the European Data Protection Supervisor imposed certain corrective measures.

To remedy the identified infringements, the Commission and Microsoft adopted contractual, organizational and technical measures in relation to its use of Microsoft 365, including ensuring that the types of personal data and the purpose of its processing are clearly defined and limited, preventing personal data transfers to third countries without adequate protection — including by Microsoft's sub-processors — and clearly defining rules on omitting notifications to the Commission of personal data disclosure requests. The EDPS commended the Commission and Microsoft on their efforts in remedying the infringements, calling it "a meaningful and shared success."

10 July marked the completion of the long-awaited General-Purpose AI Code of Practice. The final version of the code comes two months after the Commission's self-imposed deadline, but just in time for the 2 Aug. entry into application of the EU AI Act's provisions on GPAI. IAPP Staff Writer Caitlin Andrews details how this voluntary tool aims to facilitate compliance with these provisions. A week after it was finalized, the code was officially opened for signatures, with several companies — such as OpenAI, Google and Microsoft — joining in shortly after.

Earlier this July, the European Data Protection Board and EDPS released a joint opinion on the EU General Data Protection Regulation simplification proposal published in May, which extends the derogation from record-keeping requirements to small mid-cap companies. The EDPB and EDPS express support for the proposal, but also request further clarification of some of its aspects, including regarding the 750 employee threshold for companies benefiting from the derogation and the exemption related to special categories of data.

The regulators also underline that record-keeping is not a standalone requirement, as it is also a tool to demonstrate compliance with other GDPR obligations like accountability and transparency.

Laura Pliauškaitė is European operations coordinator for the IAPP.

This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.